dcrat | 4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9

Analysis

max time kernel
117s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9.exe
Size

2.3MB
MD5

517d21cbe45c2a88930aa345c2a5c36b
SHA1

f8c2b259ed15eb455fc345f54a9ef9b0aace552c
SHA256

4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9
SHA512

b912bf7ea3fc0e929890ce6048e89ab797b0ebf4b54e87989bdf4f2eb06cb68e1accd52200105c1079336ba57525aa200cd48c769e24ce1827906948d6f28d3f
SSDEEP

49152:IBJQcFZTdUJWxOOZPHst87uOLOkMRxJgSrSmMsce:yOczpGWdZPHu9WuRx9rrJT

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Executes dropped EXE 2 IoCs

pid	Process
2684	ChainFontruntimeCrt.exe
1968	ChainFontruntimeCrt.exe

Loads dropped DLL 2 IoCs

pid	Process
2900	cmd.exe
2900	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\System.exe	ChainFontruntimeCrt.exe
File created	C:\Windows\Installer\27d1bcfc3c54e0	ChainFontruntimeCrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1636	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1636	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe
2684	ChainFontruntimeCrt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1968	ChainFontruntimeCrt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	ChainFontruntimeCrt.exe
Token: SeDebugPrivilege	1968	ChainFontruntimeCrt.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2800	1152	4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9.exe	31
PID 1152 wrote to memory of 2800	1152	4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9.exe	31
PID 1152 wrote to memory of 2800	1152	4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9.exe	31
PID 1152 wrote to memory of 2800	1152	4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9.exe	31
PID 2800 wrote to memory of 2900	2800	WScript.exe	32
PID 2800 wrote to memory of 2900	2800	WScript.exe	32
PID 2800 wrote to memory of 2900	2800	WScript.exe	32
PID 2800 wrote to memory of 2900	2800	WScript.exe	32
PID 2900 wrote to memory of 2684	2900	cmd.exe	34
PID 2900 wrote to memory of 2684	2900	cmd.exe	34
PID 2900 wrote to memory of 2684	2900	cmd.exe	34
PID 2900 wrote to memory of 2684	2900	cmd.exe	34
PID 2684 wrote to memory of 2968	2684	ChainFontruntimeCrt.exe	35
PID 2684 wrote to memory of 2968	2684	ChainFontruntimeCrt.exe	35
PID 2684 wrote to memory of 2968	2684	ChainFontruntimeCrt.exe	35
PID 2968 wrote to memory of 2284	2968	cmd.exe	37
PID 2968 wrote to memory of 2284	2968	cmd.exe	37
PID 2968 wrote to memory of 2284	2968	cmd.exe	37
PID 2968 wrote to memory of 1636	2968	cmd.exe	38
PID 2968 wrote to memory of 1636	2968	cmd.exe	38
PID 2968 wrote to memory of 1636	2968	cmd.exe	38
PID 2968 wrote to memory of 1968	2968	cmd.exe	39
PID 2968 wrote to memory of 1968	2968	cmd.exe	39
PID 2968 wrote to memory of 1968	2968	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9.exe
"C:\Users\Admin\AppData\Local\Temp\4b9cb0b6b953edda63999ddd41656c7c509cfb02298eaac8929010c29971cec9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ChainagentComponent\PWC9d9T0TgxIE17d8kEvKaBzSy5sS4bSkqUfKmaENJQQSQ4ECN.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\ChainagentComponent\q14QT1c6LK4xpgG0MrqndXYweJYHdEecuYXEv1hUkMNQcqj9DhhAaajtNw.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\ChainagentComponent\ChainFontruntimeCrt.exe
      "C:\ChainagentComponent/ChainFontruntimeCrt.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04rQ2VfD5B.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2284
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1636
      - C:\ChainagentComponent\ChainFontruntimeCrt.exe
        
        "C:\ChainagentComponent\ChainFontruntimeCrt.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainagentComponent\PWC9d9T0TgxIE17d8kEvKaBzSy5sS4bSkqUfKmaENJQQSQ4ECN.vbe

Filesize
252B

MD5
82ea3a77040d884456b51fc284d887a3

SHA1
e5caba4399ce043a758f78840d2323ffce3d41b8

SHA256
345cb6db98f74263a91a2dabde35f4d2af5bbb909f1904d7b9b1d5d75864a2d8

SHA512
79147ccbd6bafbeec3d7d21fc0e3f0f85cb340e54263b2925b42bbda539d9f5b921d8e9dc950e51a7a1da942ae75988a92470dac6c6e73fdbef76047eefafd91

Download Submit
C:\ChainagentComponent\q14QT1c6LK4xpgG0MrqndXYweJYHdEecuYXEv1hUkMNQcqj9DhhAaajtNw.bat

Filesize
77B

MD5
21c1a26270a6ac361060ef54b50810bc

SHA1
11d3abd6d008458760130e6ffcc61d812a976094

SHA256
4e5619470e12d0f050c33e88f7075267812240fcf2f38e8732486eea3967ac40

SHA512
42fa950a07f5edd1c48f6523395ed1816ee1b31eb9d8b905e3c92c31dec692465862bff4a840c845d879b1447593ffeff5924fd0ab4206061df257c2dc980ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\04rQ2VfD5B.bat

Filesize
174B

MD5
ddd8a3abc4c4124912fd92eeb3ba2815

SHA1
5b0c643498c73cc486a1f22b5471894644d26530

SHA256
72dbc0059c80f090781a4b7f59792447d88383338a3b038f1069c3350f263074

SHA512
e8d83534eb9c8a8e5bb0a08b059750408e150d0add290aad1b9cc58a2c1f6921e2b81ee779df2835cc0305a18bd07628546f50516e9e9c63a926e991a7e4d5c1

Download Submit
\ChainagentComponent\ChainFontruntimeCrt.exe

Filesize
1.9MB

MD5
64105cb19ac25a6275c7d929937090a0

SHA1
4b0ab4a6fa17feed05e183029f3a240d7860437d

SHA256
cb2f1aca28fcb0a43b1a256a1728a087efed3d8144f0657c3dd5f4d5a0a6898c

SHA512
7152d54def3ff633787549e7353330b949bb51af3753b77a52b6fa24465ce635c985cbe28d7fc8ecbe4fe4e7b0b39933f79ad4e56817aac45f8abffc0918e4b6

Download Submit
memory/1968-45-0x0000000000230000-0x000000000042A000-memory.dmp

Filesize
2.0MB

Download
memory/2684-19-0x0000000000660000-0x0000000000678000-memory.dmp

Filesize
96KB

Download
memory/2684-17-0x0000000000640000-0x000000000065C000-memory.dmp

Filesize
112KB

Download
memory/2684-21-0x0000000000320000-0x000000000032E000-memory.dmp

Filesize
56KB

Download
memory/2684-23-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/2684-25-0x0000000000680000-0x000000000068E000-memory.dmp

Filesize
56KB

Download
memory/2684-27-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/2684-15-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2684-13-0x0000000000340000-0x000000000053A000-memory.dmp

Filesize
2.0MB

Download