dcrat | b2745f51ed35c1ecef03c466af5872c79a50cbf57f1b398c7c368f70c48dceac

Analysis

max time kernel
106s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DoxoGram.exe
Size

164.7MB
MD5

c3a81a9e5fafbb1c0d52befb0d4d5f70
SHA1

a22703fb5ea58a669189be756bea90b875b189e5
SHA256

b2745f51ed35c1ecef03c466af5872c79a50cbf57f1b398c7c368f70c48dceac
SHA512

96a78469b9730116cb5dc9e9ea9703d080e90a817da56fd557ad63faa59c54e74c683afa4dd32fa61cd504aa44616b5c3b9ea9151fc2eec589e5cc3cbfa9b525
SSDEEP

24576:zTbBv5rUdzf3fDhPCGgZrYLolvaongbHIBnS9JoLUIMxjqkUztx0/ceaEj1PtM:tBK/8aEgbQS9JoLUrxWlZx3ej

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2040	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	2040	schtasks.exe	89

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	DoxoGram.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	serverHost.exe

Executes dropped EXE 2 IoCs

pid	Process
3832	serverHost.exe
2684	fontdrvhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DoxoGram.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1216	PING.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	DoxoGram.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	serverHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1216	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4056	schtasks.exe
2472	schtasks.exe
1900	schtasks.exe
3184	schtasks.exe
4704	schtasks.exe
3360	schtasks.exe
2612	schtasks.exe
3556	schtasks.exe
4336	schtasks.exe
2596	schtasks.exe
2072	schtasks.exe
1212	schtasks.exe
876	schtasks.exe
60	schtasks.exe
848	schtasks.exe
4872	schtasks.exe
4536	schtasks.exe
2732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
3832	serverHost.exe
2684	fontdrvhost.exe
2684	fontdrvhost.exe
2684	fontdrvhost.exe
2684	fontdrvhost.exe
2684	fontdrvhost.exe
2684	fontdrvhost.exe
2684	fontdrvhost.exe
2684	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	serverHost.exe
Token: SeDebugPrivilege	2684	fontdrvhost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 3632	3692	DoxoGram.exe	87
PID 3692 wrote to memory of 3632	3692	DoxoGram.exe	87
PID 3692 wrote to memory of 3632	3692	DoxoGram.exe	87
PID 3632 wrote to memory of 3156	3632	WScript.exe	92
PID 3632 wrote to memory of 3156	3632	WScript.exe	92
PID 3632 wrote to memory of 3156	3632	WScript.exe	92
PID 3156 wrote to memory of 3832	3156	cmd.exe	94
PID 3156 wrote to memory of 3832	3156	cmd.exe	94
PID 3832 wrote to memory of 3868	3832	serverHost.exe	113
PID 3832 wrote to memory of 3868	3832	serverHost.exe	113
PID 3868 wrote to memory of 2064	3868	cmd.exe	115
PID 3868 wrote to memory of 2064	3868	cmd.exe	115
PID 3868 wrote to memory of 1216	3868	cmd.exe	116
PID 3868 wrote to memory of 1216	3868	cmd.exe	116
PID 3868 wrote to memory of 2684	3868	cmd.exe	118
PID 3868 wrote to memory of 2684	3868	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DoxoGram.exe
"C:\Users\Admin\AppData\Local\Temp\DoxoGram.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Driverdll\dH1riXXzIG5UP2X1C6xDLIwoX7zMYB6ggNk.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Driverdll\AWLVdO3Dfq.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Driverdll\serverHost.exe
      "C:\Driverdll/serverHost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3832
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9iRRngLbY4.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3868
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2064
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1216
      - C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Driverdll\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Driverdll\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Driverdll\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "serverHosts" /sc MINUTE /mo 6 /tr "'C:\Driverdll\serverHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "serverHost" /sc ONLOGON /tr "'C:\Driverdll\serverHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "serverHosts" /sc MINUTE /mo 12 /tr "'C:\Driverdll\serverHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Driverdll\AWLVdO3Dfq.bat

Filesize
67B

MD5
3e4f6ebe1be78aa56db81609d4f0fc5d

SHA1
a495cfbea37264374c1c41822383022f524819c8

SHA256
3ac1551fe1f8c9aae1ffb8a26abe9441c460da01d2e7fcdeea02eba46c21ccbf

SHA512
af67e170d11f91616c864b5a89b52148a4fab9e4a6db5ee081e013ff6050d915217d746726e4f590b512d64c39e58a1d5a7921a3cc540e2d6925a999739e0b40

Download Submit
C:\Driverdll\dH1riXXzIG5UP2X1C6xDLIwoX7zMYB6ggNk.vbe

Filesize
198B

MD5
0bfab865648ba5152d4aff3580210feb

SHA1
c15f7c4fc4b134ca0e967fe9e7cc57411d7db948

SHA256
0a0c7bb581404a9d8ad640e84b42fc008fc5f91d9eb7917b76687a4be5738729

SHA512
054fbf87702cecb2be4cade1291b61c6c3ddaf6ab12c2d1740fdf2da2c1f4953c72b1cde872204971cc78af2fc7f566d0185409d01bb6cab06929130c75c7e99

Download Submit
C:\Driverdll\serverHost.exe

Filesize
1.8MB

MD5
71e9f899f1aaf32792d9dd3c488ffcd9

SHA1
712e90f2f50c41f68eed8cebaee8b24575465edf

SHA256
da7d52e79731992107b572e4554174d183037d58ae8ad05988281ffbb12b3bd4

SHA512
2f1fb9b0fd55523dde63b946a087fa2d82105ba652f9231abaec2512485346da0be90518eb14e6f6c5f7bbb910b76f5029bcc4dbd26aa0ec3171c0539272582e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9iRRngLbY4.bat

Filesize
165B

MD5
428300664327a89f2f73921bc908bb71

SHA1
1a00520940a05b15b31f765d010bd2e8660b3253

SHA256
ae574ce1e71f0f2c34b163955ca5aadd95b28cdba9247cb06e2e5b36a6787f45

SHA512
508ee5da3427595c009c068492d5deb6c59623ba096bd2947ab929d924e5c77270eaf66b862e9416988991ff3aad449ae08921e95d000f34334eb865ba2db72b

Download Submit
memory/3832-12-0x00007FFBD8033000-0x00007FFBD8035000-memory.dmp

Filesize
8KB

Download
memory/3832-13-0x00000000009C0000-0x0000000000B92000-memory.dmp

Filesize
1.8MB

Download
memory/3832-15-0x000000001B7A0000-0x000000001B7AE000-memory.dmp

Filesize
56KB

Download
memory/3832-17-0x000000001B7D0000-0x000000001B7EC000-memory.dmp

Filesize
112KB

Download
memory/3832-18-0x000000001BB80000-0x000000001BBD0000-memory.dmp

Filesize
320KB

Download
memory/3832-20-0x000000001B7F0000-0x000000001B808000-memory.dmp

Filesize
96KB

Download