dcrat | b8c5e2c8477706f3f54e152443718dcec270889002289aa1730eabc5ba3f312f

Analysis

max time kernel
1s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27603eafb6dd5000efc17b4d67e142aa.exe
Size

999KB
MD5

27603eafb6dd5000efc17b4d67e142aa
SHA1

bb6cfbad15876e4d37a7355618d6d29ab487245a
SHA256

cca55400b39ebc83a4b99277a47d4f83e0af9172b5f8008427ecab55d5c63f67
SHA512

b3aadec99d7c1fab9ded1efe5023537d6675fe16ef18bda9885722ca76cc008ba0676106c559300fbb412351a72aa9c959c524d049e794bd22fa1b418d592661
SSDEEP

12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\dllhost.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Users\\Default\\Favorites\\smss.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	4308	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	4308	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	4308	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	4308	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	4308	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	4308	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	4308	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	4308	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4308	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	4308	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	4308	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	4308	schtasks.exe	86

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Multimedia Platform\\dllhost.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default\\Favorites\\smss.exe\""	27603eafb6dd5000efc17b4d67e142aa.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\dllhost.exe	27603eafb6dd5000efc17b4d67e142aa.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\dllhost.exe	27603eafb6dd5000efc17b4d67e142aa.exe
File created	C:\Program Files\Windows Multimedia Platform\5940a34987c991	27603eafb6dd5000efc17b4d67e142aa.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\System.exe	27603eafb6dd5000efc17b4d67e142aa.exe
File created	C:\Windows\apppatch\27d1bcfc3c54e0	27603eafb6dd5000efc17b4d67e142aa.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5112	schtasks.exe
208	schtasks.exe
976	schtasks.exe
2708	schtasks.exe
3876	schtasks.exe
4040	schtasks.exe
676	schtasks.exe
4820	schtasks.exe
1200	schtasks.exe
516	schtasks.exe
3056	schtasks.exe
3516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4228	27603eafb6dd5000efc17b4d67e142aa.exe
4228	27603eafb6dd5000efc17b4d67e142aa.exe
4228	27603eafb6dd5000efc17b4d67e142aa.exe
4228	27603eafb6dd5000efc17b4d67e142aa.exe
4228	27603eafb6dd5000efc17b4d67e142aa.exe
4228	27603eafb6dd5000efc17b4d67e142aa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	27603eafb6dd5000efc17b4d67e142aa.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\27603eafb6dd5000efc17b4d67e142aa.exe
"C:\Users\Admin\AppData\Local\Temp\27603eafb6dd5000efc17b4d67e142aa.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IFszAWFu0C.bat"
  2⤵
  PID:2344
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1424
- - C:\Windows\apppatch\System.exe
    "C:\Windows\apppatch\System.exe"
    3⤵
    PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONSTART /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Favorites\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONSTART /tr "'C:\Users\Default\Favorites\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc MINUTE /mo 9 /tr "'C:\Windows\apppatch\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\apppatch\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONSTART /tr "'C:\Windows\apppatch\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\apppatch\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IFszAWFu0C.bat

Filesize
194B

MD5
bb42c2af3c2ac45f6232b3642ebf28b1

SHA1
373b785785754a473e479f7c1added0c1d941d08

SHA256
32f7ff50fa97b0953baeb4e35109a95db6745600b2223a991ce80b6ee5a8f7b1

SHA512
a450d1166b0e613bf139ebc82cae225fff2ccb66822cc8433b998c911a40956ff210df5f02c30c08749a54479eaabede4c1aad5028d425e0d3ce17e1628e905d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXEF62.tmp

Filesize
999KB

MD5
27603eafb6dd5000efc17b4d67e142aa

SHA1
bb6cfbad15876e4d37a7355618d6d29ab487245a

SHA256
cca55400b39ebc83a4b99277a47d4f83e0af9172b5f8008427ecab55d5c63f67

SHA512
b3aadec99d7c1fab9ded1efe5023537d6675fe16ef18bda9885722ca76cc008ba0676106c559300fbb412351a72aa9c959c524d049e794bd22fa1b418d592661

Download Submit
C:\Windows\apppatch\System.exe

Filesize
999KB

MD5
3cc8715af6da7ce1843c950e2c0d33b2

SHA1
fe864ba7621903e78dad3604a922b8b3ec56cb11

SHA256
2355d9e606f8a2a3427553d24c180038fd3937a4934a74d3374ef8b5b43bd16a

SHA512
2e03efa91abef7458a58eb6782cb965ba40d5dec19bb2241420d3c9f834be162ee80083bf43073dad10d069d99335afb9154b18acfc7108f4af068022bcdf32c

Download Submit
memory/2728-68-0x0000000000C30000-0x0000000000D30000-memory.dmp

Filesize
1024KB

Download
memory/4228-5-0x000000001AEB0000-0x000000001AEC0000-memory.dmp

Filesize
64KB

Download
memory/4228-4-0x000000001B440000-0x000000001B490000-memory.dmp

Filesize
320KB

Download
memory/4228-7-0x000000001AED0000-0x000000001AEE0000-memory.dmp

Filesize
64KB

Download
memory/4228-6-0x000000001AEC0000-0x000000001AED0000-memory.dmp

Filesize
64KB

Download
memory/4228-10-0x000000001B410000-0x000000001B41C000-memory.dmp

Filesize
48KB

Download
memory/4228-11-0x000000001B420000-0x000000001B42C000-memory.dmp

Filesize
48KB

Download
memory/4228-9-0x000000001B400000-0x000000001B40E000-memory.dmp

Filesize
56KB

Download
memory/4228-8-0x000000001B3F0000-0x000000001B3FC000-memory.dmp

Filesize
48KB

Download
memory/4228-1-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/4228-3-0x000000001AE90000-0x000000001AEAC000-memory.dmp

Filesize
112KB

Download
memory/4228-64-0x00007FFF7E160000-0x00007FFF7EC21000-memory.dmp

Filesize
10.8MB

Download
memory/4228-2-0x00007FFF7E160000-0x00007FFF7EC21000-memory.dmp

Filesize
10.8MB

Download
memory/4228-0-0x00007FFF7E163000-0x00007FFF7E165000-memory.dmp

Filesize
8KB

Download