dcrat | a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b

Analysis

max time kernel
3s
max time network
1s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Size

1.8MB
MD5

7aeff3c38c61da155b557c651866241d
SHA1

5d17e805d332b43df01153884c040524cc150f4b
SHA256

a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b
SHA512

364ce21ba3427e0951f274b8ac7ba76e9e18877d3a49bd3de1ff24525d0f499f9c2ec2b0336a266852d308bfcb3e02c977c512b0b3917df3e497965fc3b9c72e
SSDEEP

24576:N9US2Qh9vbixa8FAPOZEl2dQE98Kt7fgZizgXVWA1CiFoe9+Qoi8M3wfCI9GfkW2:N9LPOIK5ui8pciKi+QoW3wD9aFuH

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2728	schtasks.exe	30

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC60D1818450F44D4FAD6D7794DF710C.TMP	csc.exe
File created	\??\c:\Windows\System32\qmeprf.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\OSPPSVC.exe	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
File created	C:\Program Files\MSBuild\Microsoft\1610b97d3ab4a7	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
File created	C:\Program Files\Windows Defender\fr-FR\dllhost.exe	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
File created	C:\Program Files\Windows Defender\fr-FR\5940a34987c991	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2528	schtasks.exe
2608	schtasks.exe
1996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 3056	2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	34
PID 2496 wrote to memory of 3056	2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	34
PID 2496 wrote to memory of 3056	2496	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	34
PID 3056 wrote to memory of 2920	3056	csc.exe	36
PID 3056 wrote to memory of 2920	3056	csc.exe	36
PID 3056 wrote to memory of 2920	3056	csc.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
"C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qt4u4frz\qt4u4frz.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24DF.tmp" "c:\Windows\System32\CSC60D1818450F44D4FAD6D7794DF710C.TMP"
    3⤵
    PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe

Filesize
1.8MB

MD5
7aeff3c38c61da155b557c651866241d

SHA1
5d17e805d332b43df01153884c040524cc150f4b

SHA256
a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b

SHA512
364ce21ba3427e0951f274b8ac7ba76e9e18877d3a49bd3de1ff24525d0f499f9c2ec2b0336a266852d308bfcb3e02c977c512b0b3917df3e497965fc3b9c72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES24DF.tmp

Filesize
1KB

MD5
d6a3551df599f190bbbb0eb6e692260e

SHA1
662244c67d55550ba9bb3594a99551595510f75f

SHA256
43185b2e6507ef45bbfada48da7bea52d300bb60713845efa12830704b50775d

SHA512
e58f247077afff79d97ed54db420c187a19c96ccc6d2600836c1255d43c46a7183c0280ffdbc409785ad81bb875ea7faabeb1e0cc80e45d04fc8c9e4dc0db7b2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qt4u4frz\qt4u4frz.0.cs

Filesize
407B

MD5
59b15668d71ec72f09e485e24aa452c7

SHA1
a6e08e00715042d40270dc527ef5a66226e7fcfa

SHA256
215a09649d9d3834e395169d919878919a81858e292e4d3a3b8aeb77ee276939

SHA512
fc0299ce9463b73bdbd29c234d7472b2ee69f7a772e0d4182e2aeeb07d25eab80859dc52ebae3432efd4bdde8bc0a471582347cdbc2620f7c42ef6cdcc97490a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qt4u4frz\qt4u4frz.cmdline

Filesize
235B

MD5
5036e77fe097dc08acab0ab8ca2f88a2

SHA1
e8eef7b615cd1134aebd0913679e7fceeee96f03

SHA256
08bd658d2388bad5f0c6efc30834558f809ac8885876ee9f3412b4c38bb68e40

SHA512
6ec971dec115fb2fd34591be84daba2156379dcdbe54d8bb9bdb4833c953b7a99848f7a48e31c9788c566485c393924f732fff237e9b6d8e46b144cb42ee0105

Download Submit
\??\c:\Windows\System32\CSC60D1818450F44D4FAD6D7794DF710C.TMP

Filesize
1KB

MD5
167c870490dc33ec13a83ebb533b1bf6

SHA1
182378ebfa7c8372a988dee50a7dd6f8cda6a367

SHA256
3f742a374ad5a8da8fba9dfea27c7382dde145d46732cfc0002a53a1311df5e6

SHA512
1b48bb5f270f5d99d9dd98cd9da5866aed9377957d92bf1d686878522c438b38a444073c1a0ed4cc85f97315d2ef6abf05b74ab2265fecb20be5795b2ccef64e

Download Submit
memory/2496-10-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2496-13-0x00000000002F0000-0x0000000000308000-memory.dmp

Filesize
96KB

Download
memory/2496-8-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-0-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp

Filesize
4KB

Download
memory/2496-11-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-15-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/2496-16-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-7-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-6-0x00000000002A0000-0x00000000002AE000-memory.dmp

Filesize
56KB

Download
memory/2496-28-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-4-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-3-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-2-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-1-0x0000000001390000-0x000000000156A000-memory.dmp

Filesize
1.9MB

Download