dcrat | 7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8

Analysis

max time kernel
92s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
Size

1.9MB
MD5

f719f4f498186fbfd62d72033504caf8
SHA1

a4ead2d16a1e7b3042da127dc4a41d39bc9d726a
SHA256

7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8
SHA512

cacc0af0c39c8d96a0222a351c42e29cef96aaf54ecdc4b539587534317b4bacd42bddcea21a0b4bebd200bf41172105c7773154e2d1adee78374901c0579629
SSDEEP

49152:McFZTdUJWxOOZPHst87uOLOkMRxJgSrSmMscS:MczpGWdZPHu9WuRx9rrJh

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe

Executes dropped EXE 1 IoCs

pid	Process
3212	Registry.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\de-DE\sihost.exe	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\66fc9ff0ee96c2	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
File created	C:\Program Files\Internet Explorer\ja-JP\Registry.exe	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ee2ad38f3d4382	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\886983d96e3d3e	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Panther\setup.exe\spoolsv.exe	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
File opened for modification	C:\Windows\Panther\setup.exe\spoolsv.exe	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
File created	C:\Windows\Panther\setup.exe\f3b6ecef712a24	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3212	Registry.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
Token: SeDebugPrivilege	3212	Registry.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 4132	1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe	83
PID 1572 wrote to memory of 4132	1572	7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe	83
PID 4132 wrote to memory of 3716	4132	cmd.exe	85
PID 4132 wrote to memory of 3716	4132	cmd.exe	85
PID 4132 wrote to memory of 2552	4132	cmd.exe	86
PID 4132 wrote to memory of 2552	4132	cmd.exe	86
PID 4132 wrote to memory of 3212	4132	cmd.exe	88
PID 4132 wrote to memory of 3212	4132	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe
"C:\Users\Admin\AppData\Local\Temp\7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IXKu82FS0v.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3716
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2552
- - C:\Program Files\Internet Explorer\ja-JP\Registry.exe
    "C:\Program Files\Internet Explorer\ja-JP\Registry.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe

Filesize
1.9MB

MD5
f719f4f498186fbfd62d72033504caf8

SHA1
a4ead2d16a1e7b3042da127dc4a41d39bc9d726a

SHA256
7f8eafb60265080243209b6c045d0381a4ea09b58eac9000c83253cc05b06ea8

SHA512
cacc0af0c39c8d96a0222a351c42e29cef96aaf54ecdc4b539587534317b4bacd42bddcea21a0b4bebd200bf41172105c7773154e2d1adee78374901c0579629

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXKu82FS0v.bat

Filesize
229B

MD5
83cadd4e1e40b99f7fe3c13d987fc952

SHA1
7904027c68c3839fad493cd33b6360e2a17f48e0

SHA256
830a3adb766cb7aaf55fabdda69461941c32c9732a96a1dacf772c42bdf81b00

SHA512
78a03e4fd3b57d12cb1d0f40ad0e2497ec8d516eaf8c3236da548f2f6563b3f9a26fabcd1ce7e3cae4ecff90ef7ae8c7b09e5823b0dd8a901cd85897d6ff0b38

Download Submit
memory/1572-7-0x0000000002520000-0x000000000252E000-memory.dmp

Filesize
56KB

Download
memory/1572-4-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/1572-19-0x0000000002550000-0x000000000255E000-memory.dmp

Filesize
56KB

Download
memory/1572-5-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/1572-0-0x00007FF83CB53000-0x00007FF83CB55000-memory.dmp

Filesize
8KB

Download
memory/1572-8-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/1572-10-0x00000000025B0000-0x00000000025CC000-memory.dmp

Filesize
112KB

Download
memory/1572-11-0x000000001B020000-0x000000001B070000-memory.dmp

Filesize
320KB

Download
memory/1572-21-0x00000000025F0000-0x00000000025FC000-memory.dmp

Filesize
48KB

Download
memory/1572-15-0x0000000002530000-0x000000000253E000-memory.dmp

Filesize
56KB

Download
memory/1572-1-0x0000000000260000-0x000000000045A000-memory.dmp

Filesize
2.0MB

Download
memory/1572-3-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/1572-13-0x00000000025D0000-0x00000000025E8000-memory.dmp

Filesize
96KB

Download
memory/1572-22-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/1572-23-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/1572-29-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/1572-2-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/1572-32-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/1572-40-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/1572-43-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/1572-44-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/1572-17-0x0000000002540000-0x000000000254E000-memory.dmp

Filesize
56KB

Download