dcrat | 989dc2b004b38f140c0fe929167166e28ac3c93d90649800f07e7b8fb5f8ef75

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Surrogatefont.exe
Size

828KB
MD5

056cc17e4b9ae9299079c6fc289dc195
SHA1

a8926b4bc2a32a8b1247c90d4929ab995aab7d06
SHA256

989dc2b004b38f140c0fe929167166e28ac3c93d90649800f07e7b8fb5f8ef75
SHA512

bdd234f576382ea0a5ec9f088af84286c4d422ca895a9369fe770f95b070789e7ea93ee7539af12c268ad8b3b42c39321b58d5a0f9e13a1245539bdd08f235e7
SSDEEP

12288:9Z6s1lxrBkn2VJsXVme/nMRIplGAT25CjMJmk:y2rBknhFmCyikCjMEk

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1964	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2412-1-0x0000000000FB0000-0x0000000001086000-memory.dmp	dcrat
behavioral1/files/0x0005000000019377-11.dat	dcrat
behavioral1/memory/1372-28-0x0000000000AA0000-0x0000000000B76000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1372	csrss.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe	Surrogatefont.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6cb0b6c459d5d3	Surrogatefont.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe	Surrogatefont.exe
File created	C:\Program Files\Windows NT\Accessories\spoolsv.exe	Surrogatefont.exe
File created	C:\Program Files\Windows NT\Accessories\f3b6ecef712a24	Surrogatefont.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\sppsvc.exe	Surrogatefont.exe
File created	C:\Program Files (x86)\Adobe\csrss.exe	Surrogatefont.exe
File created	C:\Program Files (x86)\Adobe\886983d96e3d3e	Surrogatefont.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe	Surrogatefont.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\6ccacd8608530f	Surrogatefont.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	Surrogatefont.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	Surrogatefont.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\dwm.exe	Surrogatefont.exe
File created	C:\Windows\ja-JP\6cb0b6c459d5d3	Surrogatefont.exe
File created	C:\Windows\servicing\it-IT\dwm.exe	Surrogatefont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2668	schtasks.exe
2212	schtasks.exe
1076	schtasks.exe
2640	schtasks.exe
640	schtasks.exe
2984	schtasks.exe
2684	schtasks.exe
1832	schtasks.exe
2820	schtasks.exe
2620	schtasks.exe
2468	schtasks.exe
2628	schtasks.exe
2880	schtasks.exe
2832	schtasks.exe
2768	schtasks.exe
2344	schtasks.exe
592	schtasks.exe
2672	schtasks.exe
2960	schtasks.exe
2868	schtasks.exe
2700	schtasks.exe
3028	schtasks.exe
2176	schtasks.exe
840	schtasks.exe
2336	schtasks.exe
1512	schtasks.exe
536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2412	Surrogatefont.exe
2412	Surrogatefont.exe
2412	Surrogatefont.exe
1372	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	Surrogatefont.exe
Token: SeDebugPrivilege	1372	csrss.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1372	2412	Surrogatefont.exe	58
PID 2412 wrote to memory of 1372	2412	Surrogatefont.exe	58
PID 2412 wrote to memory of 1372	2412	Surrogatefont.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Surrogatefont.exe
"C:\Users\Admin\AppData\Local\Temp\Surrogatefont.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Program Files (x86)\Adobe\csrss.exe
  "C:\Program Files (x86)\Adobe\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ja-JP\dwm.exe

Filesize
828KB

MD5
056cc17e4b9ae9299079c6fc289dc195

SHA1
a8926b4bc2a32a8b1247c90d4929ab995aab7d06

SHA256
989dc2b004b38f140c0fe929167166e28ac3c93d90649800f07e7b8fb5f8ef75

SHA512
bdd234f576382ea0a5ec9f088af84286c4d422ca895a9369fe770f95b070789e7ea93ee7539af12c268ad8b3b42c39321b58d5a0f9e13a1245539bdd08f235e7

Download Submit
memory/1372-28-0x0000000000AA0000-0x0000000000B76000-memory.dmp

Filesize
856KB

Download
memory/2412-0-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

Filesize
4KB

Download
memory/2412-1-0x0000000000FB0000-0x0000000001086000-memory.dmp

Filesize
856KB

Download
memory/2412-2-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-27-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download