dcrat | e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
Size

2.3MB
MD5

11ec2263423a6c9c8ca33fe4c021e9a4
SHA1

187934d7646cc1d33c923d1fbb0b385adbc411d1
SHA256

e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7
SHA512

d86b834a6554be6984222ddc926675e11df6d128841d51baba2f3b0e38ffcb08fdb7c01918a28c5db36c6c6c6799b8883a1131a9b41c5dc78a089c99151da4bf
SSDEEP

49152:q/OAn5V6k2DyNqLRN02tf1YkbY8TwHW47AFr3aT:uOs5VUCZ2tf1Ykk8TwHXerKT

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	1700	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	1700	schtasks.exe

DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
rat

Processes:

resource yara_rule

behavioral2/memory/4932-1-0x0000000000460000-0x00000000006B2000-memory.dmp dcrat
C:\Windows\Web\backgroundTaskHost.exe dcrat

resource	yara_rule
behavioral2/memory/4932-1-0x0000000000460000-0x00000000006B2000-memory.dmp	dcrat
C:\Windows\Web\backgroundTaskHost.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe

Executes dropped EXE 1 IoCs

Processes:

backgroundTaskHost.exe

pid process

3144 backgroundTaskHost.exe

pid	process
3144	backgroundTaskHost.exe

Drops file in Program Files directory 9 IoCs

Processes:

e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
File created	C:\Program Files (x86)\Windows Portable Devices\37a59ab026fbb7	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\eddb19405b7ce1	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\RuntimeBroker.exe	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
File created	C:\Program Files\7-Zip\Lang\fontdrvhost.exe	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
File created	C:\Program Files\7-Zip\Lang\5b884080fd4f94	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\9e8d7a4ca61bd9	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe

Drops file in Windows directory 4 IoCs

Processes:

e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe

description	ioc	process
File created	C:\Windows\WaaS\tasks\csrss.exe	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
File created	C:\Windows\Web\backgroundTaskHost.exe	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
File created	C:\Windows\Web\eddb19405b7ce1	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
File created	C:\Windows\CSC\backgroundTaskHost.exe	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
748	schtasks.exe
2460	schtasks.exe
3628	schtasks.exe
3512	schtasks.exe
952	schtasks.exe
1748	schtasks.exe
2732	schtasks.exe
244	schtasks.exe
1384	schtasks.exe
3928	schtasks.exe
1028	schtasks.exe
3052	schtasks.exe
2564	schtasks.exe
3608	schtasks.exe
2424	schtasks.exe
4780	schtasks.exe
2344	schtasks.exe
628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exebackgroundTaskHost.exe

pid	process
4932	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
4932	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
4932	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
4932	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
4932	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
4932	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
4932	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
3144	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exebackgroundTaskHost.exe

description pid process

Token: SeDebugPrivilege 4932 e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
Token: SeDebugPrivilege 3144 backgroundTaskHost.exe

description	pid	process
Token: SeDebugPrivilege	4932	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
Token: SeDebugPrivilege	3144	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.execmd.exe

description	pid	process	target process
PID 4932 wrote to memory of 224	4932	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe	cmd.exe
PID 4932 wrote to memory of 224	4932	e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe	cmd.exe
PID 224 wrote to memory of 3008	224	cmd.exe	w32tm.exe
PID 224 wrote to memory of 3008	224	cmd.exe	w32tm.exe
PID 224 wrote to memory of 3144	224	cmd.exe	backgroundTaskHost.exe
PID 224 wrote to memory of 3144	224	cmd.exe	backgroundTaskHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe
"C:\Users\Admin\AppData\Local\Temp\e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\APmL0FvvwZ.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:3008

C:\Windows\Web\backgroundTaskHost.exe
"C:\Windows\Web\backgroundTaskHost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7e" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7e" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Web\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\Web\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\APmL0FvvwZ.bat
Filesize
202B

MD5
1413bec69cb5ee6581a44e8df963af7a

SHA1
4e9155e13bf43bbc29afade3a59f0b401b912419

SHA256
c6690a56b6608fb9ad02fc856baff77e6a4896c46a8b6de483e75837e9481fbc

SHA512
45ea59e0db709e952fa10ca287bb631c4fd89417b9cd32424412f35b92fd597519b765400a831c00fd49b9aeec29053f0e2e94b25f9f6ccd395aab15febaff5d

Download Submit
C:\Windows\Web\backgroundTaskHost.exe
Filesize
2.3MB

MD5
11ec2263423a6c9c8ca33fe4c021e9a4

SHA1
187934d7646cc1d33c923d1fbb0b385adbc411d1

SHA256
e0a44f25632730e54db070a4508bdaf73621f4dc7f61987df2051d5d4b512ed7

SHA512
d86b834a6554be6984222ddc926675e11df6d128841d51baba2f3b0e38ffcb08fdb7c01918a28c5db36c6c6c6799b8883a1131a9b41c5dc78a089c99151da4bf

Download Submit
memory/3144-35-0x000000001BC70000-0x000000001BC82000-memory.dmp

Filesize
72KB

Download
memory/3144-34-0x000000001BC20000-0x000000001BC76000-memory.dmp

Filesize
344KB

Download
memory/4932-6-0x000000001B200000-0x000000001B256000-memory.dmp

Filesize
344KB

Download
memory/4932-7-0x000000001B2A0000-0x000000001B2B2000-memory.dmp

Filesize
72KB

Download
memory/4932-5-0x0000000002900000-0x0000000002916000-memory.dmp

Filesize
88KB

Download
memory/4932-4-0x000000001B250000-0x000000001B2A0000-memory.dmp

Filesize
320KB

Download
memory/4932-11-0x000000001B900000-0x000000001B908000-memory.dmp

Filesize
32KB

Download
memory/4932-10-0x000000001B8F0000-0x000000001B8F8000-memory.dmp

Filesize
32KB

Download
memory/4932-9-0x000000001B8E0000-0x000000001B8EE000-memory.dmp

Filesize
56KB

Download
memory/4932-8-0x000000001C200000-0x000000001C728000-memory.dmp

Filesize
5.2MB

Download
memory/4932-0-0x00007FF9C94E3000-0x00007FF9C94E5000-memory.dmp

Filesize
8KB

Download
memory/4932-3-0x00000000028E0000-0x00000000028FC000-memory.dmp

Filesize
112KB

Download
memory/4932-30-0x00007FF9C94E0000-0x00007FF9C9FA1000-memory.dmp

Filesize
10.8MB

Download
memory/4932-2-0x00007FF9C94E0000-0x00007FF9C9FA1000-memory.dmp

Filesize
10.8MB

Download
memory/4932-1-0x0000000000460000-0x00000000006B2000-memory.dmp

Filesize
2.3MB

Download