Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
16/01/2025, 16:43
General
-
Target
DCRatBuild.exe
-
Size
1.2MB
-
MD5
1c4d40bb27938ee8ccbe1b09a8a76ba6
-
SHA1
dc2266dc5b7b265221c7c9315267067c8fe76d92
-
SHA256
ee930b7c7d01783de8fb24c9f40924a4e9da49033951a450c63d046f2a2ce3ee
-
SHA512
7cb63784b5eeaf73941c2f425d3bcdea4200510929f2e9ba4ff4e6c3983e61fc4514d3a66a5405b8b1c052d07a8cd9784693a4ed26a0656c7d6b7b80121d1daa
-
SSDEEP
24576:GTbBv5rU8/38TnIPZKN9OJMA+53iE0n3g6s:4BtMTnIPkNomA+53KO
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 2 IoCs
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 2 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortSession\xqpjHHWRGdTYQyx20.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\PortSession\XDYOLPKRHAKuDwHqW0UccJnByucTvFaFH95cpSWEjfuEIuyo.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\PortSession\MshyperwinSaves.exe"C:\PortSession/MshyperwinSaves.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rnhq0gbq\rnhq0gbq.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE290.tmp" "c:\Windows\System32\CSCD0E1C3709A864F4AB41821BAC275A788.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jq77Y2cx20.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\PortSession\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\PortSession\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\PortSession\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Pictures\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\WaaSMedicAgent.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MshyperwinSavesM" /sc MINUTE /mo 8 /tr "'C:\PortSession\MshyperwinSaves.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MshyperwinSaves" /sc ONLOGON /tr "'C:\PortSession\MshyperwinSaves.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MshyperwinSavesM" /sc MINUTE /mo 11 /tr "'C:\PortSession\MshyperwinSaves.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
769KB
MD548c98103b76113d37315de842cc11bdf
SHA15959ea78e7ea2a9dcff50b432e3686a4d92661d9
SHA25671b5e69d1ab4582171d652798fba517dd42fac91d468307df032ca34a1b2bf9d
SHA512b839a914a29d0b7494c95ef114bb755cf9d3c78a07b83a754203b8d1a3cd40bfa98b6d7b4306a74c75d9c3e52ff2ab9efa4048938b0635109650cd7cebd06ab9
-
Filesize
185B
MD540eeacbd45b33b136564acdeef820b82
SHA188310d13eec561a6520301af8898d2ba2f48037e
SHA256d823cda4ea7894f7826a6a35448d3595d62af25dcd29617cc9c1c34d6b7a2417
SHA512b00458f55e952c0342d48fb9381fd59d652ce3314c65ac1472c93fc0c71c1b58231192d73b8df71b29aa947695529a75ffc2bdef74b15f42065ed5dcf9c4cf96
-
Filesize
238B
MD57f993365424b1bdc372346ab3492e407
SHA1c558488f2d0a827390c503611f7e780bd8f16847
SHA2563552a0f16d69b1cd44fb195a06e8f3dd6a5677dd0ddb1b2417d41fce95065835
SHA51243ea73d8d4224a7fd86735cf8a19c24ee5c167fadfe93ff3da4af20754d49ce9f7eca35f7286ffc1d821118c10891691769fc6da252b94808214462bc4e7c882
-
Filesize
177B
MD56915d1cd459e96ca11218a311f6bcc92
SHA151045fb1acdacaef6d59bfbb78f19cf7aadec638
SHA256038b3cf2e2458caacfccc2dcf65f2bbfe727afeb26fd29f036d6cede1001c68c
SHA5127b023e478e9517afb5ab2da874825c79a90191218a8d55d26db72051d1b7d41fbb939a39739a06969d30419fb1ad606674099a42da26e374e4e54fe0301e0ae2
-
Filesize
1KB
MD550bdd1e1b97ca4c597f50c2d0c06726e
SHA1fc212ff7c54e6f3d1143380d3f9b74fae0f6c1d0
SHA2568d967ececf0d8d4f5417f62e51c9a7c7c0e5e491f5ddab587626f7f50b559671
SHA5128b76c28b9ac85a6d2965b4f608d84c35c3565743d38501bd8effdc698103e6da5e96a7e60e19817880ecb6c6aa97ce41c211128a70be87c3b678f6fd9697bba6
-
Filesize
355B
MD577bf519ad3015b3ae6ee4dc7c2aa6cf1
SHA1cbe90c54a38ad16836f99e7acbf664fb6ad61dab
SHA256ac966000e284ca930f475a2fe76b6786cef9ff29f9d7909724e995dea8d2433a
SHA5123d0eb95422931d174741499b81b3a6d91e918bf679b29e8a1de0039c62206b8c7d67f30a4ee99f36257c5fbd9f5906f9cfa61f75bdaf7dbe11aeaab069e5b22b
-
Filesize
235B
MD55e3f96c25381d835c80e8a22a0862526
SHA1383aeee6301e8014093b614535b85a0757e0310c
SHA2560f75d899045a6a769d6d059f8ebc2002bbf9ef70032b084a4bf9f742a5d56990
SHA5120fefc32bb0a6fa491367c113ef7cf04fe8043c5b0a76b2216312e8d0ee08008ace00cd98a460367466111bc9af7208fbc9f38e1f588cdb04e21049f5d26cc42f
-
Filesize
1KB
MD582a7b8ef3bc275711e3b27c6df93c7ff
SHA1bdac909f26475c94c74145576bcf22adb0f8203c
SHA256582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124
SHA512f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248
-
Filesize
792KB
-
Filesize
48KB
-
Filesize
96KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
820KB
-
Filesize
56KB