dcrat | 525209de288e36bab56d3a19446249ffd067c8757b5d5870daa6a782b9567e74

Analysis

max time kernel
131s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c79c2f450da5e97631c33ddce170bb4.exe
Size

999KB
MD5

6c79c2f450da5e97631c33ddce170bb4
SHA1

b0356c1821709ae9a5fd99e6573125fc8b58f2b4
SHA256

152965f868c6784be4f3845d34c32e9159566067bd8a7265d57c7a7003c24c75
SHA512

1372d8e9aced9e4f6e1ae0f7ec503e7e956028f59ec3ee7b9e5109938e8683d8eaae2a82b729640d21164a12b2cbeed2cf991d5c1feaa8bda2ece21887b1a757
SSDEEP

12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\dfe2e59cddd00040f555dab607351a1d\\unsecapp.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\dfe2e59cddd00040f555dab607351a1d\\unsecapp.exe\", \"C:\\Users\\Default\\PrintHood\\SearchApp.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\dfe2e59cddd00040f555dab607351a1d\\unsecapp.exe\", \"C:\\Users\\Default\\PrintHood\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\dfe2e59cddd00040f555dab607351a1d\\unsecapp.exe\", \"C:\\Users\\Default\\PrintHood\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\6c79c2f450da5e97631c33ddce170bb4.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe

Process spawned unexpected child process 16 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	3424	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	3424	schtasks.exe	87

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	6c79c2f450da5e97631c33ddce170bb4.exe

Executes dropped EXE 1 IoCs

pid	Process
1860	6c79c2f450da5e97631c33ddce170bb4.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\dfe2e59cddd00040f555dab607351a1d\\unsecapp.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\Default\\PrintHood\\SearchApp.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c79c2f450da5e97631c33ddce170bb4 = "\"C:\\Recovery\\WindowsRE\\6c79c2f450da5e97631c33ddce170bb4.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	6c79c2f450da5e97631c33ddce170bb4.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2452	schtasks.exe
4940	schtasks.exe
2472	schtasks.exe
4928	schtasks.exe
4412	schtasks.exe
4016	schtasks.exe
2340	schtasks.exe
4608	schtasks.exe
5032	schtasks.exe
4560	schtasks.exe
3980	schtasks.exe
3852	schtasks.exe
1080	schtasks.exe
788	schtasks.exe
2460	schtasks.exe
3848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1968	6c79c2f450da5e97631c33ddce170bb4.exe
1968	6c79c2f450da5e97631c33ddce170bb4.exe
1968	6c79c2f450da5e97631c33ddce170bb4.exe
1968	6c79c2f450da5e97631c33ddce170bb4.exe
1968	6c79c2f450da5e97631c33ddce170bb4.exe
1968	6c79c2f450da5e97631c33ddce170bb4.exe
1968	6c79c2f450da5e97631c33ddce170bb4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	6c79c2f450da5e97631c33ddce170bb4.exe
Token: SeDebugPrivilege	1860	6c79c2f450da5e97631c33ddce170bb4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 5056	1968	6c79c2f450da5e97631c33ddce170bb4.exe	104
PID 1968 wrote to memory of 5056	1968	6c79c2f450da5e97631c33ddce170bb4.exe	104
PID 5056 wrote to memory of 2044	5056	cmd.exe	106
PID 5056 wrote to memory of 2044	5056	cmd.exe	106
PID 5056 wrote to memory of 1860	5056	cmd.exe	107
PID 5056 wrote to memory of 1860	5056	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c79c2f450da5e97631c33ddce170bb4.exe
"C:\Users\Admin\AppData\Local\Temp\6c79c2f450da5e97631c33ddce170bb4.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ecvseUlTjF.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2044
- - C:\Recovery\WindowsRE\6c79c2f450da5e97631c33ddce170bb4.exe
    "C:\Recovery\WindowsRE\6c79c2f450da5e97631c33ddce170bb4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc MINUTE /mo 9 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONSTART /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONSTART /tr "'C:\Users\Default\PrintHood\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONSTART /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c79c2f450da5e97631c33ddce170bb4" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\6c79c2f450da5e97631c33ddce170bb4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c79c2f450da5e97631c33ddce170bb4" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\6c79c2f450da5e97631c33ddce170bb4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c79c2f450da5e97631c33ddce170bb4" /sc ONSTART /tr "'C:\Recovery\WindowsRE\6c79c2f450da5e97631c33ddce170bb4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c79c2f450da5e97631c33ddce170bb46" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\6c79c2f450da5e97631c33ddce170bb4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\sihost.exe

Filesize
999KB

MD5
cffed27d04ca985f9c292f38cf87a0bd

SHA1
0f8536fb9838e17c8da6de513731885904997eb6

SHA256
86c7de9725da7c3f33b5fc2cacd68df1f18e6c13f7c6b48d5bfe9206f3047856

SHA512
a95ff75cf44aaa229b9b297ec91599630f4800987efc43a049cbbcd2442dbf96495ed7af1e38af9e3b2ab69b9605641e5ed863f22d105143b3f7706970760874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6c79c2f450da5e97631c33ddce170bb4.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX660E.tmp

Filesize
999KB

MD5
6c79c2f450da5e97631c33ddce170bb4

SHA1
b0356c1821709ae9a5fd99e6573125fc8b58f2b4

SHA256
152965f868c6784be4f3845d34c32e9159566067bd8a7265d57c7a7003c24c75

SHA512
1372d8e9aced9e4f6e1ae0f7ec503e7e956028f59ec3ee7b9e5109938e8683d8eaae2a82b729640d21164a12b2cbeed2cf991d5c1feaa8bda2ece21887b1a757

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecvseUlTjF.bat

Filesize
222B

MD5
006e9ca28c82a2276f7115e75f1ea6cb

SHA1
9be54e2cf2cc866ad30d604921961363f3793e5a

SHA256
5fe56db9581353ce436e1990c77da1d416e13bcbdb13432082369f61694b6d2d

SHA512
99946e4fd49380fd5be55cbf132d4f330fdfbc1a4f479a4172f63c2ecdc8c03d4b00e5c0781d07ebce016de871593e24f7ca48772ab11190df4d7ed43f759b82

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\SearchApp.exe

Filesize
999KB

MD5
389a3f66abfeff9ab16506e469e659fc

SHA1
962f3760ea1fe93d93f452b565a0f3c63ebe431c

SHA256
9e18dcadcea35d907195bdec0592bb02a7f6e05b70b87a252d1f967d672b6682

SHA512
d52fd60d2ac37e830f585b617ef85797b6b646c451f52b485284facd00e50c7d2efd958f81684ada4b153d6a83f71cf344711ca788799714a7a0b4cc554243a6

Download Submit
memory/1968-4-0x000000001B730000-0x000000001B780000-memory.dmp

Filesize
320KB

Download
memory/1968-7-0x000000001B160000-0x000000001B170000-memory.dmp

Filesize
64KB

Download
memory/1968-6-0x000000001B150000-0x000000001B160000-memory.dmp

Filesize
64KB

Download
memory/1968-8-0x000000001B170000-0x000000001B17C000-memory.dmp

Filesize
48KB

Download
memory/1968-10-0x000000001B6F0000-0x000000001B6FC000-memory.dmp

Filesize
48KB

Download
memory/1968-9-0x000000001B6E0000-0x000000001B6EE000-memory.dmp

Filesize
56KB

Download
memory/1968-11-0x000000001B700000-0x000000001B70C000-memory.dmp

Filesize
48KB

Download
memory/1968-5-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/1968-0-0x00007FFD9AE13000-0x00007FFD9AE15000-memory.dmp

Filesize
8KB

Download
memory/1968-3-0x00000000026F0000-0x000000000270C000-memory.dmp

Filesize
112KB

Download
memory/1968-2-0x00007FFD9AE10000-0x00007FFD9B8D1000-memory.dmp

Filesize
10.8MB

Download
memory/1968-78-0x00007FFD9AE10000-0x00007FFD9B8D1000-memory.dmp

Filesize
10.8MB

Download
memory/1968-1-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download