dcrat | 55edcf08f8521a9cddde8570baaac0ab8ef6e640e96c834db0e5c12f5b9c68fe

Analysis

max time kernel
106s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f26d7a764816fad6183d06a6fc996857.exe
Size

984KB
MD5

f26d7a764816fad6183d06a6fc996857
SHA1

ab68307f5b1f1fbe0c99fcbed2b6d6ee3f596409
SHA256

dd6f503f280cc68627a4ef5082596457d1e608d0aef4a7f0d33e0640e520b81e
SHA512

d3b46e095ceb3cd56975c27708726d6d07a96c7c58aa3273630bfac596608eb868061655177140aef74e71728cd51427a91a9a36fbb4d4cbb2f1fc3c6c50ddfe
SSDEEP

12288:rzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:rzZvuGD2PvA5YxwmbZB6Uv

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	f26d7a764816fad6183d06a6fc996857.exe

Executes dropped EXE 1 IoCs

pid	Process
1408	f26d7a764816fad6183d06a6fc996857.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Documents and Settings\\winlogon.exe\""	f26d7a764816fad6183d06a6fc996857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\termsrv\\fontdrvhost.exe\""	f26d7a764816fad6183d06a6fc996857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\ebea8a0c5b7ebb8dc5b60da7\\spoolsv.exe\""	f26d7a764816fad6183d06a6fc996857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\""	f26d7a764816fad6183d06a6fc996857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\updates\\0\\RuntimeBroker.exe\""	f26d7a764816fad6183d06a6fc996857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f26d7a764816fad6183d06a6fc996857 = "\"C:\\Recovery\\WindowsRE\\f26d7a764816fad6183d06a6fc996857.exe\""	f26d7a764816fad6183d06a6fc996857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\KBDMONMO\\fontdrvhost.exe\""	f26d7a764816fad6183d06a6fc996857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	f26d7a764816fad6183d06a6fc996857.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\termsrv\fontdrvhost.exe	f26d7a764816fad6183d06a6fc996857.exe
File created	C:\Windows\System32\termsrv\5b884080fd4f94	f26d7a764816fad6183d06a6fc996857.exe
File opened for modification	C:\Windows\System32\KBDMONMO\RCX8821.tmp	f26d7a764816fad6183d06a6fc996857.exe
File opened for modification	C:\Windows\System32\KBDMONMO\fontdrvhost.exe	f26d7a764816fad6183d06a6fc996857.exe
File opened for modification	C:\Windows\System32\termsrv\RCX8E9C.tmp	f26d7a764816fad6183d06a6fc996857.exe
File opened for modification	C:\Windows\System32\termsrv\fontdrvhost.exe	f26d7a764816fad6183d06a6fc996857.exe
File created	C:\Windows\System32\KBDMONMO\fontdrvhost.exe	f26d7a764816fad6183d06a6fc996857.exe
File created	C:\Windows\System32\KBDMONMO\5b884080fd4f94	f26d7a764816fad6183d06a6fc996857.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe	f26d7a764816fad6183d06a6fc996857.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\55b276f4edf653	f26d7a764816fad6183d06a6fc996857.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\RCX81F3.tmp	f26d7a764816fad6183d06a6fc996857.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe	f26d7a764816fad6183d06a6fc996857.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	f26d7a764816fad6183d06a6fc996857.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5352	schtasks.exe
3704	schtasks.exe
968	schtasks.exe
4228	schtasks.exe
2376	schtasks.exe
2696	schtasks.exe
3712	schtasks.exe
216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1964	f26d7a764816fad6183d06a6fc996857.exe
1964	f26d7a764816fad6183d06a6fc996857.exe
1964	f26d7a764816fad6183d06a6fc996857.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	f26d7a764816fad6183d06a6fc996857.exe
Token: SeDebugPrivilege	1408	f26d7a764816fad6183d06a6fc996857.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2268	1964	f26d7a764816fad6183d06a6fc996857.exe	102
PID 1964 wrote to memory of 2268	1964	f26d7a764816fad6183d06a6fc996857.exe	102
PID 2268 wrote to memory of 3496	2268	cmd.exe	104
PID 2268 wrote to memory of 3496	2268	cmd.exe	104
PID 2268 wrote to memory of 1408	2268	cmd.exe	110
PID 2268 wrote to memory of 1408	2268	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe
"C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UWTsAvnYB.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3496
- - C:\Recovery\WindowsRE\f26d7a764816fad6183d06a6fc996857.exe
    "C:\Recovery\WindowsRE\f26d7a764816fad6183d06a6fc996857.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\updates\0\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f26d7a764816fad6183d06a6fc996857" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\f26d7a764816fad6183d06a6fc996857.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDMONMO\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Documents and Settings\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\termsrv\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f26d7a764816fad6183d06a6fc996857.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8UWTsAvnYB.bat

Filesize
222B

MD5
c95e0d61725d851f379e434ba21faf03

SHA1
aaed4fa39b5e39cc580c4f3fa59f9560da222624

SHA256
b017b9738b55aca533ca8cf795d5160aea70a777987dd695d20b663db032bf4f

SHA512
2332dcc1f0a9e54b55f2d3c555c2726d4440b7a599e2dd0327126b9e3186f84b85c2b747319330f8a2c11ea3bdc367741b29fcb7a7bb3b35274a6ffbbacf1099

Download Submit
C:\Windows\System32\KBDMONMO\fontdrvhost.exe

Filesize
984KB

MD5
f26d7a764816fad6183d06a6fc996857

SHA1
ab68307f5b1f1fbe0c99fcbed2b6d6ee3f596409

SHA256
dd6f503f280cc68627a4ef5082596457d1e608d0aef4a7f0d33e0640e520b81e

SHA512
d3b46e095ceb3cd56975c27708726d6d07a96c7c58aa3273630bfac596608eb868061655177140aef74e71728cd51427a91a9a36fbb4d4cbb2f1fc3c6c50ddfe

Download Submit
memory/1408-96-0x000000001B9A0000-0x000000001B9B2000-memory.dmp

Filesize
72KB

Download
memory/1964-11-0x000000001BFD0000-0x000000001C4F8000-memory.dmp

Filesize
5.2MB

Download
memory/1964-6-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1964-8-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/1964-12-0x0000000002880000-0x000000000288C000-memory.dmp

Filesize
48KB

Download
memory/1964-0-0x00007FFE95723000-0x00007FFE95725000-memory.dmp

Filesize
8KB

Download
memory/1964-9-0x0000000002830000-0x000000000283C000-memory.dmp

Filesize
48KB

Download
memory/1964-7-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/1964-10-0x0000000002840000-0x0000000002852000-memory.dmp

Filesize
72KB

Download
memory/1964-5-0x0000000000E70000-0x0000000000E80000-memory.dmp

Filesize
64KB

Download
memory/1964-4-0x000000001B780000-0x000000001B7D0000-memory.dmp

Filesize
320KB

Download
memory/1964-91-0x00007FFE95720000-0x00007FFE961E1000-memory.dmp

Filesize
10.8MB

Download
memory/1964-3-0x00000000027F0000-0x000000000280C000-memory.dmp

Filesize
112KB

Download
memory/1964-2-0x00007FFE95720000-0x00007FFE961E1000-memory.dmp

Filesize
10.8MB

Download
memory/1964-1-0x00000000004C0000-0x00000000005BC000-memory.dmp

Filesize
1008KB

Download