dcrat | 7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
Size

1.9MB
MD5

f719f4f498186fbfd62d72033504caf8
SHA1

a4ead2d16a1e7b3042da127dc4a41d39bc9d726a
SHA256

7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8
SHA512

cacc0af0c39c8d96a0222a351c42e29cef96aaf54ecdc4b539587534317b4bacd42bddcea21a0b4bebd200bf41172105c7773154e2d1adee78374901c0579629
SSDEEP

49152:McFZTdUJWxOOZPHst87uOLOkMRxJgSrSmMscS:MczpGWdZPHu9WuRx9rrJh

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Executes dropped EXE 1 IoCs

pid	Process
2776	System.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Idle.exe	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
File created	C:\Program Files\Google\Chrome\6ccacd8608530f	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\101b941d020240	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
File created	C:\Program Files (x86)\Uninstall Information\System.exe	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
File created	C:\Program Files (x86)\Uninstall Information\27d1bcfc3c54e0	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\WmiPrvSE.exe	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
File created	C:\Windows\twain_32\24dbde2999530e	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2892	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2892	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2776	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
Token: SeDebugPrivilege	2776	System.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 3060	1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe	31
PID 1416 wrote to memory of 3060	1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe	31
PID 1416 wrote to memory of 3060	1416	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe	31
PID 3060 wrote to memory of 2880	3060	cmd.exe	34
PID 3060 wrote to memory of 2880	3060	cmd.exe	34
PID 3060 wrote to memory of 2880	3060	cmd.exe	34
PID 3060 wrote to memory of 2892	3060	cmd.exe	35
PID 3060 wrote to memory of 2892	3060	cmd.exe	35
PID 3060 wrote to memory of 2892	3060	cmd.exe	35
PID 3060 wrote to memory of 2776	3060	cmd.exe	36
PID 3060 wrote to memory of 2776	3060	cmd.exe	36
PID 3060 wrote to memory of 2776	3060	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
"C:\Users\Admin\AppData\Local\Temp\7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KXaIEASPZV.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2880
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2892
- - C:\Program Files (x86)\Uninstall Information\System.exe
    "C:\Program Files (x86)\Uninstall Information\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe

Filesize
1.9MB

MD5
f719f4f498186fbfd62d72033504caf8

SHA1
a4ead2d16a1e7b3042da127dc4a41d39bc9d726a

SHA256
7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8

SHA512
cacc0af0c39c8d96a0222a351c42e29cef96aaf54ecdc4b539587534317b4bacd42bddcea21a0b4bebd200bf41172105c7773154e2d1adee78374901c0579629

Download Submit
C:\Users\Admin\AppData\Local\Temp\KXaIEASPZV.bat

Filesize
183B

MD5
00519e53b03b5e17935a2e9908339e13

SHA1
3280cc0e4c374ef5a7c20c4f6032f4e0a47e3a46

SHA256
7bc72cec716b7e18e2aa9fdc15dd5c95a8ed39b37edc0d013d192a3c186bd095

SHA512
64394f59bf66dff4a4d86a2de59a80d5ad46e3a03fbdd3565112bb064802faafa25dced597f1401cb3003af3056903a9ebaacbd89b2b535d970008d6c32956f1

Download Submit
memory/1416-21-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1416-15-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/1416-4-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1416-6-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/1416-13-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1416-12-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/1416-20-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1416-19-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/1416-0-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

Filesize
4KB

Download
memory/1416-17-0x0000000000680000-0x000000000068E000-memory.dmp

Filesize
56KB

Download
memory/1416-22-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1416-3-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1416-23-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1416-10-0x00000000004E0000-0x00000000004F8000-memory.dmp

Filesize
96KB

Download
memory/1416-8-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/1416-24-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1416-25-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1416-2-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1416-41-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1416-1-0x0000000000B50000-0x0000000000D4A000-memory.dmp

Filesize
2.0MB

Download
memory/2776-45-0x0000000001370000-0x000000000156A000-memory.dmp

Filesize
2.0MB

Download