dcrat | 8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc

Analysis

max time kernel
138s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc.exe
Size

3.4MB
MD5

7ef00acfc8df431c545e07f3d4862e2a
SHA1

c9623ec807abb692cae9b4f41bc964ada568f4a5
SHA256

8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc
SHA512

878964774c9436646a410e10a37b95ea6ae23aaa42d172bb85c78b3082d7424b7c266ebce1a12466665aea54546d0956d3b2d0d7261143fb71f86a3f8c756ba8
SSDEEP

98304:Gp5lanw2dJ20UXYpNUihy2F8ij2cFlwVF3XlMX:GpGnw2dA0UUUiYiR+FFk

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023bed-66.dat	family_dcrat_v2
behavioral2/memory/4808-67-0x0000000000EE0000-0x0000000001102000-memory.dmp	family_dcrat_v2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc.exe

Executes dropped EXE 10 IoCs

pid	Process
244	7z.exe
4644	7z.exe
2260	7z.exe
1920	7z.exe
1564	7z.exe
2328	7z.exe
4988	7z.exe
2960	7z.exe
4808	Installer.exe
536	Registry.exe

Loads dropped DLL 8 IoCs

pid	Process
244	7z.exe
4644	7z.exe
2260	7z.exe
1920	7z.exe
1564	7z.exe
2328	7z.exe
4988	7z.exe
2960	7z.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\Registry.exe	Installer.exe
File created	C:\Program Files (x86)\Internet Explorer\ee2ad38f3d4382	Installer.exe
File created	C:\Program Files\Uninstall Information\fontdrvhost.exe	Installer.exe
File created	C:\Program Files\Uninstall Information\5b884080fd4f94	Installer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\OCR\en-us\cmd.exe	Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	Installer.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4808	Installer.exe
4808	Installer.exe
4808	Installer.exe
4808	Installer.exe
4808	Installer.exe
4808	Installer.exe
4808	Installer.exe
4808	Installer.exe
536	Registry.exe
536	Registry.exe
536	Registry.exe
536	Registry.exe
536	Registry.exe
536	Registry.exe
536	Registry.exe
536	Registry.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeRestorePrivilege	244	7z.exe
Token: 35	244	7z.exe
Token: SeSecurityPrivilege	244	7z.exe
Token: SeSecurityPrivilege	244	7z.exe
Token: SeRestorePrivilege	4644	7z.exe
Token: 35	4644	7z.exe
Token: SeSecurityPrivilege	4644	7z.exe
Token: SeSecurityPrivilege	4644	7z.exe
Token: SeRestorePrivilege	2260	7z.exe
Token: 35	2260	7z.exe
Token: SeSecurityPrivilege	2260	7z.exe
Token: SeSecurityPrivilege	2260	7z.exe
Token: SeRestorePrivilege	1920	7z.exe
Token: 35	1920	7z.exe
Token: SeSecurityPrivilege	1920	7z.exe
Token: SeSecurityPrivilege	1920	7z.exe
Token: SeRestorePrivilege	1564	7z.exe
Token: 35	1564	7z.exe
Token: SeSecurityPrivilege	1564	7z.exe
Token: SeSecurityPrivilege	1564	7z.exe
Token: SeRestorePrivilege	2328	7z.exe
Token: 35	2328	7z.exe
Token: SeSecurityPrivilege	2328	7z.exe
Token: SeSecurityPrivilege	2328	7z.exe
Token: SeRestorePrivilege	4988	7z.exe
Token: 35	4988	7z.exe
Token: SeSecurityPrivilege	4988	7z.exe
Token: SeSecurityPrivilege	4988	7z.exe
Token: SeRestorePrivilege	2960	7z.exe
Token: 35	2960	7z.exe
Token: SeSecurityPrivilege	2960	7z.exe
Token: SeSecurityPrivilege	2960	7z.exe
Token: SeDebugPrivilege	4808	Installer.exe
Token: SeDebugPrivilege	536	Registry.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 2484	5048	8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc.exe	83
PID 5048 wrote to memory of 2484	5048	8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc.exe	83
PID 2484 wrote to memory of 1832	2484	cmd.exe	85
PID 2484 wrote to memory of 1832	2484	cmd.exe	85
PID 2484 wrote to memory of 244	2484	cmd.exe	86
PID 2484 wrote to memory of 244	2484	cmd.exe	86
PID 2484 wrote to memory of 4644	2484	cmd.exe	87
PID 2484 wrote to memory of 4644	2484	cmd.exe	87
PID 2484 wrote to memory of 2260	2484	cmd.exe	88
PID 2484 wrote to memory of 2260	2484	cmd.exe	88
PID 2484 wrote to memory of 1920	2484	cmd.exe	89
PID 2484 wrote to memory of 1920	2484	cmd.exe	89
PID 2484 wrote to memory of 1564	2484	cmd.exe	90
PID 2484 wrote to memory of 1564	2484	cmd.exe	90
PID 2484 wrote to memory of 2328	2484	cmd.exe	91
PID 2484 wrote to memory of 2328	2484	cmd.exe	91
PID 2484 wrote to memory of 4988	2484	cmd.exe	92
PID 2484 wrote to memory of 4988	2484	cmd.exe	92
PID 2484 wrote to memory of 2960	2484	cmd.exe	93
PID 2484 wrote to memory of 2960	2484	cmd.exe	93
PID 2484 wrote to memory of 3936	2484	cmd.exe	94
PID 2484 wrote to memory of 3936	2484	cmd.exe	94
PID 2484 wrote to memory of 4808	2484	cmd.exe	95
PID 2484 wrote to memory of 4808	2484	cmd.exe	95
PID 4808 wrote to memory of 1668	4808	Installer.exe	96
PID 4808 wrote to memory of 1668	4808	Installer.exe	96
PID 1668 wrote to memory of 2840	1668	cmd.exe	98
PID 1668 wrote to memory of 2840	1668	cmd.exe	98
PID 1668 wrote to memory of 1152	1668	cmd.exe	99
PID 1668 wrote to memory of 1152	1668	cmd.exe	99
PID 1668 wrote to memory of 536	1668	cmd.exe	101
PID 1668 wrote to memory of 536	1668	cmd.exe	101

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3936	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc.exe
"C:\Users\Admin\AppData\Local\Temp\8f1ccf4c080f4797ec19628b3fb20250a9b97c2fd3e655fd1221b0560fec8dfc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:1832
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p4658306642333125776751625289 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:244
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4644
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4988
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- - C:\Windows\system32\attrib.exe
    attrib +H "Installer.exe"
    3⤵
    - Views/modifies file attributes
    PID:3936
- - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
    "Installer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ua0paSOp4N.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2840
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1152
    - - C:\Program Files (x86)\Internet Explorer\Registry.exe
        
        "C:\Program Files (x86)\Internet Explorer\Registry.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ua0paSOp4N.bat

Filesize
229B

MD5
390c79f04e77caa154a9c29948e4a884

SHA1
34ed8b8a26e25d70474283db744e000861d60fa8

SHA256
e8d5542d9cfe8a4dd3cf864e21faeeecc58083e267603dc6c9c70bbfed3068a3

SHA512
847c83805eb5d200441f1e0ae262710969365d5c0caf6e3395f62df731ad38242f410ae77fea3a72f68c839840ed0df76c014dbfb19ee84f1382586f6f08fd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe

Filesize
2.1MB

MD5
b4036128c7ff4c734044f5e9e7ba53b5

SHA1
40968864998e8488f883138c9fd228e2d2bb33b1

SHA256
00a3e3ff92bd1b3940b91e4f5cda30d2afa2e93c90220b91d56037ea7ec75940

SHA512
c5fde840ffc57786223cf49874033b84caa60e4ae6b92bcd7497ceef62e717917d3e55f8372ec2df0d5fe6262dbbb6e3b63a459e97b6032b1ac7b1dba9092acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
a497aa5dab56231fe698956b60508693

SHA1
3889f5a43a4069bd012e542e019bc7e4c03074df

SHA256
4eb57fc22fa4b6d1ab6e3a6aa5a72d3ddfca049cb5d5077c18c9e57d60f3df6c

SHA512
9a3ea2e5b4fc3049e718a6b98876db4fa3ffeb075385a733415f449eabda2c40b289cb1fa1bd630d269af6a82b88997f37ccbf8e6c17198ed298571027a4cbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
943KB

MD5
6fba6fdd825cd10f8a9014b87c8fe4ab

SHA1
330433fcdc4149fb4368286830b41064901a65c3

SHA256
155c1c2d7435cdeba2f618d83a635fb4aa5a71a18ed500e32b589e5906971802

SHA512
1e1fe06e99f13e1995aa042a8467e504bc294436feb7d40519b6a374d534c75b1dc313f6ff83d61ceac821ae3e8af3f6b2e376a9a9f14ed8dcd7b10185cbf97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
943KB

MD5
acbcfacf26e4bbe3a6e6a3ef8aacfd1b

SHA1
3b18efc7446c88cf80a6d122e0236038eff81ecb

SHA256
165c5371ef9924bdfea8b3a1f54f6ae0f8b72d85898ff76f4a8d77d57907a878

SHA512
7de4a4aa602a361a21e6c5a8cbe786ca6fae643a0cf5ca7a1e54be06c145e68bda81c8d0e2961f3673c1a87ddb1bb8e245e8ea0a2c82edd21eacc9f9080a2a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
943KB

MD5
c8dccfc008a1e7cdbc20758a41ec042c

SHA1
f1ab82c8c4fdfdd86d7e59990a67b83eab0fb3f3

SHA256
a6ccce53e150338685f92bec51168933276fdaecb11f701ef2e8da4257275f82

SHA512
ca0183b650c27aedfc17f1ea4d96d4f03ce3d99ca62f52586ab1d8e18b45a66ba72540fac8fa3dffa05fefe984d1840d785e802bfe52e5f84a458b34c4492d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
944KB

MD5
cf31e10d32847fb6513ab6ca8c92664b

SHA1
cb2342b36a8d7bf479834e1fdc765c3548aa4342

SHA256
3ce2ed9b784c0f53ea48f3719fa06668aed3077ce1a37bcafd36773eddc2feea

SHA512
7aed841f6c23166f4738817630d6aa430e2533ff7cb50146520df8bd075115aafa44fa9fa813bf1e49414534ddbd59d81154f682372cc7cd968d3458527be280

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
944KB

MD5
40d34a2a420216efe29a46b4fcbaf150

SHA1
1a76914f91ecac48572bff39d52224755a6756c3

SHA256
a69516782c40c05dde2a64c9da3dbcf3c7abffb37408be8bff27bdb66d5baef5

SHA512
474a64711402dfcb5199f4fdc88cae4f296f7c7d843752ab2357a519edefa7a9da5a39379d72f2fc595474d0fbad39a7ccc7ebbdc77e372536225380c3120a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
944KB

MD5
c3894a9664a7d4ccc62ffca6f9109906

SHA1
031fa3e3ae6d43cd1e0b6fa8391d5b30ec967bea

SHA256
b711f0a16a61d789d4624f78fd20849b1d1e83f4037d4242a493ab485229a03e

SHA512
91aba6158052176b049ccfe3afb19f770f4a71a558e5fb3012af517a8d290b92663bcd207dd39fb196386da4c532f3c9b6fe285c73f644638ed847c82357f42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
2.5MB

MD5
31d6dd52fc392847b5bdf13199f8c74b

SHA1
b411cffbca67cca0cb1ff8d0edd36b0afc0fe6e3

SHA256
68d36fcb6d5cdc955a9bea92de0019e87b5dce5b26e6534b110c3648ae53b4a1

SHA512
cdb3886b6e1d8bf75ac0e215719542053435d809d76703fe669f6d2e6982fa5588d508bc3885fac9c23bf0917a2e1556fecfd61e6ade5cb3b0b6d45bdc9d133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
2.5MB

MD5
d8d494a5e14177ece568b03e5fa2951b

SHA1
80569f8b248efe1a7f4d8cddc636baa03fa01224

SHA256
4caebcd0acccc1e631adbd0648a1c63e4baedb1c1e068f77513833e5651a530e

SHA512
d31e18053e2e2ed03d397a2232a2a22967b9c1147cea068cdc81132173ec084bc43140df51a558f512d6d063e1a35c29af131da97b988a7f4a5569968269e745

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
474B

MD5
051802bd0f6ae25a7307ebe5ce07484b

SHA1
56a79893d916411ad24bf56a5efae06053b069e2

SHA256
7b436db4aa8b38625f783e2dc8a750e071585ab4e52a86ab61cabbbbe0869cbe

SHA512
5f0ec679ec4d4c920f4fcb00f993c372aef7e1236ebdef1ceef8e19de7b6bcd6138eb3f98563327d3216cc69ae1bd53b9a15190543890b7d480c25ceb2cee3fe

Download Submit
memory/536-104-0x000000001BAB0000-0x000000001BAC6000-memory.dmp

Filesize
88KB

Download
memory/4808-83-0x000000001C7D0000-0x000000001C81E000-memory.dmp

Filesize
312KB

Download
memory/4808-72-0x000000001C660000-0x000000001C678000-memory.dmp

Filesize
96KB

Download
memory/4808-81-0x000000001C7A0000-0x000000001C7AE000-memory.dmp

Filesize
56KB

Download
memory/4808-80-0x000000001C790000-0x000000001C7A0000-memory.dmp

Filesize
64KB

Download
memory/4808-79-0x000000001C730000-0x000000001C78A000-memory.dmp

Filesize
360KB

Download
memory/4808-77-0x000000001C710000-0x000000001C720000-memory.dmp

Filesize
64KB

Download
memory/4808-76-0x000000001C700000-0x000000001C70E000-memory.dmp

Filesize
56KB

Download
memory/4808-74-0x000000001C690000-0x000000001C6A2000-memory.dmp

Filesize
72KB

Download
memory/4808-73-0x000000001C680000-0x000000001C68E000-memory.dmp

Filesize
56KB

Download
memory/4808-82-0x000000001C7B0000-0x000000001C7C8000-memory.dmp

Filesize
96KB

Download
memory/4808-71-0x000000001C6B0000-0x000000001C700000-memory.dmp

Filesize
320KB

Download
memory/4808-70-0x000000001BB80000-0x000000001BB9C000-memory.dmp

Filesize
112KB

Download
memory/4808-68-0x000000001BB50000-0x000000001BB76000-memory.dmp

Filesize
152KB

Download
memory/4808-78-0x000000001C720000-0x000000001C730000-memory.dmp

Filesize
64KB

Download
memory/4808-75-0x000000001C6A0000-0x000000001C6B6000-memory.dmp

Filesize
88KB

Download
memory/4808-69-0x000000001BB70000-0x000000001BB7E000-memory.dmp

Filesize
56KB

Download
memory/4808-67-0x0000000000EE0000-0x0000000001102000-memory.dmp

Filesize
2.1MB

Download