dcrat | 20e9dafaa42a6b6122ecc150622cf8aabe7a324527df144561de5ba0b486ab2a

Analysis

max time kernel
122s
max time network
157s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-02-2025 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WmiPrvSE.exe
Size

1.8MB
MD5

b5c4fa68d74ab47092a46241d6b10a16
SHA1

e754f10c51933c1ef98782fbf695e8f21198fe7e
SHA256

20e9dafaa42a6b6122ecc150622cf8aabe7a324527df144561de5ba0b486ab2a
SHA512

3ab67cb936cab9eb89bb8275309cbc5f56d7f03e554b5cc7bd54305c282b6e8a0feb4af8c1ebc7073d63c371444751c522b030748b4d57c28a768fd6cfdb5293
SSDEEP

24576:xoGjZgFKRWhFSJVRNkiPmfqbvi5iqOlK565cvugnpQS2/DS7w0KksrSTkdu+vNph:xav+RxbvikJj4npQS2/DSs6YVz7sD

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2188	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2188	schtasks.exe	31

Executes dropped EXE 1 IoCs

pid	Process
1696	WmiPrvSE.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe	WmiPrvSE.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\24dbde2999530e	WmiPrvSE.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	WmiPrvSE.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e	WmiPrvSE.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\886983d96e3d3e	WmiPrvSE.exe
File created	C:\Windows\Cursors\System.exe	WmiPrvSE.exe
File opened for modification	C:\Windows\Cursors\System.exe	WmiPrvSE.exe
File created	C:\Windows\Cursors\27d1bcfc3c54e0	WmiPrvSE.exe
File created	C:\Windows\L2Schemas\csrss.exe	WmiPrvSE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2384	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2384	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2740	schtasks.exe
2412	schtasks.exe
2096	schtasks.exe
1196	schtasks.exe
1356	schtasks.exe
2032	schtasks.exe
2800	schtasks.exe
1664	schtasks.exe
2828	schtasks.exe
1256	schtasks.exe
2112	schtasks.exe
2012	schtasks.exe
1940	schtasks.exe
2924	schtasks.exe
2940	schtasks.exe
2988	schtasks.exe
2820	schtasks.exe
1548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	WmiPrvSE.exe
Token: SeDebugPrivilege	1696	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2960	2568	WmiPrvSE.exe	50
PID 2568 wrote to memory of 2960	2568	WmiPrvSE.exe	50
PID 2568 wrote to memory of 2960	2568	WmiPrvSE.exe	50
PID 2960 wrote to memory of 852	2960	cmd.exe	52
PID 2960 wrote to memory of 852	2960	cmd.exe	52
PID 2960 wrote to memory of 852	2960	cmd.exe	52
PID 2960 wrote to memory of 2384	2960	cmd.exe	53
PID 2960 wrote to memory of 2384	2960	cmd.exe	53
PID 2960 wrote to memory of 2384	2960	cmd.exe	53
PID 2960 wrote to memory of 1696	2960	cmd.exe	54
PID 2960 wrote to memory of 1696	2960	cmd.exe	54
PID 2960 wrote to memory of 1696	2960	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe
"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\85cqTPWTP4.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:852
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2384
- - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe
    "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Cursors\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\Office14\1033\csrss.exe

Filesize
1.8MB

MD5
b5c4fa68d74ab47092a46241d6b10a16

SHA1
e754f10c51933c1ef98782fbf695e8f21198fe7e

SHA256
20e9dafaa42a6b6122ecc150622cf8aabe7a324527df144561de5ba0b486ab2a

SHA512
3ab67cb936cab9eb89bb8275309cbc5f56d7f03e554b5cc7bd54305c282b6e8a0feb4af8c1ebc7073d63c371444751c522b030748b4d57c28a768fd6cfdb5293

Download Submit
C:\Users\Admin\AppData\Local\Temp\85cqTPWTP4.bat

Filesize
201B

MD5
ae8150c38375eebdc1dad0a2ee2ada76

SHA1
0ccdb8a04440f833aca15590a802a7bc6ab4852e

SHA256
1f5142ee498ada1a2ad2cf78deb9537c3ced50e82730231ec857398d42233126

SHA512
6223eae91ba1b2116e555944563921bc2a3cfa0da8e25ea331b63e6ff38ae8a85904f5c784fcd352fde6f02770bcc0e498472969a7d308a7b859217c94ea7be5

Download Submit
memory/1696-35-0x00000000002D0000-0x00000000004A2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-11-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-16-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-6-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/2568-8-0x0000000000540000-0x000000000055C000-memory.dmp

Filesize
112KB

Download
memory/2568-10-0x0000000000560000-0x0000000000578000-memory.dmp

Filesize
96KB

Download
memory/2568-0-0x000007FEF5653000-0x000007FEF5654000-memory.dmp

Filesize
4KB

Download
memory/2568-15-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-4-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-3-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-25-0x000007FEF5653000-0x000007FEF5654000-memory.dmp

Filesize
4KB

Download
memory/2568-26-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-2-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-32-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-1-0x0000000001050000-0x0000000001222000-memory.dmp

Filesize
1.8MB

Download