dcrat | a1ddae9574bbeadd40b789fc8c7719b47c0d4bd8ed93abbd1d07f7e866ac40a6

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99bf8880724cd8aa8da8dcf4b716be4b.exe
Size

984KB
MD5

99bf8880724cd8aa8da8dcf4b716be4b
SHA1

e680337915c7a5a85de7f89ec9bf5455cf3bc75f
SHA256

da677897f339e128512b323a559ed62e782b2115237bb1a0a8bd1092c2d5723f
SHA512

05f82864179d4cbe15cf474001c1696b3a7a9d705864a14d41254a04bc9c56c87804a508d3f139f3db8297b0c50f9bbe2358552a2a0e5218f41bb245abb87c9b
SSDEEP

12288:zzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:zzZvuGD2PvA5YxwmbZB6Uv

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 10 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
File created	C:\Windows\System32\msdatsrc\dwm.exe		99bf8880724cd8aa8da8dcf4b716be4b.exe
File created	C:\Windows\System32\msdatsrc\6cb0b6c459d5d3		99bf8880724cd8aa8da8dcf4b716be4b.exe
		2012	schtasks.exe
		2292	schtasks.exe
		2532	schtasks.exe
		2768	schtasks.exe
		2284	schtasks.exe
		2808	schtasks.exe
		2696	schtasks.exe
		2872	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1912	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1912	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1912	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	1912	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1912	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1912	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1912	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1912	schtasks.exe	31

Executes dropped EXE 2 IoCs

pid	Process
2076	99bf8880724cd8aa8da8dcf4b716be4b.exe
2912	winlogon.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\msdatsrc\\dwm.exe\""	99bf8880724cd8aa8da8dcf4b716be4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\simpdata\\smss.exe\""	99bf8880724cd8aa8da8dcf4b716be4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\taskhost.exe\""	99bf8880724cd8aa8da8dcf4b716be4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\hcproviders\\dwm.exe\""	99bf8880724cd8aa8da8dcf4b716be4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Documents and Settings\\winlogon.exe\""	99bf8880724cd8aa8da8dcf4b716be4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\bcdboot\\dllhost.exe\""	99bf8880724cd8aa8da8dcf4b716be4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\1033\\audiodg.exe\""	99bf8880724cd8aa8da8dcf4b716be4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\WMVXENCD\\services.exe\""	99bf8880724cd8aa8da8dcf4b716be4b.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\System32\simpdata\69ddcba757bf72	99bf8880724cd8aa8da8dcf4b716be4b.exe
File opened for modification	C:\Windows\System32\simpdata\smss.exe	99bf8880724cd8aa8da8dcf4b716be4b.exe
File created	C:\Windows\System32\hcproviders\dwm.exe	99bf8880724cd8aa8da8dcf4b716be4b.exe
File created	C:\Windows\System32\bcdboot\5940a34987c991	99bf8880724cd8aa8da8dcf4b716be4b.exe
File created	C:\Windows\System32\msdatsrc\dwm.exe	99bf8880724cd8aa8da8dcf4b716be4b.exe
File opened for modification	C:\Windows\System32\msdatsrc\RCXF0D5.tmp	99bf8880724cd8aa8da8dcf4b716be4b.exe
File opened for modification	C:\Windows\System32\simpdata\RCXF366.tmp	99bf8880724cd8aa8da8dcf4b716be4b.exe
File opened for modification	C:\Windows\System32\hcproviders\dwm.exe	99bf8880724cd8aa8da8dcf4b716be4b.exe
File created	C:\Windows\System32\hcproviders\6cb0b6c459d5d3	99bf8880724cd8aa8da8dcf4b716be4b.exe
File created	C:\Windows\System32\WMVXENCD\c5b4cb5e9653cc	99bf8880724cd8aa8da8dcf4b716be4b.exe
File opened for modification	C:\Windows\System32\WMVXENCD\services.exe	99bf8880724cd8aa8da8dcf4b716be4b.exe
File created	C:\Windows\System32\msdatsrc\6cb0b6c459d5d3	99bf8880724cd8aa8da8dcf4b716be4b.exe
File created	C:\Windows\System32\WMVXENCD\services.exe	99bf8880724cd8aa8da8dcf4b716be4b.exe
File opened for modification	C:\Windows\System32\msdatsrc\dwm.exe	99bf8880724cd8aa8da8dcf4b716be4b.exe
File created	C:\Windows\System32\simpdata\smss.exe	99bf8880724cd8aa8da8dcf4b716be4b.exe
File created	C:\Windows\System32\bcdboot\dllhost.exe	99bf8880724cd8aa8da8dcf4b716be4b.exe
File opened for modification	C:\Windows\System32\bcdboot\dllhost.exe	99bf8880724cd8aa8da8dcf4b716be4b.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\audiodg.exe	99bf8880724cd8aa8da8dcf4b716be4b.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\42af1c969fbb7b	99bf8880724cd8aa8da8dcf4b716be4b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\audiodg.exe	99bf8880724cd8aa8da8dcf4b716be4b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2808	schtasks.exe
2696	schtasks.exe
2012	schtasks.exe
2872	schtasks.exe
2292	schtasks.exe
2532	schtasks.exe
2768	schtasks.exe
2284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2324	99bf8880724cd8aa8da8dcf4b716be4b.exe
2076	99bf8880724cd8aa8da8dcf4b716be4b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	99bf8880724cd8aa8da8dcf4b716be4b.exe
Token: SeDebugPrivilege	2076	99bf8880724cd8aa8da8dcf4b716be4b.exe
Token: SeDebugPrivilege	2912	winlogon.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2556	2324	99bf8880724cd8aa8da8dcf4b716be4b.exe	35
PID 2324 wrote to memory of 2556	2324	99bf8880724cd8aa8da8dcf4b716be4b.exe	35
PID 2324 wrote to memory of 2556	2324	99bf8880724cd8aa8da8dcf4b716be4b.exe	35
PID 2556 wrote to memory of 3060	2556	cmd.exe	37
PID 2556 wrote to memory of 3060	2556	cmd.exe	37
PID 2556 wrote to memory of 3060	2556	cmd.exe	37
PID 2556 wrote to memory of 2076	2556	cmd.exe	38
PID 2556 wrote to memory of 2076	2556	cmd.exe	38
PID 2556 wrote to memory of 2076	2556	cmd.exe	38
PID 2076 wrote to memory of 2000	2076	99bf8880724cd8aa8da8dcf4b716be4b.exe	44
PID 2076 wrote to memory of 2000	2076	99bf8880724cd8aa8da8dcf4b716be4b.exe	44
PID 2076 wrote to memory of 2000	2076	99bf8880724cd8aa8da8dcf4b716be4b.exe	44
PID 2000 wrote to memory of 2908	2000	cmd.exe	46
PID 2000 wrote to memory of 2908	2000	cmd.exe	46
PID 2000 wrote to memory of 2908	2000	cmd.exe	46
PID 2000 wrote to memory of 2912	2000	cmd.exe	47
PID 2000 wrote to memory of 2912	2000	cmd.exe	47
PID 2000 wrote to memory of 2912	2000	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\99bf8880724cd8aa8da8dcf4b716be4b.exe
"C:\Users\Admin\AppData\Local\Temp\99bf8880724cd8aa8da8dcf4b716be4b.exe"
1⤵
- DcRat
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mphSBFwIAh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3060
- - C:\Users\Admin\AppData\Local\Temp\99bf8880724cd8aa8da8dcf4b716be4b.exe
    "C:\Users\Admin\AppData\Local\Temp\99bf8880724cd8aa8da8dcf4b716be4b.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DodJkl36Pl.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2908
    - - C:\Documents and Settings\winlogon.exe
        
        "C:\Documents and Settings\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\msdatsrc\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\simpdata\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\hcproviders\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Documents and Settings\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\bcdboot\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\WMVXENCD\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DodJkl36Pl.bat

Filesize
202B

MD5
9ab51d9606f81c0eb52184e6f12c4f27

SHA1
9bb9589c1622306d075e6841738beb85fd6ac5c0

SHA256
aa17af06c0481374f70c4fa9f8f8139d151884694a8ef37965017038b795940a

SHA512
286f00ac1db954757b72bfd40d3bd5c8ca0c72bd1e2913cbfffc5473a76f205ac347f5099cb07ea1764af4ec505e97d5521b7a1bde73760ff247381a78a46f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\mphSBFwIAh.bat

Filesize
234B

MD5
cff98dd36e5290a054b03bd8d2a64f3c

SHA1
acd5f5ff4cb64e42a6c0032b65f37bf12d2b49f5

SHA256
1db151f5816633c66a3a381650b9db1179d3acf7b7f9c4498d8fdadd2d4cb976

SHA512
48abaa1dc8caac2b67373f4c882f22a1c9cb77ba53fd0ff34a84689415bdadcc5f62a0f95a38d4507539c4ae16a1652aea502a3134cee80480f0f52f11409c1b

Download Submit
C:\Windows\System32\msdatsrc\dwm.exe

Filesize
984KB

MD5
99bf8880724cd8aa8da8dcf4b716be4b

SHA1
e680337915c7a5a85de7f89ec9bf5455cf3bc75f

SHA256
da677897f339e128512b323a559ed62e782b2115237bb1a0a8bd1092c2d5723f

SHA512
05f82864179d4cbe15cf474001c1696b3a7a9d705864a14d41254a04bc9c56c87804a508d3f139f3db8297b0c50f9bbe2358552a2a0e5218f41bb245abb87c9b

Download Submit
memory/2076-48-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2076-47-0x00000000012D0000-0x00000000013CC000-memory.dmp

Filesize
1008KB

Download
memory/2324-8-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/2324-6-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/2324-7-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2324-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/2324-9-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2324-10-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2324-5-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2324-44-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-4-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/2324-3-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/2324-2-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-1-0x0000000000AF0000-0x0000000000BEC000-memory.dmp

Filesize
1008KB

Download
memory/2912-76-0x0000000000A60000-0x0000000000B5C000-memory.dmp

Filesize
1008KB

Download