dcrat | 877671c4a555e37e34c6b9ecab2cc958b28cc9617c6f53e3841a6386de180e19

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d213353948aba4d80c28823d8661951.exe
Size

1.8MB
MD5

3d213353948aba4d80c28823d8661951
SHA1

8c7dadac2ee5f348a8940ab47187b39fd025bead
SHA256

877671c4a555e37e34c6b9ecab2cc958b28cc9617c6f53e3841a6386de180e19
SHA512

36ba2c76563094e5c8248a05c088ad9c496573ccb6a9799759c38ef77f89e61b9832c617abc7322646c7c029ec8e573f82a4a1cc25b656bee5af82a188cab6c1
SSDEEP

24576:/r34Nhem94rOh31QzGpKHaHYSvvv22db+PowhGhomMJV4ynedX4QD/d5lBxdU7it:/I6g1AqY2v22pVfSJKyiXRd5lKu

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	824	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	824	schtasks.exe	82

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	3d213353948aba4d80c28823d8661951.exe

Executes dropped EXE 1 IoCs

pid	Process
1276	Idle.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\fr-FR\dllhost.exe	3d213353948aba4d80c28823d8661951.exe
File created	C:\Program Files\Windows Defender\fr-FR\5940a34987c991	3d213353948aba4d80c28823d8661951.exe
File created	C:\Program Files\ModifiableWindowsApps\explorer.exe	3d213353948aba4d80c28823d8661951.exe
File created	C:\Program Files\Windows Defender\fr-FR\dllhost.exe	3d213353948aba4d80c28823d8661951.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4032	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	3d213353948aba4d80c28823d8661951.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4032	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2376	schtasks.exe
1092	schtasks.exe
3568	schtasks.exe
2428	schtasks.exe
3116	schtasks.exe
4940	schtasks.exe
2408	schtasks.exe
2280	schtasks.exe
368	schtasks.exe
4756	schtasks.exe
4160	schtasks.exe
4876	schtasks.exe
3084	schtasks.exe
1892	schtasks.exe
4432	schtasks.exe
996	schtasks.exe
1076	schtasks.exe
5048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe
348	3d213353948aba4d80c28823d8661951.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	348	3d213353948aba4d80c28823d8661951.exe
Token: SeDebugPrivilege	1276	Idle.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 3980	348	3d213353948aba4d80c28823d8661951.exe	101
PID 348 wrote to memory of 3980	348	3d213353948aba4d80c28823d8661951.exe	101
PID 3980 wrote to memory of 632	3980	cmd.exe	103
PID 3980 wrote to memory of 632	3980	cmd.exe	103
PID 3980 wrote to memory of 4032	3980	cmd.exe	104
PID 3980 wrote to memory of 4032	3980	cmd.exe	104
PID 3980 wrote to memory of 1276	3980	cmd.exe	111
PID 3980 wrote to memory of 1276	3980	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3d213353948aba4d80c28823d8661951.exe
"C:\Users\Admin\AppData\Local\Temp\3d213353948aba4d80c28823d8661951.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QMJej92E5n.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:632
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4032
- - C:\Recovery\WindowsRE\Idle.exe
    "C:\Recovery\WindowsRE\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\SoftwareDistribution\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\SoftwareDistribution\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d213353948aba4d80c28823d86619513" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\3d213353948aba4d80c28823d8661951.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d213353948aba4d80c28823d8661951" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\3d213353948aba4d80c28823d8661951.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d213353948aba4d80c28823d86619513" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\3d213353948aba4d80c28823d8661951.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QMJej92E5n.bat

Filesize
158B

MD5
058989fbe95f49d66215340e688ff7ab

SHA1
3b77a329e33a3205478db07c41116ce2c601c2a9

SHA256
79e4deebfbfc0202622767738910fd1276accc7adb23293f42cef8f1952bbea5

SHA512
a07302ca3a6f65323eaa6f94cb1496b08510137e617c16825986fe3c7d97a987b9423c3bfd2a7f1957ddb9e21848965681ea99f79ba45ca376036703180d683d

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\taskhostw.exe

Filesize
1.8MB

MD5
3d213353948aba4d80c28823d8661951

SHA1
8c7dadac2ee5f348a8940ab47187b39fd025bead

SHA256
877671c4a555e37e34c6b9ecab2cc958b28cc9617c6f53e3841a6386de180e19

SHA512
36ba2c76563094e5c8248a05c088ad9c496573ccb6a9799759c38ef77f89e61b9832c617abc7322646c7c029ec8e573f82a4a1cc25b656bee5af82a188cab6c1

Download Submit
memory/348-14-0x00000000031B0000-0x00000000031BE000-memory.dmp

Filesize
56KB

Download
memory/348-15-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/348-4-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/348-6-0x00000000031A0000-0x00000000031AE000-memory.dmp

Filesize
56KB

Download
memory/348-7-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/348-9-0x000000001B9F0000-0x000000001BA0C000-memory.dmp

Filesize
112KB

Download
memory/348-10-0x000000001BED0000-0x000000001BF20000-memory.dmp

Filesize
320KB

Download
memory/348-12-0x000000001BA10000-0x000000001BA28000-memory.dmp

Filesize
96KB

Download
memory/348-0-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

Filesize
8KB

Download
memory/348-3-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/348-25-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/348-2-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/348-28-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/348-29-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/348-30-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/348-31-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/348-37-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/348-1-0x0000000000CE0000-0x0000000000EBE000-memory.dmp

Filesize
1.9MB

Download