Overview

overview

10

Static

static

10

DCRatBuild.exe

windows10-ltsc 2021-x64

10

DCRatBuild.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16-01-2025 21:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    1.3MB

  • MD5

    eec69775acc89f2f67ecb0d80dc029a5

  • SHA1

    dcd800fd58fec732c0feae2febfe947f45d3944e

  • SHA256

    6e493132db3dfb86fe69552649d14eee2771430d42ff1a50f96e3e640acbf2f0

  • SHA512

    efb125891360665b85c5b11004da2de33e2f13abcf9406aa13ceb222e5ccbf5779d802cedf0f27f8e41d1a84d523a6a279e6d1bf303e035369f0bfe426457053

  • SSDEEP

    24576:u2G/nvxW3WieCGKjeM+4v4Rr6joRBbULA70dqMgkXIdu3GbyP+m:ubA3jGKTmMmULA7CbId8Gbo

Score
10/10
dcratdiscoveryevasioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\FontCrt\v4EBhvwDDus8dpGTc7sOOHNMF.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\FontCrt\8nndisOR96jQX.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3920
        • C:\FontCrt\mscontainer.exe
          "C:\FontCrt\mscontainer.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3152
          • C:\FontCrt\unsecapp.exe
            "C:\FontCrt\unsecapp.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2568
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\FontCrt\unsecapp.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\FontCrt\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\FontCrt\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\Hydrogen\BakedPlugins\Physics\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1456
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\Hydrogen\BakedPlugins\Physics\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\Hydrogen\BakedPlugins\Physics\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Music\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\FontCrt\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\FontCrt\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\FontCrt\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Oracle\sihost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Oracle\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\FontCrt\8nndisOR96jQX.bat
    Filesize

    140B

    MD5

    737a23a43a713bfbc620911d72b08568

    SHA1

    2d28cdd42b491dc5a71c263f4de89a9b267c3b2e

    SHA256

    cae33e20f4d512b20b7d8a8ced8ff2dbfecdd5af4bdf2cfa894e4392063ed7ac

    SHA512

    c07da131453f034e4d2350eaa2b66a14cece703f1f05f25460720fb866ba289d8ebfaf50b9252f644d8dae831b49bfb1fd700d00e2dd2e29ba534ce22d30c02e

    Download Submit

  • C:\FontCrt\mscontainer.exe
    Filesize

    1.0MB

    MD5

    90a9b016691488e01001035d6e3c7332

    SHA1

    41c1ad2edb97e455fb1dd42af6aa42bccf2ca6e7

    SHA256

    ed8edc329949c6ef8d6ea189e07636bfb51d9153f3bbe25876ea6d2ce0437ba6

    SHA512

    f427654e3312e42368d8c3c4cf7060747e5cfea28b86712e7fcafc1645dcae82469db05b3d2f38346e34c9f668d35ea5ab6ef65a69862840eda31b6cd7a8c529

    Download Submit

  • C:\FontCrt\v4EBhvwDDus8dpGTc7sOOHNMF.vbe
    Filesize

    197B

    MD5

    eebc6c035f2d4b3627375f3ff2d7a83b

    SHA1

    efd05b0496a20d6007002b94a187e868f3cf828f

    SHA256

    dedfb300ca692b2ae95643f1bbd7fb33253673d57991e9dedf47362b3a5741f4

    SHA512

    de4e387db50cae06ae408b7f9947c2413cdc9d94c663156c80f6b2151c66f9c530753969a744d62efe972cd00624bbb9b75a20b124276957b31138c5ba966be6

    Download Submit

  • memory/3152-12-0x00007FFF338B3000-0x00007FFF338B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3152-13-0x0000000000A30000-0x0000000000B3C000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3152-14-0x000000001B6B0000-0x000000001B6C6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3152-15-0x0000000002D80000-0x0000000002D8E000-memory.dmp

    Filesize

    56KB

    Download