dcrat | 619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

Resubmissions

09-01-2025 02:23

250109-cvdvbawqem 10

Analysis

max time kernel
23s
max time network
27s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fontdrvhost.exe
Size

1.8MB
MD5

42b89874d3138f40f32285be945f2ceb
SHA1

1766b4c4a040ba19afc4318e9b2eab775fee88d7
SHA256

619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a
SHA512

df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9
SSDEEP

49152:QdBn+oix+Z7vL4tzzQVGVzDd3Omjq+FLof:QdB+jx+Jv6zQVy1FLof

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	1248	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1248	schtasks.exe	83

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 1 IoCs

pid	Process
2408	spoolsv.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\sihost.exe	fontdrvhost.exe
File created	C:\Program Files (x86)\Google\Update\66fc9ff0ee96c2	fontdrvhost.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe	fontdrvhost.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\f3b6ecef712a24	fontdrvhost.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\ShellComponents\fontdrvhost.exe	fontdrvhost.exe
File created	C:\Windows\ShellComponents\5b884080fd4f94	fontdrvhost.exe
File created	C:\Windows\OCR\ja-jp\taskhostw.exe	fontdrvhost.exe
File created	C:\Windows\es-ES\RuntimeBroker.exe	fontdrvhost.exe
File created	C:\Windows\es-ES\9e8d7a4ca61bd9	fontdrvhost.exe
File created	C:\Windows\ja-JP\winlogon.exe	fontdrvhost.exe
File opened for modification	C:\Windows\ja-JP\winlogon.exe	fontdrvhost.exe
File created	C:\Windows\ja-JP\cc11b995f2a76d	fontdrvhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3360	PING.EXE
2280	PING.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	spoolsv.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3360	PING.EXE
2280	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4032	schtasks.exe
3708	schtasks.exe
2448	schtasks.exe
1304	schtasks.exe
3340	schtasks.exe
3276	schtasks.exe
3532	schtasks.exe
2164	schtasks.exe
4740	schtasks.exe
3500	schtasks.exe
1824	schtasks.exe
4428	schtasks.exe
4544	schtasks.exe
4444	schtasks.exe
3496	schtasks.exe
2824	schtasks.exe
1372	schtasks.exe
5088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe
2312	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	fontdrvhost.exe
Token: SeDebugPrivilege	2408	spoolsv.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 3332	2312	fontdrvhost.exe	102
PID 2312 wrote to memory of 3332	2312	fontdrvhost.exe	102
PID 3332 wrote to memory of 4492	3332	cmd.exe	104
PID 3332 wrote to memory of 4492	3332	cmd.exe	104
PID 3332 wrote to memory of 3360	3332	cmd.exe	105
PID 3332 wrote to memory of 3360	3332	cmd.exe	105
PID 3332 wrote to memory of 2408	3332	cmd.exe	114
PID 3332 wrote to memory of 2408	3332	cmd.exe	114
PID 2408 wrote to memory of 2020	2408	spoolsv.exe	119
PID 2408 wrote to memory of 2020	2408	spoolsv.exe	119
PID 2020 wrote to memory of 2088	2020	cmd.exe	121
PID 2020 wrote to memory of 2088	2020	cmd.exe	121
PID 2020 wrote to memory of 2280	2020	cmd.exe	122
PID 2020 wrote to memory of 2280	2020	cmd.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fontdrvhost.exe
"C:\Users\Admin\AppData\Local\Temp\fontdrvhost.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eDosnE7F5T.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4492
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3360
- - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe
    "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CtBPmh6epj.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2088
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellComponents\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ShellComponents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellComponents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CtBPmh6epj.bat

Filesize
203B

MD5
e0e20fbc16966ab52bdc3f76e3c248b9

SHA1
fcabb6c96d63d65148403896e25bcfbe181f0ecc

SHA256
a59c4192e74185d37d760d3ab350b1d836158c6364beda24523d64504247e354

SHA512
fc11ce463f26fccc81521898360da4882c0f8af8dd8c73f888ee34a6196051bdcbdc02b07e3494aa28339daea88aa83441eabb09f54307eb2d328be35549175b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eDosnE7F5T.bat

Filesize
203B

MD5
de9272b4979fb967995d85aad4cffbff

SHA1
f05c84d0fb30db288cce078ccacb2cf1bc524d86

SHA256
703a33c63d623af86cb1340c7d0f0d4e8022521fac26f0a904f2c8de543fdf00

SHA512
65f48fcd418c974eca015acc09b5b9ee497d6abfd72f01585d7db841e3b8bfaa0bd4d0d80f7f416b9c7b91b63834313b3d4e21c9dfa7615118572c8a90e665a4

Download Submit
C:\Windows\es-ES\RuntimeBroker.exe

Filesize
1.8MB

MD5
42b89874d3138f40f32285be945f2ceb

SHA1
1766b4c4a040ba19afc4318e9b2eab775fee88d7

SHA256
619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

SHA512
df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

Download Submit
memory/2312-4-0x00007FFE584C0000-0x00007FFE58F81000-memory.dmp

Filesize
10.8MB

Download
memory/2312-13-0x00000000027C0000-0x00000000027D8000-memory.dmp

Filesize
96KB

Download
memory/2312-6-0x0000000002710000-0x000000000271E000-memory.dmp

Filesize
56KB

Download
memory/2312-7-0x00007FFE584C0000-0x00007FFE58F81000-memory.dmp

Filesize
10.8MB

Download
memory/2312-8-0x00007FFE584C0000-0x00007FFE58F81000-memory.dmp

Filesize
10.8MB

Download
memory/2312-10-0x00000000027A0000-0x00000000027BC000-memory.dmp

Filesize
112KB

Download
memory/2312-11-0x0000000002810000-0x0000000002860000-memory.dmp

Filesize
320KB

Download
memory/2312-0-0x00007FFE584C3000-0x00007FFE584C5000-memory.dmp

Filesize
8KB

Download
memory/2312-14-0x00007FFE584C0000-0x00007FFE58F81000-memory.dmp

Filesize
10.8MB

Download
memory/2312-3-0x00007FFE584C0000-0x00007FFE58F81000-memory.dmp

Filesize
10.8MB

Download
memory/2312-26-0x00007FFE584C0000-0x00007FFE58F81000-memory.dmp

Filesize
10.8MB

Download
memory/2312-27-0x00007FFE584C0000-0x00007FFE58F81000-memory.dmp

Filesize
10.8MB

Download
memory/2312-28-0x00007FFE584C0000-0x00007FFE58F81000-memory.dmp

Filesize
10.8MB

Download
memory/2312-34-0x00007FFE584C0000-0x00007FFE58F81000-memory.dmp

Filesize
10.8MB

Download
memory/2312-2-0x00007FFE584C0000-0x00007FFE58F81000-memory.dmp

Filesize
10.8MB

Download
memory/2312-1-0x0000000000470000-0x0000000000642000-memory.dmp

Filesize
1.8MB

Download