Overview

overview

10

Static

static

10

DCRatBuild.exe

windows11-21h2-x64

10

Resubmissions

01-07-2024 00:40

240701-az927stfrj 10

01-07-2024 00:39

240701-az1tja1arh 10

Analysis

  • max time kernel
    114s
  • max time network
    156s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    01-07-2024 00:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    1.9MB

  • MD5

    469d978118f1a8de4a1a5bb33bc81a93

  • SHA1

    295ce921008c39f1f3f0ac1e1ccde97ad5c0f12e

  • SHA256

    5b8f511ca8a386c382cd23b305d295ae406a9aae2392f7543de21d5d67c44ced

  • SHA512

    7d71ac9b37d6ca74339e6a7b8b08a72ba72b8f7fedce1ed6d80703eafb31dd4d5e70de4118cf719292cb3de9cb5f84b27b79492b95e890df143e0c5c295cbc44

  • SSDEEP

    49152:UbA307leyidFZE7vBekGuQ/kp129bxWEvd0:UbIyh70kF/p12A

Score
10/10
dcratevasioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Modifies registry key 1 TTPs 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\System32\WindowsUpdater32\3iwoWLhCbD6ud1McRS6K1aYy.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\WindowsUpdater32\PaKX0sN2c4o6GpO5th.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1608
        • C:\Windows\SysWOW64\WindowsUpdater32\WindowsUpdater.exe
          "C:\Windows\System32\WindowsUpdater32\WindowsUpdater.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3424
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:4156
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2264
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      1⤵
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\System32\WindowsUpdater32\3iwoWLhCbD6ud1McRS6K1aYy.vbe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:492
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\WindowsUpdater32\PaKX0sN2c4o6GpO5th.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Windows\SysWOW64\WindowsUpdater32\WindowsUpdater.exe
            "C:\Windows\System32\WindowsUpdater32\WindowsUpdater.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3280
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:2772
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      1⤵
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\System32\WindowsUpdater32\3iwoWLhCbD6ud1McRS6K1aYy.vbe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3520
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\WindowsUpdater32\PaKX0sN2c4o6GpO5th.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Windows\SysWOW64\WindowsUpdater32\WindowsUpdater.exe
            "C:\Windows\System32\WindowsUpdater32\WindowsUpdater.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:244
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:4804
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      1⤵
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\System32\WindowsUpdater32\3iwoWLhCbD6ud1McRS6K1aYy.vbe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\WindowsUpdater32\PaKX0sN2c4o6GpO5th.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1068
          • C:\Windows\SysWOW64\WindowsUpdater32\WindowsUpdater.exe
            "C:\Windows\System32\WindowsUpdater32\WindowsUpdater.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3696
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:1996
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      1⤵
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\System32\WindowsUpdater32\3iwoWLhCbD6ud1McRS6K1aYy.vbe"
        2⤵
          PID:2992
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\WindowsUpdater32\PaKX0sN2c4o6GpO5th.bat" "
            3⤵
              PID:3032
              • C:\Windows\SysWOW64\WindowsUpdater32\WindowsUpdater.exe
                "C:\Windows\System32\WindowsUpdater32\WindowsUpdater.exe"
                4⤵
                  PID:2100
                • C:\Windows\SysWOW64\reg.exe
                  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                  4⤵
                  • Modifies registry key
                  PID:2260
          • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
            "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
            1⤵
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1564
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\System32\WindowsUpdater32\3iwoWLhCbD6ud1McRS6K1aYy.vbe"
              2⤵
                PID:1352
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\WindowsUpdater32\PaKX0sN2c4o6GpO5th.bat" "
                  3⤵
                    PID:1524
                    • C:\Windows\SysWOW64\WindowsUpdater32\WindowsUpdater.exe
                      "C:\Windows\System32\WindowsUpdater32\WindowsUpdater.exe"
                      4⤵
                        PID:5096
                      • C:\Windows\SysWOW64\reg.exe
                        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                        4⤵
                        • Modifies registry key
                        PID:3440
                • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
                  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
                  1⤵
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:4624
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Windows\System32\WindowsUpdater32\3iwoWLhCbD6ud1McRS6K1aYy.vbe"
                    2⤵
                      PID:1272
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\WindowsUpdater32\PaKX0sN2c4o6GpO5th.bat" "
                        3⤵
                          PID:400
                          • C:\Windows\SysWOW64\WindowsUpdater32\WindowsUpdater.exe
                            "C:\Windows\System32\WindowsUpdater32\WindowsUpdater.exe"
                            4⤵
                              PID:3548
                            • C:\Windows\SysWOW64\reg.exe
                              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                              4⤵
                              • Modifies registry key
                              PID:2180
                      • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
                        "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
                        1⤵
                          PID:5036
                          • C:\Windows\SysWOW64\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Windows\System32\WindowsUpdater32\3iwoWLhCbD6ud1McRS6K1aYy.vbe"
                            2⤵
                              PID:772
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\WindowsUpdater32\PaKX0sN2c4o6GpO5th.bat" "
                                3⤵
                                  PID:4064
                                  • C:\Windows\SysWOW64\WindowsUpdater32\WindowsUpdater.exe
                                    "C:\Windows\System32\WindowsUpdater32\WindowsUpdater.exe"
                                    4⤵
                                      PID:5032
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                      4⤵
                                      • Modifies registry key
                                      PID:4200
                              • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
                                "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
                                1⤵
                                  PID:1660
                                  • C:\Windows\SysWOW64\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Windows\System32\WindowsUpdater32\3iwoWLhCbD6ud1McRS6K1aYy.vbe"
                                    2⤵
                                      PID:3152
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\WindowsUpdater32\PaKX0sN2c4o6GpO5th.bat" "
                                        3⤵
                                          PID:1652
                                          • C:\Windows\SysWOW64\WindowsUpdater32\WindowsUpdater.exe
                                            "C:\Windows\System32\WindowsUpdater32\WindowsUpdater.exe"
                                            4⤵
                                              PID:4612
                                            • C:\Windows\SysWOW64\reg.exe
                                              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                              4⤵
                                              • Modifies registry key
                                              PID:472
                                      • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
                                        "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
                                        1⤵
                                          PID:3436
                                          • C:\Windows\SysWOW64\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Windows\System32\WindowsUpdater32\3iwoWLhCbD6ud1McRS6K1aYy.vbe"
                                            2⤵
                                              PID:4516
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\WindowsUpdater32\PaKX0sN2c4o6GpO5th.bat" "
                                                3⤵
                                                  PID:2212
                                                  • C:\Windows\SysWOW64\WindowsUpdater32\WindowsUpdater.exe
                                                    "C:\Windows\System32\WindowsUpdater32\WindowsUpdater.exe"
                                                    4⤵
                                                      PID:3164
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                                      4⤵
                                                      • Modifies registry key
                                                      PID:1332
                                              • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
                                                "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
                                                1⤵
                                                  PID:3372
                                                  • C:\Windows\SysWOW64\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Windows\System32\WindowsUpdater32\3iwoWLhCbD6ud1McRS6K1aYy.vbe"
                                                    2⤵
                                                      PID:4480
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\WindowsUpdater32\PaKX0sN2c4o6GpO5th.bat" "
                                                        3⤵
                                                          PID:3920
                                                          • C:\Windows\SysWOW64\WindowsUpdater32\WindowsUpdater.exe
                                                            "C:\Windows\System32\WindowsUpdater32\WindowsUpdater.exe"
                                                            4⤵
                                                              PID:2952
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                                              4⤵
                                                              • Modifies registry key
                                                              PID:2240

                                                      Network

                                                      MITRE ATT&CK Matrix ATT&CK v13

                                                      Initial Access

                                                      Execution

                                                      Persistence

                                                      Privilege Escalation

                                                      Defense Evasion

                                                      Modify Registry

                                                      1
                                                      T1112

                                                      Credential Access

                                                      Discovery

                                                      System Information Discovery

                                                      1
                                                      T1082

                                                      Lateral Movement

                                                      Collection

                                                      Exfiltration

                                                      Command and Control

                                                      Impact

                                                      Resource Development

                                                      Reconnaissance

                                                      Replay Monitor

                                                      Loading Replay Monitor...

                                                      Downloads

                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsUpdater.exe.log
                                                        Filesize

                                                        1KB

                                                        MD5

                                                        ba188ab8514b037519a2ada3cdeb9a05

                                                        SHA1

                                                        518b6ee233a773b20230ebc226d741961b9bfdb1

                                                        SHA256

                                                        25effb7a46427c841cf727d6445ed5d8bcd128fdf767080ec1e10dbc8a40bee7

                                                        SHA512

                                                        fa2ea4f92834e14c5e09ff81c286c1ae7da9de68748a4dcc68da1ee214632386a24b204f4bd6ea71f17ec30d1e0fe8cb456c0c95ee65a07b87c2bef89c6bff08

                                                        Download Submit
                                                      • C:\Windows\SysWOW64\WindowsUpdater32\3iwoWLhCbD6ud1McRS6K1aYy.vbe
                                                        Filesize

                                                        228B

                                                        MD5

                                                        63cb07f35d5f7618266afc925eb7de22

                                                        SHA1

                                                        d9b1164485d02481d9e6c9a1929f44b23e84474f

                                                        SHA256

                                                        22ae6afc678dfa9beda5327d65565ed745c3607869eb4a380ed6736e704b8b07

                                                        SHA512

                                                        578134e2ac3bd2f8585e9e8f645c000fbea4d520141004062aa0b22004fa7dfbc1a2fbef52fcd2a4e1cdeca5e915fea17b9ea1440a320139472e8807ff8efd64

                                                        Download Submit
                                                      • C:\Windows\SysWOW64\WindowsUpdater32\PaKX0sN2c4o6GpO5th.bat
                                                        Filesize

                                                        169B

                                                        MD5

                                                        d754dcc09774b935efb8c95cefee906f

                                                        SHA1

                                                        046d65d75216a74407496b906d7868dff07711cb

                                                        SHA256

                                                        8304d11a02ab7a806781f072013febd8d3c5ceba45a94a68d4fd6a7a931d0242

                                                        SHA512

                                                        e6ee6cf752bd09e97ddff2a238b01d78503e382f0e4d4eced8f1602657b248f1a3c52918bf7ff9c53bff84b2603092279b8e2eaa8e5ad13bac532baf075d11f6

                                                        Download Submit
                                                      • C:\Windows\SysWOW64\WindowsUpdater32\WindowsUpdater.exe
                                                        Filesize

                                                        1.6MB

                                                        MD5

                                                        f8b13afa37f458b357656f428af4f3b5

                                                        SHA1

                                                        2ec5da9160babd67ea388f32c05968b3b749bd9b

                                                        SHA256

                                                        752c9badfed2e60e84234932aa1eadb052d92217274ba51d306620031030cc58

                                                        SHA512

                                                        748ddafba98cc65e36f2418ed99197f810903678b4450e5c98909bf067787cdfb02a6389595b0ddd36271ad13fbf97f78466ef7dd88deeec07e1716231e1ef83

                                                        Download Submit
                                                      • memory/3424-13-0x0000000000790000-0x0000000000928000-memory.dmp
                                                        Filesize

                                                        1.6MB

                                                        Download
                                                      • memory/3424-12-0x00007FFFF6303000-0x00007FFFF6305000-memory.dmp
                                                        Filesize

                                                        8KB

                                                        Download
                                                      • memory/3424-14-0x0000000002BC0000-0x0000000002BCE000-memory.dmp
                                                        Filesize

                                                        56KB

                                                        Download