dcrat | 5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8

Analysis

max time kernel
102s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35459ca7521a8565cf4acaadd346537b.exe
Size

984KB
MD5

35459ca7521a8565cf4acaadd346537b
SHA1

c22ce5beb121ecbba910dec28dedc0781d379524
SHA256

9622708341e5ac35563f5f258ae7736ad0a9f3c5875cfbf6e4570778b2e2c8bb
SHA512

691dc64caeb7a892b54c970f5d750a47a525004b162994c7e71eefbd4821c5c65961b2bbf08c356799e005de7c258fede7058cc3cc7f939f5ce1cd4ba40becd1
SSDEEP

12288:LzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:LzZvuGD2PvA5YxwmbZB6Uv

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 11 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		5728	schtasks.exe
		2300	schtasks.exe
		4060	schtasks.exe
File created	C:\Windows\System32\Microsoft.Uev.ModernAppAgent\e1ef82546f0b02		35459ca7521a8565cf4acaadd346537b.exe
		3104	schtasks.exe
		4948	schtasks.exe
		3592	schtasks.exe
		3092	schtasks.exe
		3116	schtasks.exe
		1380	schtasks.exe
		2460	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	2912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	2912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5728	2912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	2912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	2912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	2912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	2912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2912	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2912	schtasks.exe	87

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	35459ca7521a8565cf4acaadd346537b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	35459ca7521a8565cf4acaadd346537b.exe

Executes dropped EXE 2 IoCs

pid	Process
3764	35459ca7521a8565cf4acaadd346537b.exe
5188	lsass.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\WsmSvc\\dllhost.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\C_28597\\winlogon.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\PowerPolicyProvider\\unsecapp.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\dot3gpui\\fontdrvhost.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\ExSMime\\taskhostw.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\Microsoft.Uev.ModernAppAgent\\SppExtComObj.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\C_10003\\RuntimeBroker.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\win\\explorer.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Videos\\wininit.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\d2d1\\lsass.exe\""	35459ca7521a8565cf4acaadd346537b.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File created	C:\Windows\System32\WsmSvc\5940a34987c991	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\C_28597\winlogon.exe	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\C_10003\RCX8EB7.tmp	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\wbem\PowerPolicyProvider\unsecapp.exe	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\d2d1\6203df4a6bafc7	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\Microsoft.Uev.ModernAppAgent\SppExtComObj.exe	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\C_28597\cc11b995f2a76d	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\wbem\PowerPolicyProvider\unsecapp.exe	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\C_28597\RCX8CB2.tmp	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\C_10003\RuntimeBroker.exe	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\dot3gpui\5b884080fd4f94	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\Microsoft.Uev.ModernAppAgent\e1ef82546f0b02	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\C_10003\9e8d7a4ca61bd9	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\WsmSvc\dllhost.exe	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\ExSMime\ea9f0e6c9e2dcd	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\Microsoft.Uev.ModernAppAgent\RCX88A9.tmp	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\Microsoft.Uev.ModernAppAgent\SppExtComObj.exe	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\WsmSvc\dllhost.exe	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\wbem\PowerPolicyProvider\29c1c3cc0f7685	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\d2d1\lsass.exe	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\ExSMime\taskhostw.exe	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\WsmSvc\RCX8AAE.tmp	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\dot3gpui\fontdrvhost.exe	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\d2d1\lsass.exe	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\ExSMime\taskhostw.exe	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\C_28597\winlogon.exe	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\C_10003\RuntimeBroker.exe	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\wbem\PowerPolicyProvider\RCX932E.tmp	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\dot3gpui\fontdrvhost.exe	35459ca7521a8565cf4acaadd346537b.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\win\explorer.exe	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\win\7a0fd90576e088	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\win\RCX90BC.tmp	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\win\explorer.exe	35459ca7521a8565cf4acaadd346537b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	35459ca7521a8565cf4acaadd346537b.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	35459ca7521a8565cf4acaadd346537b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4948	schtasks.exe
2460	schtasks.exe
2300	schtasks.exe
3104	schtasks.exe
3592	schtasks.exe
1380	schtasks.exe
3116	schtasks.exe
3092	schtasks.exe
5728	schtasks.exe
4060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1312	35459ca7521a8565cf4acaadd346537b.exe
1312	35459ca7521a8565cf4acaadd346537b.exe
1312	35459ca7521a8565cf4acaadd346537b.exe
3764	35459ca7521a8565cf4acaadd346537b.exe
3764	35459ca7521a8565cf4acaadd346537b.exe
3764	35459ca7521a8565cf4acaadd346537b.exe
3764	35459ca7521a8565cf4acaadd346537b.exe
3764	35459ca7521a8565cf4acaadd346537b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	35459ca7521a8565cf4acaadd346537b.exe
Token: SeDebugPrivilege	3764	35459ca7521a8565cf4acaadd346537b.exe
Token: SeDebugPrivilege	5188	lsass.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 3764	1312	35459ca7521a8565cf4acaadd346537b.exe	98
PID 1312 wrote to memory of 3764	1312	35459ca7521a8565cf4acaadd346537b.exe	98
PID 3764 wrote to memory of 5700	3764	35459ca7521a8565cf4acaadd346537b.exe	104
PID 3764 wrote to memory of 5700	3764	35459ca7521a8565cf4acaadd346537b.exe	104
PID 5700 wrote to memory of 408	5700	cmd.exe	106
PID 5700 wrote to memory of 408	5700	cmd.exe	106
PID 5700 wrote to memory of 5188	5700	cmd.exe	109
PID 5700 wrote to memory of 5188	5700	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\35459ca7521a8565cf4acaadd346537b.exe
"C:\Users\Admin\AppData\Local\Temp\35459ca7521a8565cf4acaadd346537b.exe"
1⤵
- DcRat
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\35459ca7521a8565cf4acaadd346537b.exe
  "C:\Users\Admin\AppData\Local\Temp\35459ca7521a8565cf4acaadd346537b.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\49Q9cyPin3.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5700
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:408
  - - C:\Windows\System32\d2d1\lsass.exe
      "C:\Windows\System32\d2d1\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\Microsoft.Uev.ModernAppAgent\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\WsmSvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\C_28597\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\C_10003\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\win\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\PowerPolicyProvider\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\dot3gpui\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\d2d1\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\ExSMime\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\35459ca7521a8565cf4acaadd346537b.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\49Q9cyPin3.bat

Filesize
198B

MD5
ae9254cb3d83c4af5eae743b1af655ab

SHA1
979bacb713ece05d2ac36f86cb77f50f552f8090

SHA256
067ea9042fe76707959f0b0411006b73237082d2fb6f54281b17546aa8e390ad

SHA512
42afe1251d085bf00a47d8f589a46c180c9d597a242fe66690e8879986a4634a5cc7674b2226cb7d57d5505ce6c765d6bfe399fb88a5426d47abe0145dfc2bd7

Download Submit
C:\Windows\win\explorer.exe

Filesize
984KB

MD5
35459ca7521a8565cf4acaadd346537b

SHA1
c22ce5beb121ecbba910dec28dedc0781d379524

SHA256
9622708341e5ac35563f5f258ae7736ad0a9f3c5875cfbf6e4570778b2e2c8bb

SHA512
691dc64caeb7a892b54c970f5d750a47a525004b162994c7e71eefbd4821c5c65961b2bbf08c356799e005de7c258fede7058cc3cc7f939f5ce1cd4ba40becd1

Download Submit
memory/1312-6-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/1312-10-0x000000001B3A0000-0x000000001B3B2000-memory.dmp

Filesize
72KB

Download
memory/1312-4-0x000000001B3E0000-0x000000001B430000-memory.dmp

Filesize
320KB

Download
memory/1312-7-0x000000001AE60000-0x000000001AE68000-memory.dmp

Filesize
32KB

Download
memory/1312-8-0x000000001AE70000-0x000000001AE80000-memory.dmp

Filesize
64KB

Download
memory/1312-0-0x00007FFCD28A3000-0x00007FFCD28A5000-memory.dmp

Filesize
8KB

Download
memory/1312-9-0x000000001B390000-0x000000001B39C000-memory.dmp

Filesize
48KB

Download
memory/1312-5-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/1312-11-0x000000001BBE0000-0x000000001C108000-memory.dmp

Filesize
5.2MB

Download
memory/1312-12-0x000000001B3D0000-0x000000001B3DC000-memory.dmp

Filesize
48KB

Download
memory/1312-3-0x000000001AE40000-0x000000001AE5C000-memory.dmp

Filesize
112KB

Download
memory/1312-2-0x00007FFCD28A0000-0x00007FFCD3361000-memory.dmp

Filesize
10.8MB

Download
memory/1312-71-0x00007FFCD28A0000-0x00007FFCD3361000-memory.dmp

Filesize
10.8MB

Download
memory/1312-1-0x0000000000130000-0x000000000022C000-memory.dmp

Filesize
1008KB

Download
memory/5188-96-0x000000001CB60000-0x000000001CB72000-memory.dmp

Filesize
72KB

Download