dcrat | f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe
Size

1.1MB
MD5

829cab70d17eaedeabe77c32154d11f2
SHA1

196c898abee483229f61342ac1f8248677f833da
SHA256

f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97
SHA512

9d7ce634639d86cf020d1ce1a85e7c7d113feed2d0fc98f1f5ebb233ba77129e133b92636864bdbf105ec5599143f84835219203173bcf63ce047a7d40a7f4c3
SSDEEP

24576:Y2G/nvxW3W4kqExbb2uM2bowf751JKeqkTsRPns:YbA34qQUwf75bz

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 12 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2548	schtasks.exe
2888	schtasks.exe
1652	schtasks.exe
2504	schtasks.exe
1624	schtasks.exe
2544	schtasks.exe
2820	schtasks.exe
2884	schtasks.exe
1528	schtasks.exe
2628	schtasks.exe
2540	schtasks.exe
2800	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

componentfontnet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\sppsvc.exe\""	componentfontnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\sppsvc.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\dwm.exe\""	componentfontnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\sppsvc.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\dwm.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\cmd.exe\""	componentfontnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\sppsvc.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\dwm.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\cmd.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\Idle.exe\""	componentfontnet.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2528	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\intobroker\componentfontnet.exe	dcrat
behavioral1/memory/2644-13-0x0000000000DD0000-0x0000000000EA6000-memory.dmp	dcrat
behavioral1/memory/356-28-0x00000000009B0000-0x0000000000A86000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

componentfontnet.exedwm.exe

pid process

2644 componentfontnet.exe
356 dwm.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2744 cmd.exe
2744 cmd.exe

pid	process
2644	componentfontnet.exe
356	dwm.exe

pid	process
2744	cmd.exe
2744	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

componentfontnet.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\Idle.exe\""	componentfontnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\Idle.exe\""	componentfontnet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\sppsvc.exe\""	componentfontnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\sppsvc.exe\""	componentfontnet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Prefetch\\ReadyBoot\\dwm.exe\""	componentfontnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Prefetch\\ReadyBoot\\dwm.exe\""	componentfontnet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\cmd.exe\""	componentfontnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\cmd.exe\""	componentfontnet.exe

Drops file in Program Files directory 2 IoCs

Processes:

componentfontnet.exe

description	ioc	process
File created	C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe	componentfontnet.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\6ccacd8608530f	componentfontnet.exe

Drops file in Windows directory 2 IoCs

Processes:

componentfontnet.exe

description ioc process

File created C:\Windows\Prefetch\ReadyBoot\dwm.exe componentfontnet.exe
File created C:\Windows\Prefetch\ReadyBoot\6cb0b6c459d5d3 componentfontnet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Prefetch\ReadyBoot\dwm.exe	componentfontnet.exe
File created	C:\Windows\Prefetch\ReadyBoot\6cb0b6c459d5d3	componentfontnet.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2628	schtasks.exe
2548	schtasks.exe
2540	schtasks.exe
2544	schtasks.exe
2800	schtasks.exe
2884	schtasks.exe
1652	schtasks.exe
2504	schtasks.exe
1624	schtasks.exe
2820	schtasks.exe
2888	schtasks.exe
1528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

componentfontnet.exedwm.exe

pid process

2644 componentfontnet.exe
2644 componentfontnet.exe
2644 componentfontnet.exe
356 dwm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

componentfontnet.exedwm.exe

description pid process

Token: SeDebugPrivilege 2644 componentfontnet.exe
Token: SeDebugPrivilege 356 dwm.exe

pid	process
2644	componentfontnet.exe
2644	componentfontnet.exe
2644	componentfontnet.exe
356	dwm.exe

description	pid	process
Token: SeDebugPrivilege	2644	componentfontnet.exe
Token: SeDebugPrivilege	356	dwm.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exeWScript.execmd.execomponentfontnet.exe

description	pid	process	target process
PID 1724 wrote to memory of 2432	1724	f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe	WScript.exe
PID 1724 wrote to memory of 2432	1724	f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe	WScript.exe
PID 1724 wrote to memory of 2432	1724	f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe	WScript.exe
PID 1724 wrote to memory of 2432	1724	f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe	WScript.exe
PID 2432 wrote to memory of 2744	2432	WScript.exe	cmd.exe
PID 2432 wrote to memory of 2744	2432	WScript.exe	cmd.exe
PID 2432 wrote to memory of 2744	2432	WScript.exe	cmd.exe
PID 2432 wrote to memory of 2744	2432	WScript.exe	cmd.exe
PID 2744 wrote to memory of 2644	2744	cmd.exe	componentfontnet.exe
PID 2744 wrote to memory of 2644	2744	cmd.exe	componentfontnet.exe
PID 2744 wrote to memory of 2644	2744	cmd.exe	componentfontnet.exe
PID 2744 wrote to memory of 2644	2744	cmd.exe	componentfontnet.exe
PID 2644 wrote to memory of 356	2644	componentfontnet.exe	dwm.exe
PID 2644 wrote to memory of 356	2644	componentfontnet.exe	dwm.exe
PID 2644 wrote to memory of 356	2644	componentfontnet.exe	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe
"C:\Users\Admin\AppData\Local\Temp\f4ab048f183a7269468b0cb8509668831e3d8f816e1be3162a0734c83c488c97.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intobroker\osry78APVO.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\intobroker\tDTHMvsh0leL386.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744

C:\intobroker\componentfontnet.exe
"C:\intobroker\componentfontnet.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\Prefetch\ReadyBoot\dwm.exe
"C:\Windows\Prefetch\ReadyBoot\dwm.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\intobroker\osry78APVO.vbe
Filesize
203B

MD5
d9575ef3d39fa2d3f7cddfa06e37aed9

SHA1
96f3d4b152dd2b5367a6c6199c7c0cb8a7e55e48

SHA256
7620872ff0baa9a5acccdf52eda7568ac9e26968922835abab01703e25c6f8b5

SHA512
5f0bae0a68887a17b0d5cbac991a0657b83dc3e9bdfa0bfd62805d0cbaf4bad1d2354d63549743e46e11d6449f2a6d6bf7a1892ba5efa744abe7e1027234e742

Download Submit
C:\intobroker\tDTHMvsh0leL386.bat
Filesize
36B

MD5
eebb77f627130b420bf208f1efe0b460

SHA1
60fc9a9abee4f092453513424d3ad026d047b5fd

SHA256
8a5e709a08538e22d8491eaaf5aaf53b1468229a5721c072ea08c9467e0c3ef5

SHA512
030ddab47f04ddcfb8f1ec412621d0e31821f82fd38dde3fae07e63234613d14276bc2d378f20d9499fd1b9098cb042f5fefe7b49cb2aad5ef44635736e8b7ed

Download Submit
\intobroker\componentfontnet.exe
Filesize
829KB

MD5
0496185a6219652c72da3dc493b35853

SHA1
9060775977b6a917f8d513521ad1a327342d0eab

SHA256
32e448e205263af7253fdb66af9e2349e18a6054c9a1d27e8c5264840ba1559e

SHA512
8a36acae4bf2e966ef2913d24b2be6ed8c4d167868e98b94fdebc4892895a61f0c43a682a829a9f615a03aec953bca3f2cf1915b1368fa2cf1fd9be91f2da84f

Download Submit
memory/356-28-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2644-13-0x0000000000DD0000-0x0000000000EA6000-memory.dmp

Filesize
856KB

Download