dcrat | ada0493109fcfa84a332ad136f04a96ca7eadc323b57cdce2e6fe3066c37321e

General

Target

dllservices.exe
Size

448KB
MD5

eff1b26ff5763d25e892761a02dd2e7c
SHA1

17b677b9f58b54508324da8ab15bc67c66f5f55e
SHA256

ada0493109fcfa84a332ad136f04a96ca7eadc323b57cdce2e6fe3066c37321e
SHA512

53f0e1448ead9098a8efba367c32c1d3f7db09362eba7a62a409cde55d9876e3271dd55017abbdecfbf2abd2da393a5e7ba69bcd065f613d7010e259d43e9721

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DC Rat Payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00030000000130f2-12.dat	dcrat
behavioral1/files/0x00030000000130f2-13.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1660	spoolsv.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\en-US\winlogon.exe	dllservices.exe
File created	C:\Program Files\Windows Defender\en-US\cc11b995f2a76da408ea6a601e682e64743153ad	dllservices.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\spoolsv.exe	dllservices.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	dllservices.exe

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
920	schtasks.exe
1580	schtasks.exe
556	schtasks.exe
1464	schtasks.exe
1940	schtasks.exe
1052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
848	dllservices.exe
1660	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	dllservices.exe
Token: SeDebugPrivilege	1660	spoolsv.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1580	848	dllservices.exe	30
PID 848 wrote to memory of 1580	848	dllservices.exe	30
PID 848 wrote to memory of 1580	848	dllservices.exe	30
PID 848 wrote to memory of 556	848	dllservices.exe	32
PID 848 wrote to memory of 556	848	dllservices.exe	32
PID 848 wrote to memory of 556	848	dllservices.exe	32
PID 848 wrote to memory of 1464	848	dllservices.exe	34
PID 848 wrote to memory of 1464	848	dllservices.exe	34
PID 848 wrote to memory of 1464	848	dllservices.exe	34
PID 848 wrote to memory of 1940	848	dllservices.exe	36
PID 848 wrote to memory of 1940	848	dllservices.exe	36
PID 848 wrote to memory of 1940	848	dllservices.exe	36
PID 848 wrote to memory of 1052	848	dllservices.exe	38
PID 848 wrote to memory of 1052	848	dllservices.exe	38
PID 848 wrote to memory of 1052	848	dllservices.exe	38
PID 848 wrote to memory of 920	848	dllservices.exe	40
PID 848 wrote to memory of 920	848	dllservices.exe	40
PID 848 wrote to memory of 920	848	dllservices.exe	40
PID 848 wrote to memory of 1660	848	dllservices.exe	42
PID 848 wrote to memory of 1660	848	dllservices.exe	42
PID 848 wrote to memory of 1660	848	dllservices.exe	42

C:\Users\Admin\AppData\Local\Temp\dllservices.exe
"C:\Users\Admin\AppData\Local\Temp\dllservices.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1580
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WMIADAP.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:556
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1464
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\9f428062-1991-11eb-b2ba-ee401b9e63cb\csrss.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1940
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\winlogon.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1052
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\spoolsv.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:920
- C:\Program Files (x86)\WindowsPowerShell\Modules\spoolsv.exe
  "C:\Program Files (x86)\WindowsPowerShell\Modules\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/848-2-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/848-3-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1660-14-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/1660-15-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads