dcrat | a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b

Analysis

max time kernel
5s
max time network
1s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Size

1.8MB
MD5

7aeff3c38c61da155b557c651866241d
SHA1

5d17e805d332b43df01153884c040524cc150f4b
SHA256

a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b
SHA512

364ce21ba3427e0951f274b8ac7ba76e9e18877d3a49bd3de1ff24525d0f499f9c2ec2b0336a266852d308bfcb3e02c977c512b0b3917df3e497965fc3b9c72e
SSDEEP

24576:N9US2Qh9vbixa8FAPOZEl2dQE98Kt7fgZizgXVWA1CiFoe9+Qoi8M3wfCI9GfkW2:N9LPOIK5ui8pciKi+QoW3wD9aFuH

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2660	schtasks.exe	30

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCBAD955D5A6824D20BE854E8545731A39.TMP	csc.exe
File created	\??\c:\Windows\System32\_f1q_j.exe	csc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Ease of Access Themes\csrss.exe	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
File created	C:\Windows\Resources\Ease of Access Themes\886983d96e3d3e	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2732	schtasks.exe
2492	schtasks.exe
768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1400	2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	34
PID 2940 wrote to memory of 1400	2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	34
PID 2940 wrote to memory of 1400	2940	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	34
PID 1400 wrote to memory of 692	1400	csc.exe	36
PID 1400 wrote to memory of 692	1400	csc.exe	36
PID 1400 wrote to memory of 692	1400	csc.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
"C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fkhwcfe3\fkhwcfe3.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES816F.tmp" "c:\Windows\System32\CSCBAD955D5A6824D20BE854E8545731A39.TMP"
    3⤵
    PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Ease of Access Themes\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Ease of Access Themes\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES816F.tmp

Filesize
1KB

MD5
12b66486588f143c6a20b6fc0ca5fff7

SHA1
d65175f3105ca02c9447477bed0da6c33889dbf7

SHA256
41fdd1bc634ebaf4bcf0dd0e1dc6df620f0bf7e37d8990aba43bb1e970928610

SHA512
ba8ca723b73c80f33ac94517143bdd6ac648f7e353b1c17b9e272a052f22c6a99972076a9b6c9b9786d25e68e57abee54bb42fb49dbea39666f70461b7bba47d

Download Submit
C:\Windows\Resources\Ease of Access Themes\csrss.exe

Filesize
1.8MB

MD5
7aeff3c38c61da155b557c651866241d

SHA1
5d17e805d332b43df01153884c040524cc150f4b

SHA256
a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b

SHA512
364ce21ba3427e0951f274b8ac7ba76e9e18877d3a49bd3de1ff24525d0f499f9c2ec2b0336a266852d308bfcb3e02c977c512b0b3917df3e497965fc3b9c72e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fkhwcfe3\fkhwcfe3.0.cs

Filesize
384B

MD5
df7d09a698efeb7f05dcd163f949d9ab

SHA1
6ab5fa2c8d7899f62d424c958a3e3d2268bb4fe8

SHA256
9e61157f57733183e813c223152e639612214166f562fa863028011563df1d56

SHA512
2b6b71485a865cd194c54a5125a151c3fe65bca898b15af81118cb71edc1276ab1ce4dae15c189f523223b3e0332342d0724531d85e6fadc69f8dece8ddcb960

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fkhwcfe3\fkhwcfe3.cmdline

Filesize
235B

MD5
326ed1fa2d8490406d88337411001d79

SHA1
54dc44a4cc9c5f878e5bc81be3b049fabd695b51

SHA256
afe10725fe26ec8f5a7e5d85e2dd2e4d74a8e2ca036715ec1d60b160d40c4d34

SHA512
834ca5afaca755bf0106fc711ab4addd9e5709e996228cff629295ef50d2b8fcaf2ff8e732006f195f397079f2e3cdab283bdbfef228075442087c1948de7ed4

Download Submit
\??\c:\Windows\System32\CSCBAD955D5A6824D20BE854E8545731A39.TMP

Filesize
1KB

MD5
fccbcfaf29fdccaabada579f7aaf3ae7

SHA1
f9b179b6aab6b96908d89b35aab3f503478a956d

SHA256
e70bc8ad14a70d490fe92ed86e79c40fc133a64428a2781e14514b16d83a9b02

SHA512
ac047b4ba060e72e224c1afdebbdafecbfd705a67cb8f0cd5c82bf7980c2baa23bdb5bf5d821836bc0c426069a61d8e112b45239887d2d81b8a6d4fa839c1e10

Download Submit
memory/2940-13-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/2940-15-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2940-6-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2940-11-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-10-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/2940-0-0x000007FEF66B3000-0x000007FEF66B4000-memory.dmp

Filesize
4KB

Download
memory/2940-16-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-8-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-18-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-7-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-29-0x000007FEF66B3000-0x000007FEF66B4000-memory.dmp

Filesize
4KB

Download
memory/2940-30-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-4-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-3-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-2-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-1-0x0000000000A00000-0x0000000000BDA000-memory.dmp

Filesize
1.9MB

Download