dcrat | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
377s
max time network
458s
platform
windows10_x64
resource
win10v20201028
submitted
19-11-2020 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ForceOp 2.8.7 - By RaiSence.exe

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3636 created 1888	3636	WerFault.exe	97

Executes dropped EXE 2 IoCs

pid	Process
3772	wincommon.exe
1888	wscript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ClientX64\svchost.exe	wincommon.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\f4d236fdec2fd03914189c3b26e5cb0dfea9d761	wincommon.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe	wincommon.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0e44ea423ffd4ee81fe73670a2a	wincommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3636	1888	WerFault.exe	97

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3612	schtasks.exe
2136	schtasks.exe
1136	schtasks.exe
3648	schtasks.exe
2084	schtasks.exe
1508	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	ForceOp 2.8.7 - By RaiSence.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3772	wincommon.exe
1888	wscript.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe
3636	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3772	wincommon.exe
Token: SeDebugPrivilege	1888	wscript.exe
Token: SeDebugPrivilege	3636	WerFault.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 2540	3276	ForceOp 2.8.7 - By RaiSence.exe	75
PID 3276 wrote to memory of 2540	3276	ForceOp 2.8.7 - By RaiSence.exe	75
PID 3276 wrote to memory of 2540	3276	ForceOp 2.8.7 - By RaiSence.exe	75
PID 3276 wrote to memory of 3412	3276	ForceOp 2.8.7 - By RaiSence.exe	77
PID 3276 wrote to memory of 3412	3276	ForceOp 2.8.7 - By RaiSence.exe	77
PID 3276 wrote to memory of 3412	3276	ForceOp 2.8.7 - By RaiSence.exe	77
PID 2540 wrote to memory of 1148	2540	WScript.exe	81
PID 2540 wrote to memory of 1148	2540	WScript.exe	81
PID 2540 wrote to memory of 1148	2540	WScript.exe	81
PID 1148 wrote to memory of 3772	1148	cmd.exe	83
PID 1148 wrote to memory of 3772	1148	cmd.exe	83
PID 3772 wrote to memory of 3612	3772	wincommon.exe	85
PID 3772 wrote to memory of 3612	3772	wincommon.exe	85
PID 3772 wrote to memory of 2136	3772	wincommon.exe	87
PID 3772 wrote to memory of 2136	3772	wincommon.exe	87
PID 3772 wrote to memory of 1136	3772	wincommon.exe	89
PID 3772 wrote to memory of 1136	3772	wincommon.exe	89
PID 3772 wrote to memory of 3648	3772	wincommon.exe	91
PID 3772 wrote to memory of 3648	3772	wincommon.exe	91
PID 3772 wrote to memory of 2084	3772	wincommon.exe	93
PID 3772 wrote to memory of 2084	3772	wincommon.exe	93
PID 3772 wrote to memory of 1508	3772	wincommon.exe	95
PID 3772 wrote to memory of 1508	3772	wincommon.exe	95
PID 3772 wrote to memory of 1888	3772	wincommon.exe	97
PID 3772 wrote to memory of 1888	3772	wincommon.exe	97

C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe
"C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\intofont\1Udi0TDz635jTrMWFNrE4kqnOIuYIi.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\intofont\xLg6v1j1ZJy5DZ1pz826KfZq2BmfLM.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\intofont\wincommon.exe
      "C:\intofont\wincommon.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3772
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\odt\svchost.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:3612
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2136
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\intofont\svchost.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1136
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\svchost.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:3648
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2084
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wscript" /sc ONLOGON /tr "'C:\PerfLogs\wscript.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1508
    - - C:\PerfLogs\wscript.exe
        
        "C:\PerfLogs\wscript.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1888 -s 1796
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\intofont\msg.vbs"
  2⤵
  PID:3412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1888-35-0x00007FFED8500000-0x00007FFED8EEC000-memory.dmp

Filesize
9.9MB

Download
memory/3636-39-0x0000017402A40000-0x0000017402A41000-memory.dmp

Filesize
4KB

Download
memory/3636-55-0x0000017403C40000-0x0000017403C41000-memory.dmp

Filesize
4KB

Download
memory/3772-25-0x000000001B9E0000-0x000000001B9E1000-memory.dmp

Filesize
4KB

Download
memory/3772-22-0x00007FFED8500000-0x00007FFED8EEC000-memory.dmp

Filesize
9.9MB

Download
memory/3772-23-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download