Overview

overview

10

Static

static

10

DCRatBuild.exe

windows7-x64

10

DCRatBuild.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21-01-2025 19:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    811KB

  • MD5

    2e4246ce82069e5e1f389e556634d683

  • SHA1

    2beb8cbe24d8775df79abaeb38fae72e96719d08

  • SHA256

    c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c

  • SHA512

    db52a5460d82bd1d8a250b2de68e3f0b55e7dbb044ccaf034484782cc2a7bc8e5c546954d3b6587b65be63181bf5f8c0603619d8438fb1c14744438fe78e66a8

  • SSDEEP

    12288:kKIIhtQY47i/eIFdRgbE1ooBQdpW3Ari4VVyZC0+1cXOoxPRq/6:kCaY4gFdRgbiooBQd3iE0n/xa6

Score
10/10
dcratdiscoveryexecutioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qmjrkgv4\qmjrkgv4.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B41.tmp" "c:\Windows\System32\CSC3DDE4E4B38D4944B832EAFD514EB3.TMP"
        3⤵
          PID:1672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsm.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2348
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2332
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\dllhost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2284
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\lsass.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1396
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\dllhost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2456
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ScZaMetbBR.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:2536
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1372
          • C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\lsass.exe
            "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\lsass.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1544
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2372
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:932
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2604
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2840
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2432
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1416
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2936
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Videos\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2948
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1696
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:572
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:940
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1956
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2020
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "DCRatBuildD" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "DCRatBuild" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1796
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "DCRatBuildD" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2128

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      Remote System Discovery

      1
      T1018

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\lsm.exe
        Filesize

        811KB

        MD5

        2e4246ce82069e5e1f389e556634d683

        SHA1

        2beb8cbe24d8775df79abaeb38fae72e96719d08

        SHA256

        c890d39d06a7d437d44a92b4a3f98e55c9cfb112b9ae8955d098dd5e1b93cd9c

        SHA512

        db52a5460d82bd1d8a250b2de68e3f0b55e7dbb044ccaf034484782cc2a7bc8e5c546954d3b6587b65be63181bf5f8c0603619d8438fb1c14744438fe78e66a8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES6B41.tmp
        Filesize

        1KB

        MD5

        1c9fb93063c08a986fa2b82fb41ac689

        SHA1

        5bcb87a07fccf532ee6a5753ff9b914f527b0deb

        SHA256

        73e233d4d3a4504b126503bf8cbdad346aff92fa9afc2d1c6b7e486d095bb7ae

        SHA512

        fefe8f57bb30070edaf6126a86d1e27c0d0308893085f09034925194392270dc77a56cfe953ea2f6d6f7c2e6cf931f9388f800426cd4bef0a4db2bce848ecd54

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ScZaMetbBR.bat
        Filesize

        189B

        MD5

        7066320aed78e95eee290eb6d82760ed

        SHA1

        c7585114a4ae53aa4443048f62a8bb3c095b6f61

        SHA256

        972292ee173883ca96481b3b2c74a242c93ba54b856721405696674b114adf92

        SHA512

        d4cfdff7dd39dbb9e2b37992ce1f76b95f9b8d4a89a70dd02338b9fede65d481b866147dd14142f9df5b4e386c25345fba9341325d3e15a3ed92b962fe2b41c1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        830b17ac0b36a2504ec08029dccc4c9c

        SHA1

        eecb2a30e990ef26b4cc34e458cce0c04105d32a

        SHA256

        d6f9c161f3d6f031095d1b0474cca2b7d2d29a48fb5e3332917b7e317b181401

        SHA512

        075cb499743a151257cfa0718e1da493b034e699ae94488ac0538134d5d12428028538836309655ac4150011f876dcf0eb677c4e8ed6aadf7dedafddd202ef68

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\qmjrkgv4\qmjrkgv4.0.cs
        Filesize

        402B

        MD5

        2b7133e17c80731f2130b0f003c49333

        SHA1

        184d9ec4f77b8d112b00693662c72237ff33bdf8

        SHA256

        754c74c53cc28aa7bcef16a1cc4b3ede2ffc61bd4f9e308344ffe124949a17f8

        SHA512

        7dd18824af26d44313d7cf3a98c29335bdde1d40791afc5587eeddb1dd2a959c6da78281dee9a909ea81260ea1728a787c6fd208f388a138399dedb3727ac981

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\qmjrkgv4\qmjrkgv4.cmdline
        Filesize

        235B

        MD5

        c3202f23c882f203f8a668c5b3e1219a

        SHA1

        6f95eb50d0faca2eb1d0be6da770e82d63e1b16b

        SHA256

        f2e8add9368a59cc9d3da821eb20423a9c221fa9d48852d055e9402b28cab2fa

        SHA512

        7a3bdc55054840d819fc4fc18d03fc906f976efac883990a49c0c987179ddc9378ca63ef865e2203614572b83e7a4acc981ce6da795154fba837dfb09ae5c4b1

        Download Submit

      • \??\c:\Windows\System32\CSC3DDE4E4B38D4944B832EAFD514EB3.TMP
        Filesize

        1KB

        MD5

        60a1ebb8f840aad127346a607d80fc19

        SHA1

        c8b7e9ad601ac19ab90b3e36f811960e8badf354

        SHA256

        9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

        SHA512

        44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

        Download Submit

      • memory/1544-86-0x0000000000B90000-0x0000000000C62000-memory.dmp

        Filesize

        840KB

        Download

      • memory/2092-10-0x00000000003C0000-0x00000000003D8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2092-8-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2092-13-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2092-15-0x0000000000260000-0x000000000026E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2092-16-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2092-20-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2092-19-0x0000000000380000-0x000000000038C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2092-17-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2092-28-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2092-11-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2092-0-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2092-12-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2092-7-0x00000000003A0000-0x00000000003BC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2092-5-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2092-45-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2092-46-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2092-4-0x0000000000250000-0x000000000025E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2092-1-0x0000000000AE0000-0x0000000000BB2000-memory.dmp

        Filesize

        840KB

        Download

      • memory/2092-2-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2092-82-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2284-83-0x00000000023E0000-0x00000000023E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2456-80-0x000000001B230000-0x000000001B512000-memory.dmp

        Filesize

        2.9MB

        Download