Overview

overview

10

Static

static

10

DCRatBuild.exe

windows7-x64

10

DCRatBuild.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2025, 22:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    1.1MB

  • MD5

    7a9b75201612cbddbd7306ad838b7702

  • SHA1

    3e933e2963ea93327b484a7fb35edeb8e70b5825

  • SHA256

    a96f478eaccaa6f24f94f782f2e65717ce87a2ed8c6e43bdb48dd9f4d83a5f75

  • SHA512

    2de8b99ff6223c0fe5802aa46a2c8f004ae2d3cf614663861857f360eb78fb93903e5210f8022358416495f18b28b9fe3c2b99c5386b170f36f92c16f818c17a

  • SSDEEP

    24576:U2G/nvxW3Ww0tJjFQ+qTLRr61LjemLSAN0+KleGpi:UbA30RwRXo/NolG

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Bridgemsblockcomponentperf\NlYVQ5qrJ.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5272
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Bridgemsblockcomponentperf\2hJ7Mn5f5Z5JkVq57.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:620
        • C:\Bridgemsblockcomponentperf\componentwebsession.exe
          "C:\Bridgemsblockcomponentperf\componentwebsession.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4840
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J4WjepjhOD.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3836
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4180
              • C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe
                "C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5012
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\WaaSMedicAgent.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\bcastdvr\WaaSMedicAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\WaaSMedicAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Bridgemsblockcomponentperf\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5456
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Bridgemsblockcomponentperf\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4416
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Bridgemsblockcomponentperf\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Bridgemsblockcomponentperf\sysmon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Bridgemsblockcomponentperf\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Bridgemsblockcomponentperf\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4880
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\aff403968f1bfcc42131676322798b50\WaaSMedicAgent.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\WaaSMedicAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\aff403968f1bfcc42131676322798b50\WaaSMedicAgent.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Bridgemsblockcomponentperf\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5732
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Bridgemsblockcomponentperf\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Bridgemsblockcomponentperf\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:6080
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1232
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\f9532e701a889cdd91b8\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:456

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Bridgemsblockcomponentperf\2hJ7Mn5f5Z5JkVq57.bat
      Filesize

      55B

      MD5

      8f7257c5f547039c68750c858b05a0ce

      SHA1

      1c222f1fa6a871cdb8d8bf90ab5d2f8f0b64e0ee

      SHA256

      2d925c9f62648aaf46b91efb3e63e6eb49dbcdbebf85acd9886ce71d001cb504

      SHA512

      eaaf6cd27c1d10afdcefafaa4f488ff0121a966ceb67821fcffac777a27b394a431dac44f953dc868bf8db42e420e8e37ca05717ce65cb711085059dded718af

      Download Submit

    • C:\Bridgemsblockcomponentperf\NlYVQ5qrJ.vbe
      Filesize

      221B

      MD5

      372a1fd5b0a18b5d2c8433868b80409f

      SHA1

      9460aeae733aca6a42a1b45ad5684cab9cbddef5

      SHA256

      e511fb9d01a3955c024250db45725d631ced31d74b96525c11dc46ac79613fa7

      SHA512

      910646531fcb860b91ea656c73a66981eb3c1f10d20e5dbb0fbd4ede6541abae11bd3a18daee519b53cd370f94d0262f51ddca642e6e1af5e7955b824611e278

      Download Submit

    • C:\Bridgemsblockcomponentperf\componentwebsession.exe
      Filesize

      829KB

      MD5

      9ec0d74bdb80b5c29ff2d930c22ba856

      SHA1

      f58ca771c957db21e5fd41c4ea2d0563e3b876c8

      SHA256

      c5750aada53c6a8c0f2214e463e960ac582c2c27a5b4e33bf52fee513b39607c

      SHA512

      1a43ef0e869c7657ae2236164ad09c64a05b1cf94ef44addddcd94015c455ee263f1bf1c3ec24fe44b99d6c8c8f9b746d13b3fe510364670f7c3edf7299367b4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\J4WjepjhOD.bat
      Filesize

      218B

      MD5

      1a49465e7a44d7c5e5805a46e4b9a053

      SHA1

      3c811d06cc90730dbeab2ec71801b06f59dcd3eb

      SHA256

      628e6afec718c71a7177d6e62cfb7092edbb7be638adf17ca404ffa41ae950aa

      SHA512

      95a905ce8ad76dcad8bfdb52f232893be34402bb520c4dfe4c41ae9bfcc7a43a82cff7f0cab345c2be9984eac438057dc4f7c8f69e8c52286693d9e8d8daea00

      Download Submit

    • memory/4840-12-0x00007FF98B623000-0x00007FF98B625000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4840-13-0x0000000000690000-0x0000000000766000-memory.dmp

      Filesize

      856KB

      Download