dcrat | ada0493109fcfa84a332ad136f04a96ca7eadc323b57cdce2e6fe3066c37321e

General

Target

dllservices.exe
Size

448KB
MD5

eff1b26ff5763d25e892761a02dd2e7c
SHA1

17b677b9f58b54508324da8ab15bc67c66f5f55e
SHA256

ada0493109fcfa84a332ad136f04a96ca7eadc323b57cdce2e6fe3066c37321e
SHA512

53f0e1448ead9098a8efba367c32c1d3f7db09362eba7a62a409cde55d9876e3271dd55017abbdecfbf2abd2da393a5e7ba69bcd065f613d7010e259d43e9721

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DC Rat Payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Program Files (x86)\WindowsPowerShell\Modules\spoolsv.exe	dcrat
C:\Program Files (x86)\WindowsPowerShell\Modules\spoolsv.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

spoolsv.exe

pid process

1660 spoolsv.exe

pid	process
1660	spoolsv.exe

Drops file in Program Files directory 4 IoCs

Processes:

dllservices.exe

description	ioc	process
File created	C:\Program Files\Windows Defender\en-US\winlogon.exe	dllservices.exe
File created	C:\Program Files\Windows Defender\en-US\cc11b995f2a76da408ea6a601e682e64743153ad	dllservices.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\spoolsv.exe	dllservices.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	dllservices.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

920 schtasks.exe
1580 schtasks.exe
556 schtasks.exe
1464 schtasks.exe
1940 schtasks.exe
1052 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dllservices.exespoolsv.exe

pid process

848 dllservices.exe
1660 spoolsv.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dllservices.exespoolsv.exe

description pid process

Token: SeDebugPrivilege 848 dllservices.exe
Token: SeDebugPrivilege 1660 spoolsv.exe

pid	process
920	schtasks.exe
1580	schtasks.exe
556	schtasks.exe
1464	schtasks.exe
1940	schtasks.exe
1052	schtasks.exe

pid	process
848	dllservices.exe
1660	spoolsv.exe

description	pid	process
Token: SeDebugPrivilege	848	dllservices.exe
Token: SeDebugPrivilege	1660	spoolsv.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

dllservices.exe

description	pid	process	target process
PID 848 wrote to memory of 1580	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 1580	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 1580	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 556	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 556	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 556	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 1464	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 1464	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 1464	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 1940	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 1940	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 1940	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 1052	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 1052	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 1052	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 920	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 920	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 920	848	dllservices.exe	schtasks.exe
PID 848 wrote to memory of 1660	848	dllservices.exe	spoolsv.exe
PID 848 wrote to memory of 1660	848	dllservices.exe	spoolsv.exe
PID 848 wrote to memory of 1660	848	dllservices.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\dllservices.exe
"C:\Users\Admin\AppData\Local\Temp\dllservices.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1580
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WMIADAP.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:556
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1464
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\9f428062-1991-11eb-b2ba-ee401b9e63cb\csrss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1940
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\winlogon.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1052
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\spoolsv.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:920
- C:\Program Files (x86)\WindowsPowerShell\Modules\spoolsv.exe
  "C:\Program Files (x86)\WindowsPowerShell\Modules\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\spoolsv.exe

MD5
eff1b26ff5763d25e892761a02dd2e7c

SHA1
17b677b9f58b54508324da8ab15bc67c66f5f55e

SHA256
ada0493109fcfa84a332ad136f04a96ca7eadc323b57cdce2e6fe3066c37321e

SHA512
53f0e1448ead9098a8efba367c32c1d3f7db09362eba7a62a409cde55d9876e3271dd55017abbdecfbf2abd2da393a5e7ba69bcd065f613d7010e259d43e9721

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\spoolsv.exe

MD5
eff1b26ff5763d25e892761a02dd2e7c

SHA1
17b677b9f58b54508324da8ab15bc67c66f5f55e

SHA256
ada0493109fcfa84a332ad136f04a96ca7eadc323b57cdce2e6fe3066c37321e

SHA512
53f0e1448ead9098a8efba367c32c1d3f7db09362eba7a62a409cde55d9876e3271dd55017abbdecfbf2abd2da393a5e7ba69bcd065f613d7010e259d43e9721

Download Submit
memory/556-6-0x0000000000000000-mapping.dmp

Download
memory/848-2-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/848-3-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/920-10-0x0000000000000000-mapping.dmp

Download
memory/1052-9-0x0000000000000000-mapping.dmp

Download
memory/1464-7-0x0000000000000000-mapping.dmp

Download
memory/1580-5-0x0000000000000000-mapping.dmp

Download
memory/1660-11-0x0000000000000000-mapping.dmp

Download
memory/1660-14-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/1660-15-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1940-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads