dcrat | 503f68ee6b9cb184e1dad186bb3f7e200a97b0ebd56de4a2bdd7e78d6c10e3aa

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
Size

829KB
MD5

75efabc3056a03a80af5f744f2c7f616
SHA1

8c8d4b0dd3b3f3cafcc55841431a3f56be29c47f
SHA256

249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92
SHA512

e552ed4b4a06e4daf004832153e1904e6ad19be127bfdb479f0688a5ae7425618ffac17c9a686971b72beb8a46f48c57fc6a628b6a4302d00a9c1650fa12c798
SSDEEP

12288:PEyrEZFe6JTVqa28z0SOGBslmJrZpUpazI5Izpbpwvr2/QJVKOEpiu:s7e6JTVXaGu2M5IzNpwS/QJVKO4

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2628	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2628	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1988-1-0x0000000000E10000-0x0000000000EE6000-memory.dmp	dcrat
C:\MSOCache\All Users\dwm.exe	dcrat
behavioral1/memory/1448-23-0x0000000001380000-0x0000000001456000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

dwm.exe

pid process

1448 dwm.exe

pid	process
1448	dwm.exe

Drops file in Program Files directory 9 IoCs

Processes:

249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\7a0fd90576e088	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\cc11b995f2a76d	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\explorer.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files\Common Files\SpeechEngines\sppsvc.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files\Common Files\SpeechEngines\0a1fd5f707cd16	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files (x86)\Common Files\System\249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files (x86)\Common Files\System\275c2e83f62543	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2732	schtasks.exe
2276	schtasks.exe
2412	schtasks.exe
2612	schtasks.exe
1692	schtasks.exe
804	schtasks.exe
2200	schtasks.exe
2720	schtasks.exe
2652	schtasks.exe
2484	schtasks.exe
2920	schtasks.exe
1916	schtasks.exe
1464	schtasks.exe
2784	schtasks.exe
2672	schtasks.exe
2504	schtasks.exe
884	schtasks.exe
2696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exedwm.exe

pid process

1988 249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1448 dwm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exedwm.exe

description pid process

Token: SeDebugPrivilege 1988 249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
Token: SeDebugPrivilege 1448 dwm.exe

pid	process
1988	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1448	dwm.exe

description	pid	process
Token: SeDebugPrivilege	1988	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
Token: SeDebugPrivilege	1448	dwm.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.execmd.exe

description	pid	process	target process
PID 1988 wrote to memory of 1640	1988	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe	cmd.exe
PID 1988 wrote to memory of 1640	1988	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe	cmd.exe
PID 1988 wrote to memory of 1640	1988	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe	cmd.exe
PID 1640 wrote to memory of 2136	1640	cmd.exe	w32tm.exe
PID 1640 wrote to memory of 2136	1640	cmd.exe	w32tm.exe
PID 1640 wrote to memory of 2136	1640	cmd.exe	w32tm.exe
PID 1640 wrote to memory of 1448	1640	cmd.exe	dwm.exe
PID 1640 wrote to memory of 1448	1640	cmd.exe	dwm.exe
PID 1640 wrote to memory of 1448	1640	cmd.exe	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
"C:\Users\Admin\AppData\Local\Temp\249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XrskW4JYld.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2136

C:\MSOCache\All Users\dwm.exe
"C:\MSOCache\All Users\dwm.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\SpeechEngines\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\SpeechEngines\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb922" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System\249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb922" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\dwm.exe
Filesize
829KB

MD5
75efabc3056a03a80af5f744f2c7f616

SHA1
8c8d4b0dd3b3f3cafcc55841431a3f56be29c47f

SHA256
249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92

SHA512
e552ed4b4a06e4daf004832153e1904e6ad19be127bfdb479f0688a5ae7425618ffac17c9a686971b72beb8a46f48c57fc6a628b6a4302d00a9c1650fa12c798

Download Submit
C:\Users\Admin\AppData\Local\Temp\XrskW4JYld.bat
Filesize
194B

MD5
1ba4a47fbc720ca2544585a532537e9a

SHA1
2d82b9a16c72f38f24709b8e8040cc3e3cd0fd1b

SHA256
10424b2446bd9a7166705c5ca36d79f0eba1bf9767261bc699e2278500b5f0b0

SHA512
b3f811d84d8947b6b3d841f74d188a22143896d27c874aeded50485b21e0acb02d6cb6e37c13b0925f354b7b2fff3cb62cb7e2379b93b060f0cd96582ac146a8

Download Submit
memory/1448-23-0x0000000001380000-0x0000000001456000-memory.dmp

Filesize
856KB

Download
memory/1988-0-0x000007FEF6163000-0x000007FEF6164000-memory.dmp

Filesize
4KB

Download
memory/1988-1-0x0000000000E10000-0x0000000000EE6000-memory.dmp

Filesize
856KB

Download
memory/1988-2-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/1988-20-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download