Overview

overview

10

Static

static

10

DCRatBuild.exe

windows7-x64

10

DCRatBuild.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-02-2025 06:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    2.2MB

  • MD5

    f961009433ca2f3a302b6a7236bc7ef4

  • SHA1

    de9c950643db1fd43fd37d1f01db5d186a492244

  • SHA256

    b4b47571926c6fb637d7ca1f9ce6e171ab98f8d63f9efb89954ca9aa10c8260b

  • SHA512

    3637e15257a813ed87ad05ebc4fc28550c8440afe06e07205309c69f615e03f0cc7e318357fabe7951c729c56d079e188aad4b10e1e4feabf010e11e729875a1

  • SSDEEP

    49152:UbA30EQtOTsSj5tM1xb5fO7jR1SaZRX62:UbFCBjHgx1fsjR1ne2

Score
10/10
dcratdefense_evasiondiscoveryinfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    defense_evasiontrojan
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • System policy modification 1 TTPs 6 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\serverComponentDllcommon\bx6BMmKgSYwa72gSXp87543q080.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\serverComponentDllcommon\zRrwLBfNMV0sSxintCMs2hsAWOJU.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\serverComponentDllcommon\BlockCrtdll.exe
          "C:\serverComponentDllcommon\BlockCrtdll.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2792
          • C:\Windows\AppCompat\Programs\dwm.exe
            "C:\Windows\AppCompat\Programs\dwm.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • System policy modification
            PID:2732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\serverComponentDllcommon\bx6BMmKgSYwa72gSXp87543q080.vbe
    Filesize

    229B

    MD5

    d88322aff4ad78498de6b2f94849650b

    SHA1

    083dad97a0c0fb49bff2aafb71b3c2f1649b7874

    SHA256

    8ef333818cc91032a286af156d19dc2940e23349b59823fd321899b45411dff7

    SHA512

    8017b8704665def6102dc1a1ba09d6d2786ca3810160df40da980a839eff518d714bdc71677ffc3102ea60b51e034c134d78dec81d4ea69dd7ef2929055bddd7

    Download Submit

  • C:\serverComponentDllcommon\zRrwLBfNMV0sSxintCMs2hsAWOJU.bat
    Filesize

    45B

    MD5

    f1e21d43b8f7088bb04b918c5d374889

    SHA1

    3af9d153963b57f317b38d543e2d49d7e5f2b024

    SHA256

    0734a22e43a714e98295ec0cf6fa0b801dc7634b206533a219401a9f87444fc6

    SHA512

    8ae8c28afaa70cbbd5c0c7395855299402552c707b3c0e1ab1cf43adb643175ac5f69063a1a8433ab2db3eae2e6c992164478d8229e35814e41f116d797f3c3b

    Download Submit

  • \serverComponentDllcommon\BlockCrtdll.exe
    Filesize

    1.9MB

    MD5

    496e5e387972013c1cb840b3c950619a

    SHA1

    590ebfbeb19abe6209ce0fd443a4ddbf99bb6b06

    SHA256

    65c9c72f636b657567a6c266530e32fced0bd925862a8cb1a36f17ed2e5fcab9

    SHA512

    627852c5b9c5623d63af7e328350a12390df8dac076df5eb68e9d062af6e4b722b454f84385084f2010853c2af0a78b1ae7eab5a04e75a522308bc5d196ca064

    Download Submit

  • memory/2732-27-0x0000000000D80000-0x0000000000F6A000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2792-13-0x0000000000F20000-0x000000000110A000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2792-14-0x0000000000450000-0x000000000045A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2792-15-0x0000000000B70000-0x0000000000BC6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2792-16-0x0000000000460000-0x000000000046C000-memory.dmp

    Filesize

    48KB

    Download