dcrat | 7e71c79883eb025596762b4e0bf86b447039079dfe510ccf13a383b612575fa6

Analysis

max time kernel
104s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e435c9ff25f6dca4a3e7262825aa557.exe
Size

984KB
MD5

3e435c9ff25f6dca4a3e7262825aa557
SHA1

57cb6e337e1c91c2937544fdfa78d3704d2ff408
SHA256

db97ef403b3433d2cae1fc98d893d14e67b83a14e7d8e4e428152fde8d83d934
SHA512

00c0863dc6728e01cddb5c605d1210c0d1c2b7bf7b4e2426f61bb2b6eb4addb102c7ef5d46db693557b3e8dcf4d68a33ddcfe499713666afd05d986b5be9ebe8
SSDEEP

12288:LzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:LzZvuGD2PvA5YxwmbZB6Uv

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	2296	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2296	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	2296	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2296	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	2296	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	2296	schtasks.exe	87

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	3e435c9ff25f6dca4a3e7262825aa557.exe

Executes dropped EXE 1 IoCs

pid	Process
1512	services.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\navshutdown\\RuntimeBroker.exe\""	3e435c9ff25f6dca4a3e7262825aa557.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\services.exe\""	3e435c9ff25f6dca4a3e7262825aa557.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\winlogon.exe\""	3e435c9ff25f6dca4a3e7262825aa557.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\hid\\taskhostw.exe\""	3e435c9ff25f6dca4a3e7262825aa557.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\licensingdiag\\winlogon.exe\""	3e435c9ff25f6dca4a3e7262825aa557.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Default User\\sihost.exe\""	3e435c9ff25f6dca4a3e7262825aa557.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\navshutdown\9e8d7a4ca61bd9	3e435c9ff25f6dca4a3e7262825aa557.exe
File opened for modification	C:\Windows\System32\licensingdiag\RCX7F53.tmp	3e435c9ff25f6dca4a3e7262825aa557.exe
File opened for modification	C:\Windows\System32\navshutdown\RCX837B.tmp	3e435c9ff25f6dca4a3e7262825aa557.exe
File opened for modification	C:\Windows\System32\hid\RCX89F6.tmp	3e435c9ff25f6dca4a3e7262825aa557.exe
File opened for modification	C:\Windows\System32\licensingdiag\winlogon.exe	3e435c9ff25f6dca4a3e7262825aa557.exe
File created	C:\Windows\System32\licensingdiag\cc11b995f2a76d	3e435c9ff25f6dca4a3e7262825aa557.exe
File created	C:\Windows\System32\navshutdown\RuntimeBroker.exe	3e435c9ff25f6dca4a3e7262825aa557.exe
File created	C:\Windows\System32\hid\taskhostw.exe	3e435c9ff25f6dca4a3e7262825aa557.exe
File created	C:\Windows\System32\hid\ea9f0e6c9e2dcd	3e435c9ff25f6dca4a3e7262825aa557.exe
File opened for modification	C:\Windows\System32\navshutdown\RuntimeBroker.exe	3e435c9ff25f6dca4a3e7262825aa557.exe
File opened for modification	C:\Windows\System32\hid\taskhostw.exe	3e435c9ff25f6dca4a3e7262825aa557.exe
File created	C:\Windows\System32\licensingdiag\winlogon.exe	3e435c9ff25f6dca4a3e7262825aa557.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\winlogon.exe	3e435c9ff25f6dca4a3e7262825aa557.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe	3e435c9ff25f6dca4a3e7262825aa557.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\c5b4cb5e9653cc	3e435c9ff25f6dca4a3e7262825aa557.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\winlogon.exe	3e435c9ff25f6dca4a3e7262825aa557.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\cc11b995f2a76d	3e435c9ff25f6dca4a3e7262825aa557.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX8580.tmp	3e435c9ff25f6dca4a3e7262825aa557.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe	3e435c9ff25f6dca4a3e7262825aa557.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX87F2.tmp	3e435c9ff25f6dca4a3e7262825aa557.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	3e435c9ff25f6dca4a3e7262825aa557.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4792	schtasks.exe
2724	schtasks.exe
4476	schtasks.exe
4432	schtasks.exe
4580	schtasks.exe
4552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4352	3e435c9ff25f6dca4a3e7262825aa557.exe
4352	3e435c9ff25f6dca4a3e7262825aa557.exe
4352	3e435c9ff25f6dca4a3e7262825aa557.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	3e435c9ff25f6dca4a3e7262825aa557.exe
Token: SeDebugPrivilege	1512	services.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 4776	4352	3e435c9ff25f6dca4a3e7262825aa557.exe	94
PID 4352 wrote to memory of 4776	4352	3e435c9ff25f6dca4a3e7262825aa557.exe	94
PID 4776 wrote to memory of 3444	4776	cmd.exe	96
PID 4776 wrote to memory of 3444	4776	cmd.exe	96
PID 4776 wrote to memory of 1512	4776	cmd.exe	100
PID 4776 wrote to memory of 1512	4776	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3e435c9ff25f6dca4a3e7262825aa557.exe
"C:\Users\Admin\AppData\Local\Temp\3e435c9ff25f6dca4a3e7262825aa557.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cVFbq3E1J4.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3444
- - C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe
    "C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\licensingdiag\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\navshutdown\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\hid\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\es-ES\winlogon.exe

Filesize
984KB

MD5
3e435c9ff25f6dca4a3e7262825aa557

SHA1
57cb6e337e1c91c2937544fdfa78d3704d2ff408

SHA256
db97ef403b3433d2cae1fc98d893d14e67b83a14e7d8e4e428152fde8d83d934

SHA512
00c0863dc6728e01cddb5c605d1210c0d1c2b7bf7b4e2426f61bb2b6eb4addb102c7ef5d46db693557b3e8dcf4d68a33ddcfe499713666afd05d986b5be9ebe8

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe

Filesize
984KB

MD5
6a4ccd5e0eb3afc38242402f16a066c0

SHA1
0df1305ab91b99b9b3123150e178aa99bf1401c8

SHA256
6e7e6651cc7b819c2ecb066f111a181bc4c56e64e51254b8d324c41dfbbf7d88

SHA512
5358194ead2c255939a8bddbb4ce64774aaf7e2e6ab04dcd3133532e182054c617a9ecd45faeef64f47dec21d65282118a36d89ceed5ec124846d2284cf5ed51

Download Submit
C:\Users\Admin\AppData\Local\Temp\cVFbq3E1J4.bat

Filesize
233B

MD5
fec38b3468416a435960bece94b362af

SHA1
db1c7582a9cd697b8c928a2263185140642b9a77

SHA256
ddd6f7fa8764f10d2e416e86f8a9137bde82cc95b6dc713946976741e8044301

SHA512
e158a300e9f7a2f02cc47ffe0cb29d18294288691cf0395514a95256fd7250aab7ea584007a4297ee27981804fb4e8bc3eec25c3f815f2a1b0108918a1eca441

Download Submit
memory/1512-78-0x0000000000C10000-0x0000000000D0C000-memory.dmp

Filesize
1008KB

Download
memory/4352-5-0x000000001BB30000-0x000000001BB40000-memory.dmp

Filesize
64KB

Download
memory/4352-11-0x000000001C8C0000-0x000000001CDE8000-memory.dmp

Filesize
5.2MB

Download
memory/4352-9-0x000000001C070000-0x000000001C07C000-memory.dmp

Filesize
48KB

Download
memory/4352-7-0x000000001BB50000-0x000000001BB58000-memory.dmp

Filesize
32KB

Download
memory/4352-0-0x00007FFB64BF3000-0x00007FFB64BF5000-memory.dmp

Filesize
8KB

Download
memory/4352-12-0x000000001C110000-0x000000001C11C000-memory.dmp

Filesize
48KB

Download
memory/4352-8-0x000000001C080000-0x000000001C090000-memory.dmp

Filesize
64KB

Download
memory/4352-10-0x000000001C090000-0x000000001C0A2000-memory.dmp

Filesize
72KB

Download
memory/4352-4-0x000000001C0C0000-0x000000001C110000-memory.dmp

Filesize
320KB

Download
memory/4352-3-0x0000000003120000-0x000000000313C000-memory.dmp

Filesize
112KB

Download
memory/4352-6-0x000000001BB40000-0x000000001BB50000-memory.dmp

Filesize
64KB

Download
memory/4352-2-0x00007FFB64BF0000-0x00007FFB656B1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-74-0x00007FFB64BF0000-0x00007FFB656B1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-1-0x0000000000E20000-0x0000000000F1C000-memory.dmp

Filesize
1008KB

Download