dcrat | d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454

Analysis

max time kernel
144s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2025 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
Size

1.9MB
MD5

b8ec608361912ca3c3eee53a31d482a3
SHA1

1c48c9d1e58f98fb778bebe88950350e12705070
SHA256

d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454
SHA512

442b548d094852b95695eca27f2a2e26acbb71b85a45ce8c17a192a10506076f7bb88216ab38790218e403b4305b84572b33de826623cf68a9a65abc87287bf6
SSDEEP

24576:MYAO3n8MjQTrnPQt62BYDA4yaOBGz62J8KROioT8t/ksGKQhum8dCVrHECa0WOID:MYrn7bT4yaOBu8KRON6JGKU7WOL

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\System.exe	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
File created	C:\Program Files\Uninstall Information\taskhostw.exe	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
File created	C:\Program Files\Uninstall Information\ea9f0e6c9e2dcd	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\DiagTrack\Scenarios\sppsvc.exe	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
File created	C:\Windows\DiagTrack\Scenarios\0a1fd5f707cd16	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Music\upfc.exe	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Music\ea1d8f6d871115	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2216	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2216	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2336	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
Token: SeDebugPrivilege	2336	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 2392	3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe	85
PID 3764 wrote to memory of 2392	3764	d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe	85
PID 2392 wrote to memory of 3516	2392	cmd.exe	87
PID 2392 wrote to memory of 3516	2392	cmd.exe	87
PID 2392 wrote to memory of 2216	2392	cmd.exe	88
PID 2392 wrote to memory of 2216	2392	cmd.exe	88
PID 2392 wrote to memory of 2336	2392	cmd.exe	89
PID 2392 wrote to memory of 2336	2392	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
"C:\Users\Admin\AppData\Local\Temp\d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wcgGHqFXuD.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3516
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2216
- - C:\Users\Admin\AppData\Local\Temp\d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe
    "C:\Users\Admin\AppData\Local\Temp\d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454.exe.log

Filesize
1KB

MD5
1eff74e45bb1f7104e691358cb209546

SHA1
253b13ffad516cc34704f5b882c6fa36953a953f

SHA256
7ad96be486e6058b19446b95bb734acdaf4addc557b2d059a66ee1acfe19b3fc

SHA512
44163ed001baf697ce66d3b386e13bf5cb94bc24ce6b1ae98665d766d5fcdf0ca28b41ecc26c5f11bbea117ac17099e87f204f9d5469bb102a769548edeead7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcgGHqFXuD.bat

Filesize
230B

MD5
7ff3bcf685133d93c7c422d397d4e49b

SHA1
0a020b7041db13eb858adf6a18a7f3ea33b74d85

SHA256
414732d1e9cd0c7e89a2b67fdcadcd3f05d5f70ff564502b97804f3378857a3d

SHA512
ff92beb2b9e0be6fe0c607cd4fd53e8707d3e6a1129e28353cb8970ebe6676fbe5dc7803cde43c9216d87ad144ab87951fc73e8bdde77c6d27a9e427f66e512e

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Music\upfc.exe

Filesize
1.9MB

MD5
b8ec608361912ca3c3eee53a31d482a3

SHA1
1c48c9d1e58f98fb778bebe88950350e12705070

SHA256
d7b59ed6536dbccd08c10abf5c2064babac20666844909cf1fa94ce9159eb454

SHA512
442b548d094852b95695eca27f2a2e26acbb71b85a45ce8c17a192a10506076f7bb88216ab38790218e403b4305b84572b33de826623cf68a9a65abc87287bf6

Download Submit
memory/2336-50-0x000000001C1F0000-0x000000001C2BD000-memory.dmp

Filesize
820KB

Download
memory/3764-15-0x00007FFFC9990000-0x00007FFFCA451000-memory.dmp

Filesize
10.8MB

Download
memory/3764-19-0x0000000002810000-0x000000000281C000-memory.dmp

Filesize
48KB

Download
memory/3764-9-0x00007FFFC9990000-0x00007FFFCA451000-memory.dmp

Filesize
10.8MB

Download
memory/3764-8-0x0000000002980000-0x000000000299C000-memory.dmp

Filesize
112KB

Download
memory/3764-10-0x000000001B1C0000-0x000000001B210000-memory.dmp

Filesize
320KB

Download
memory/3764-12-0x00000000029A0000-0x00000000029B8000-memory.dmp

Filesize
96KB

Download
memory/3764-14-0x00000000027F0000-0x00000000027FC000-memory.dmp

Filesize
48KB

Download
memory/3764-17-0x0000000002800000-0x000000000280E000-memory.dmp

Filesize
56KB

Download
memory/3764-0-0x00007FFFC9993000-0x00007FFFC9995000-memory.dmp

Filesize
8KB

Download
memory/3764-6-0x0000000000E30000-0x0000000000E3E000-memory.dmp

Filesize
56KB

Download
memory/3764-20-0x00007FFFC9990000-0x00007FFFCA451000-memory.dmp

Filesize
10.8MB

Download
memory/3764-26-0x00007FFFC9990000-0x00007FFFCA451000-memory.dmp

Filesize
10.8MB

Download
memory/3764-4-0x00007FFFC9990000-0x00007FFFCA451000-memory.dmp

Filesize
10.8MB

Download
memory/3764-36-0x00007FFFC9990000-0x00007FFFCA451000-memory.dmp

Filesize
10.8MB

Download
memory/3764-39-0x000000001B3C0000-0x000000001B48D000-memory.dmp

Filesize
820KB

Download
memory/3764-40-0x00007FFFC9990000-0x00007FFFCA451000-memory.dmp

Filesize
10.8MB

Download
memory/3764-41-0x00007FFFC9990000-0x00007FFFCA451000-memory.dmp

Filesize
10.8MB

Download
memory/3764-3-0x00007FFFC9990000-0x00007FFFCA451000-memory.dmp

Filesize
10.8MB

Download
memory/3764-2-0x00007FFFC9990000-0x00007FFFCA451000-memory.dmp

Filesize
10.8MB

Download
memory/3764-1-0x0000000000440000-0x000000000062C000-memory.dmp

Filesize
1.9MB

Download