dcrat | eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162 | Triage

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16/01/2025, 16:46 UTC

Sharing

Report Analysis Logs

General

Target

39080b718b5fd386e181eae293d3dd8e.exe
Size

829KB
MD5

39080b718b5fd386e181eae293d3dd8e
SHA1

d08ff7cf2dd523b14453fc3a2403fc08adc8185e
SHA256

eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162
SHA512

11744429f505482bd88d17947ef192f468966b7d7b875ed67ae7a908313f300ef0bbf9cb326d526a169a93c23fa7417bb71a04bd9fa07d6bd5ef9e37f9987aff
SSDEEP

12288:KowrLE6IKSq9aZxoHH6+LsHmRWR1httY5B2ycgPATuUc4wGOx:KoevIKSq9aZ46+LR2YeyPPUy4tOx

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	1080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	1080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1080	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

resource	yara_rule
behavioral1/memory/3064-1-0x0000000000A90000-0x0000000000B66000-memory.dmp	dcrat
behavioral1/files/0x0006000000019931-11.dat	dcrat
behavioral1/memory/2952-21-0x0000000000B80000-0x0000000000C56000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2952	39080b718b5fd386e181eae293d3dd8e.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\addins\Idle.exe	39080b718b5fd386e181eae293d3dd8e.exe
File created	C:\Windows\addins\6ccacd8608530f	39080b718b5fd386e181eae293d3dd8e.exe
File created	C:\Windows\Vss\Writers\Application\explorer.exe	39080b718b5fd386e181eae293d3dd8e.exe
File created	C:\Windows\Vss\Writers\Application\7a0fd90576e088	39080b718b5fd386e181eae293d3dd8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2968	schtasks.exe
2852	schtasks.exe
2728	schtasks.exe
1920	schtasks.exe
2708	schtasks.exe
2584	schtasks.exe
2760	schtasks.exe
2556	schtasks.exe
2624	schtasks.exe
3044	schtasks.exe
2068	schtasks.exe
2884	schtasks.exe
2808	schtasks.exe
2740	schtasks.exe
628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3064	39080b718b5fd386e181eae293d3dd8e.exe
2952	39080b718b5fd386e181eae293d3dd8e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	39080b718b5fd386e181eae293d3dd8e.exe
Token: SeDebugPrivilege	2952	39080b718b5fd386e181eae293d3dd8e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2928	3064	39080b718b5fd386e181eae293d3dd8e.exe	46
PID 3064 wrote to memory of 2928	3064	39080b718b5fd386e181eae293d3dd8e.exe	46
PID 3064 wrote to memory of 2928	3064	39080b718b5fd386e181eae293d3dd8e.exe	46
PID 2928 wrote to memory of 2888	2928	cmd.exe	48
PID 2928 wrote to memory of 2888	2928	cmd.exe	48
PID 2928 wrote to memory of 2888	2928	cmd.exe	48
PID 2928 wrote to memory of 2952	2928	cmd.exe	49
PID 2928 wrote to memory of 2952	2928	cmd.exe	49
PID 2928 wrote to memory of 2952	2928	cmd.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\39080b718b5fd386e181eae293d3dd8e.exe
"C:\Users\Admin\AppData\Local\Temp\39080b718b5fd386e181eae293d3dd8e.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1thxOZSXrp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2888
- - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\39080b718b5fd386e181eae293d3dd8e.exe
    "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\39080b718b5fd386e181eae293d3dd8e.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "39080b718b5fd386e181eae293d3dd8e3" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\39080b718b5fd386e181eae293d3dd8e.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "39080b718b5fd386e181eae293d3dd8e" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\39080b718b5fd386e181eae293d3dd8e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "39080b718b5fd386e181eae293d3dd8e3" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\39080b718b5fd386e181eae293d3dd8e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\Application\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\Application\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

Network

DNS

olegpivo.tw1.ru

39080b718b5fd386e181eae293d3dd8e.exe

Remote address:

8.8.8.8:53

Request

olegpivo.tw1.ru

IN A

Response

olegpivo.tw1.ru

IN A

94.198.223.74

94.198.223.74:80

olegpivo.tw1.ru

39080b718b5fd386e181eae293d3dd8e.exe

152 B
3
94.198.223.74:80

olegpivo.tw1.ru

39080b718b5fd386e181eae293d3dd8e.exe

152 B
3

8.8.8.8:53

olegpivo.tw1.ru

dns

39080b718b5fd386e181eae293d3dd8e.exe

61 B
77 B
1
1

DNS Request

olegpivo.tw1.ru

DNS Response

94.198.223.74

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1thxOZSXrp.bat

Filesize
264B

MD5
172ac641128fc0dab08e294c334d2fe6

SHA1
a7620045dfe3b26c1b6c7977d74315616c95145c

SHA256
cb910f449055406635d21a660dcec8d135f77cd80f75bd96e7207e77f12f156f

SHA512
d32609d4f1c3f77c1ebdee4cd5c04b1a0a63d64a9d7808eb2f283f0ec826b742bdfad93177f53bad460f8adbbe9b97343afcfe4e935d1c0c49bc984966a9491e

Download Submit
C:\Windows\addins\Idle.exe

Filesize
829KB

MD5
39080b718b5fd386e181eae293d3dd8e

SHA1
d08ff7cf2dd523b14453fc3a2403fc08adc8185e

SHA256
eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162

SHA512
11744429f505482bd88d17947ef192f468966b7d7b875ed67ae7a908313f300ef0bbf9cb326d526a169a93c23fa7417bb71a04bd9fa07d6bd5ef9e37f9987aff

Download Submit
memory/2952-21-0x0000000000B80000-0x0000000000C56000-memory.dmp

Filesize
856KB

Download
memory/3064-0-0x000007FEF5663000-0x000007FEF5664000-memory.dmp

Filesize
4KB

Download
memory/3064-1-0x0000000000A90000-0x0000000000B66000-memory.dmp

Filesize
856KB

Download
memory/3064-2-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-18-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download