dcrat | 5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35459ca7521a8565cf4acaadd346537b.exe
Size

984KB
MD5

35459ca7521a8565cf4acaadd346537b
SHA1

c22ce5beb121ecbba910dec28dedc0781d379524
SHA256

9622708341e5ac35563f5f258ae7736ad0a9f3c5875cfbf6e4570778b2e2c8bb
SHA512

691dc64caeb7a892b54c970f5d750a47a525004b162994c7e71eefbd4821c5c65961b2bbf08c356799e005de7c258fede7058cc3cc7f939f5ce1cd4ba40becd1
SSDEEP

12288:LzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:LzZvuGD2PvA5YxwmbZB6Uv

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2764	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2764	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2764	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2764	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2764	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2764	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2764	schtasks.exe	30

Executes dropped EXE 1 IoCs

pid	Process
1204	services.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\smss.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\Replicate\\Security\\explorer.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\iscsidsc\\sppsvc.exe\""	35459ca7521a8565cf4acaadd346537b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\Eap3Host\\csrss.exe\""	35459ca7521a8565cf4acaadd346537b.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\Eap3Host\csrss.exe	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\Eap3Host\csrss.exe	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\Eap3Host\886983d96e3d3e	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\iscsidsc\sppsvc.exe	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Windows\System32\iscsidsc\0a1fd5f707cd16	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\Eap3Host\RCXC6F8.tmp	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\iscsidsc\RCXD37C.tmp	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Windows\System32\iscsidsc\sppsvc.exe	35459ca7521a8565cf4acaadd346537b.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe	35459ca7521a8565cf4acaadd346537b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\1610b97d3ab4a7	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\RCXCD03.tmp	35459ca7521a8565cf4acaadd346537b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe	35459ca7521a8565cf4acaadd346537b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2644	schtasks.exe
2464	schtasks.exe
1900	schtasks.exe
2624	schtasks.exe
2864	schtasks.exe
2932	schtasks.exe
2868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2916	35459ca7521a8565cf4acaadd346537b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	35459ca7521a8565cf4acaadd346537b.exe
Token: SeDebugPrivilege	1204	services.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2364	2916	35459ca7521a8565cf4acaadd346537b.exe	39
PID 2916 wrote to memory of 2364	2916	35459ca7521a8565cf4acaadd346537b.exe	39
PID 2916 wrote to memory of 2364	2916	35459ca7521a8565cf4acaadd346537b.exe	39
PID 2364 wrote to memory of 2900	2364	cmd.exe	41
PID 2364 wrote to memory of 2900	2364	cmd.exe	41
PID 2364 wrote to memory of 2900	2364	cmd.exe	41
PID 2364 wrote to memory of 1204	2364	cmd.exe	42
PID 2364 wrote to memory of 1204	2364	cmd.exe	42
PID 2364 wrote to memory of 1204	2364	cmd.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\35459ca7521a8565cf4acaadd346537b.exe
"C:\Users\Admin\AppData\Local\Temp\35459ca7521a8565cf4acaadd346537b.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38w6VOndbU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2900
- - C:\Documents and Settings\services.exe
    "C:\Documents and Settings\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\Eap3Host\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\iscsidsc\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\explorer.exe

Filesize
984KB

MD5
35459ca7521a8565cf4acaadd346537b

SHA1
c22ce5beb121ecbba910dec28dedc0781d379524

SHA256
9622708341e5ac35563f5f258ae7736ad0a9f3c5875cfbf6e4570778b2e2c8bb

SHA512
691dc64caeb7a892b54c970f5d750a47a525004b162994c7e71eefbd4821c5c65961b2bbf08c356799e005de7c258fede7058cc3cc7f939f5ce1cd4ba40becd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\38w6VOndbU.bat

Filesize
202B

MD5
bc452b1563bd271a706481e424bd3794

SHA1
3c45dbe1c34afe965c7f4a0b913d9f4d78e4b298

SHA256
d87cd89c4dd7c3aed2169b3d187898383f438b96e4f5afe2e59abeb953a98d6b

SHA512
cc381452cb670bde10384d81d18a2f9561ab0dbc12084f70920487c132b2f702c03062fb9c013ffc6099486c9291c8b726e6252f2e1970c29bd240c81c24434c

Download Submit
memory/1204-84-0x0000000000E40000-0x0000000000F3C000-memory.dmp

Filesize
1008KB

Download
memory/2916-7-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2916-4-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2916-5-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2916-0-0x000007FEF67C3000-0x000007FEF67C4000-memory.dmp

Filesize
4KB

Download
memory/2916-6-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2916-8-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/2916-9-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2916-10-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2916-3-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/2916-80-0x000007FEF67C0000-0x000007FEF71AC000-memory.dmp

Filesize
9.9MB

Download
memory/2916-2-0x000007FEF67C0000-0x000007FEF71AC000-memory.dmp

Filesize
9.9MB

Download
memory/2916-1-0x0000000000360000-0x000000000045C000-memory.dmp

Filesize
1008KB

Download