dcrat | cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898c

Analysis

max time kernel
43s
max time network
90s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
Size

1.9MB
MD5

64105cb19ac25a6275c7d929937090a0
SHA1

4b0ab4a6fa17feed05e183029f3a240d7860437d
SHA256

cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898c
SHA512

7152d54def3ff633787549e7353330b949bb51af3753b77a52b6fa24465ce635c985cbe28d7fc8ecbe4fe4e7b0b39933f79ad4e56817aac45f8abffc0918e4b6
SSDEEP

49152:McFZTdUJWxOOZPHst87uOLOkMRxJgSrSmMsc:MczpGWdZPHu9WuRx9rrJ

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Executes dropped EXE 1 IoCs

pid	Process
2784	OSPPSVC.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\winlogon.exe	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\cc11b995f2a76d	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\explorer.exe	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\7a0fd90576e088	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\5940a34987c991	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2784	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
Token: SeDebugPrivilege	2784	OSPPSVC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2916	2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe	30
PID 2072 wrote to memory of 2916	2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe	30
PID 2072 wrote to memory of 2916	2072	cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe	30
PID 2916 wrote to memory of 2928	2916	cmd.exe	32
PID 2916 wrote to memory of 2928	2916	cmd.exe	32
PID 2916 wrote to memory of 2928	2916	cmd.exe	32
PID 2916 wrote to memory of 2752	2916	cmd.exe	33
PID 2916 wrote to memory of 2752	2916	cmd.exe	33
PID 2916 wrote to memory of 2752	2916	cmd.exe	33
PID 2916 wrote to memory of 2784	2916	cmd.exe	35
PID 2916 wrote to memory of 2784	2916	cmd.exe	35
PID 2916 wrote to memory of 2784	2916	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe
"C:\Users\Admin\AppData\Local\Temp\cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898cN.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iZSU6ubMnc.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2928
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2752
- - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
    "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe

Filesize
1.9MB

MD5
64105cb19ac25a6275c7d929937090a0

SHA1
4b0ab4a6fa17feed05e183029f3a240d7860437d

SHA256
cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898c

SHA512
7152d54def3ff633787549e7353330b949bb51af3753b77a52b6fa24465ce635c985cbe28d7fc8ecbe4fe4e7b0b39933f79ad4e56817aac45f8abffc0918e4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iZSU6ubMnc.bat

Filesize
250B

MD5
8d0a11d0750d4f1af6807e02af534163

SHA1
53110c87f4454390a198c7de0ffe80848aedeab2

SHA256
237ac623f66e46db8bad2928ad2f2b544e0a979a1c524e644c48fe5e494ca0f6

SHA512
0c2628de9b29ba72dc17f1b889f65181c052524232c826b681ba3be30a86768a293c41871c2074a6f911b0c8bb5a69d6f2af161ce614fe3215172339a8094ca4

Download Submit
memory/2072-6-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/2072-17-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/2072-4-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2072-7-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-9-0x0000000000330000-0x000000000034C000-memory.dmp

Filesize
112KB

Download
memory/2072-11-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/2072-13-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2072-15-0x0000000000320000-0x000000000032E000-memory.dmp

Filesize
56KB

Download
memory/2072-3-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-19-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/2072-21-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-20-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-2-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-36-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-39-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-38-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-1-0x0000000000C50000-0x0000000000E4A000-memory.dmp

Filesize
2.0MB

Download
memory/2784-43-0x0000000001070000-0x000000000126A000-memory.dmp

Filesize
2.0MB

Download