dcrat | 1840872e8117b0efa252bc324ae2944d5c5b9242c928e3a568ccde06354eec35

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
04-02-2021 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4yQyNsXLvwdE7h0o12Rg.exe
Size

684KB
MD5

5786034e260eabfd710772bcfa97bc95
SHA1

a5699e485d73471ecc45da327976aa6d2d2ac2cc
SHA256

1840872e8117b0efa252bc324ae2944d5c5b9242c928e3a568ccde06354eec35
SHA512

a4ce8ffb2e3d4d3104900ba68184d92cfe94f0e7cf4ee8834eec7838769e7e0775b964c09010b9f047c70012adb1850cefcb385c7a7f7c7ad735e7fa82c0f070

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DC Rat Payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\dlldhcp\reviewcommon.exe	dcrat
C:\dlldhcp\reviewcommon.exe	dcrat
C:\dlldhcp\reviewcommon.exe	dcrat
C:\ProgramData\Microsoft Help\services.exe	dcrat
C:\Users\All Users\Microsoft Help\services.exe	dcrat

Executes dropped EXE 3 IoCs

Processes:

TvyV4sMJtQ2q43rckgWS.exereviewcommon.exeservices.exe

pid process

1720 TvyV4sMJtQ2q43rckgWS.exe
992 reviewcommon.exe
1736 services.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.execmd.exe

pid process

1960 cmd.exe
1928 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1720	TvyV4sMJtQ2q43rckgWS.exe
992	reviewcommon.exe
1736	services.exe

pid	process
1960	cmd.exe
1928	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reviewcommon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\TAPI\\lsm.exe\""	reviewcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\dlldhcp\\lsm.exe\""	reviewcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\Microsoft Help\\services.exe\""	reviewcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\9f428062-1991-11eb-b2ba-ee401b9e63cb\\spoolsv.exe\""	reviewcommon.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ipinfo.io
6 ipinfo.io
7 ipinfo.io

flow	ioc
5	ipinfo.io
6	ipinfo.io
7	ipinfo.io

Drops file in Windows directory 2 IoCs

Processes:

reviewcommon.exe

description	ioc	process
File created	C:\Windows\TAPI\lsm.exe	reviewcommon.exe
File created	C:\Windows\TAPI\101b941d020240259ca4912829b53995ad543df6	reviewcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1160 schtasks.exe
1428 schtasks.exe
1580 schtasks.exe
1816 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

reviewcommon.exeservices.exe

pid process

992 reviewcommon.exe
1736 services.exe
1736 services.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

services.exe

pid process

1736 services.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

reviewcommon.exeservices.exe

description pid process

Token: SeDebugPrivilege 992 reviewcommon.exe
Token: SeDebugPrivilege 1736 services.exe

pid	process
1160	schtasks.exe
1428	schtasks.exe
1580	schtasks.exe
1816	schtasks.exe

pid	process
992	reviewcommon.exe
1736	services.exe
1736	services.exe

pid	process
1736	services.exe

description	pid	process
Token: SeDebugPrivilege	992	reviewcommon.exe
Token: SeDebugPrivilege	1736	services.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

4yQyNsXLvwdE7h0o12Rg.exeWScript.execmd.exeTvyV4sMJtQ2q43rckgWS.exeWScript.execmd.exereviewcommon.exe

description	pid	process	target process
PID 1908 wrote to memory of 1520	1908	4yQyNsXLvwdE7h0o12Rg.exe	WScript.exe
PID 1908 wrote to memory of 1520	1908	4yQyNsXLvwdE7h0o12Rg.exe	WScript.exe
PID 1908 wrote to memory of 1520	1908	4yQyNsXLvwdE7h0o12Rg.exe	WScript.exe
PID 1908 wrote to memory of 1520	1908	4yQyNsXLvwdE7h0o12Rg.exe	WScript.exe
PID 1520 wrote to memory of 1960	1520	WScript.exe	cmd.exe
PID 1520 wrote to memory of 1960	1520	WScript.exe	cmd.exe
PID 1520 wrote to memory of 1960	1520	WScript.exe	cmd.exe
PID 1520 wrote to memory of 1960	1520	WScript.exe	cmd.exe
PID 1960 wrote to memory of 1720	1960	cmd.exe	TvyV4sMJtQ2q43rckgWS.exe
PID 1960 wrote to memory of 1720	1960	cmd.exe	TvyV4sMJtQ2q43rckgWS.exe
PID 1960 wrote to memory of 1720	1960	cmd.exe	TvyV4sMJtQ2q43rckgWS.exe
PID 1960 wrote to memory of 1720	1960	cmd.exe	TvyV4sMJtQ2q43rckgWS.exe
PID 1720 wrote to memory of 1764	1720	TvyV4sMJtQ2q43rckgWS.exe	WScript.exe
PID 1720 wrote to memory of 1764	1720	TvyV4sMJtQ2q43rckgWS.exe	WScript.exe
PID 1720 wrote to memory of 1764	1720	TvyV4sMJtQ2q43rckgWS.exe	WScript.exe
PID 1720 wrote to memory of 1764	1720	TvyV4sMJtQ2q43rckgWS.exe	WScript.exe
PID 1764 wrote to memory of 1928	1764	WScript.exe	cmd.exe
PID 1764 wrote to memory of 1928	1764	WScript.exe	cmd.exe
PID 1764 wrote to memory of 1928	1764	WScript.exe	cmd.exe
PID 1764 wrote to memory of 1928	1764	WScript.exe	cmd.exe
PID 1928 wrote to memory of 992	1928	cmd.exe	reviewcommon.exe
PID 1928 wrote to memory of 992	1928	cmd.exe	reviewcommon.exe
PID 1928 wrote to memory of 992	1928	cmd.exe	reviewcommon.exe
PID 1928 wrote to memory of 992	1928	cmd.exe	reviewcommon.exe
PID 992 wrote to memory of 1160	992	reviewcommon.exe	schtasks.exe
PID 992 wrote to memory of 1160	992	reviewcommon.exe	schtasks.exe
PID 992 wrote to memory of 1160	992	reviewcommon.exe	schtasks.exe
PID 992 wrote to memory of 1428	992	reviewcommon.exe	schtasks.exe
PID 992 wrote to memory of 1428	992	reviewcommon.exe	schtasks.exe
PID 992 wrote to memory of 1428	992	reviewcommon.exe	schtasks.exe
PID 992 wrote to memory of 1580	992	reviewcommon.exe	schtasks.exe
PID 992 wrote to memory of 1580	992	reviewcommon.exe	schtasks.exe
PID 992 wrote to memory of 1580	992	reviewcommon.exe	schtasks.exe
PID 992 wrote to memory of 1816	992	reviewcommon.exe	schtasks.exe
PID 992 wrote to memory of 1816	992	reviewcommon.exe	schtasks.exe
PID 992 wrote to memory of 1816	992	reviewcommon.exe	schtasks.exe
PID 992 wrote to memory of 1736	992	reviewcommon.exe	services.exe
PID 992 wrote to memory of 1736	992	reviewcommon.exe	services.exe
PID 992 wrote to memory of 1736	992	reviewcommon.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\4yQyNsXLvwdE7h0o12Rg.exe
"C:\Users\Admin\AppData\Local\Temp\4yQyNsXLvwdE7h0o12Rg.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\dlldhcp\pb9Gu3tG7NmOc5Gajm8xMQsWHj1XvE.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\dlldhcp\Ovv4WrUEEOrKRGuaUIBYpelkPalQwD.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\dlldhcp\TvyV4sMJtQ2q43rckgWS.exe
      TvyV4sMJtQ2q43rckgWS.exe -p55ff48c21c9494a5d9e8edfacff40e98a5e08b85
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\dlldhcp\06OXEbc57sIIel2pT7VSFVSjXXmfRt.vbe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\dlldhcp\M2pBQ8CVzpBi7EtxSagzVS7Rsq03Qh.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\dlldhcp\reviewcommon.exe
        
        "C:\dlldhcp\reviewcommon.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\9f428062-1991-11eb-b2ba-ee401b9e63cb\spoolsv.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:1160
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\TAPI\lsm.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:1428
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\dlldhcp\lsm.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:1580
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\services.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:1816
        
        C:\Users\All Users\Microsoft Help\services.exe
        
        "C:\Users\All Users\Microsoft Help\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\services.exe

MD5
129acac9f415647ea9aa17b970f25391

SHA1
9576592f52c4ddf4a3922077832ad9c2f70e86de

SHA256
71b5b9ac7fa718a9ec2a41b5a8642761da9d7689a313b8bc89c12f72851f59a7

SHA512
7ec888cff71193ffe61be3aee7c5e484e5491c04dd8c4413d4aec64b2e83796e3f02289031615bc87237bc4c28087079120d5f16e4802294a77edd945bdc427b

Download Submit
C:\Users\All Users\Microsoft Help\services.exe

MD5
129acac9f415647ea9aa17b970f25391

SHA1
9576592f52c4ddf4a3922077832ad9c2f70e86de

SHA256
71b5b9ac7fa718a9ec2a41b5a8642761da9d7689a313b8bc89c12f72851f59a7

SHA512
7ec888cff71193ffe61be3aee7c5e484e5491c04dd8c4413d4aec64b2e83796e3f02289031615bc87237bc4c28087079120d5f16e4802294a77edd945bdc427b

Download Submit
C:\dlldhcp\06OXEbc57sIIel2pT7VSFVSjXXmfRt.vbe

MD5
210951648be0af442e992c0c244881d2

SHA1
5a1f973643464b8c25ea0baacf24c1be63a0fc35

SHA256
84c461efb89569ac83256e91419a7e433cf3dd114d7bbcdca3d043c5e3a3a6df

SHA512
591792d2b0a9e8483071c35956b2189ebfb11f754f9f917a8a9626a11d176ef12880f84741a1a81c094ad2202f1187d917832266ebb474910f9d76a153b28807

Download Submit
C:\dlldhcp\M2pBQ8CVzpBi7EtxSagzVS7Rsq03Qh.bat

MD5
5895d60ccfece992e7ba54e9c612c6b7

SHA1
4ad6068c24eea84ecf8096c5710d1c7823e97d7c

SHA256
8274d8a146527cd6887201bcf8b0444abf859e5a53485c2325e07f064ed09562

SHA512
894fa23cd7bb76bc0e54493d5f5f24cc88d9002e41901e68da2c211b628897aa0242bc17995f264518ce4140925163879265160b921d7b445a815c85625d6b91

Download Submit
C:\dlldhcp\Ovv4WrUEEOrKRGuaUIBYpelkPalQwD.bat

MD5
47bd37706cba75d92e38e8a92c3f677c

SHA1
c4dc06ca75cfce3672294c0fb658637679b890af

SHA256
204e3297bbd72d9c4c21e0aa94c563f0ae310f7116fd0dfc5095c0acea994f2f

SHA512
a14079075318a6695677da9e4a670fb9a982673a27be346a9453551861e68259216fb96d1295e3be61d977ee3868e7b23669ad5a90488e2c9f00503ecdda9a70

Download Submit
C:\dlldhcp\TvyV4sMJtQ2q43rckgWS.exe

MD5
e957674018efb1b736acbffb8ed03960

SHA1
2dd39dbed238087764f4fc716f93d289dfe6d140

SHA256
b7b622503d442c422d585761daf056f2becd9d5e73f4c1b83635e4b4643bbfba

SHA512
591ab7a2aafecb89622510044062091f98cac906d29870196ad3941dce4dacae1f281f0033aa98dfc96dcbc4d923539e43d5c3476d2dfacdb597b61591dcbf6e

Download Submit
C:\dlldhcp\TvyV4sMJtQ2q43rckgWS.exe

MD5
e957674018efb1b736acbffb8ed03960

SHA1
2dd39dbed238087764f4fc716f93d289dfe6d140

SHA256
b7b622503d442c422d585761daf056f2becd9d5e73f4c1b83635e4b4643bbfba

SHA512
591ab7a2aafecb89622510044062091f98cac906d29870196ad3941dce4dacae1f281f0033aa98dfc96dcbc4d923539e43d5c3476d2dfacdb597b61591dcbf6e

Download Submit
C:\dlldhcp\pb9Gu3tG7NmOc5Gajm8xMQsWHj1XvE.vbe

MD5
99eb5a92e1d4538b512963280319e437

SHA1
76bc222143c744c72e93993336824b176c6274e5

SHA256
0284b07335fb6b1bd283621dfaa3438d59627bf21ece7126f94ae900cdf1cc6b

SHA512
5ca744d59de1aa91fbbfd3282f35bbe08517ca53b9004a3f5383886af8dfcb819a416bd1d607ae53252b3674ebd23ad49e5f45f5944510d732834fd90adf243d

Download Submit
C:\dlldhcp\reviewcommon.exe

MD5
129acac9f415647ea9aa17b970f25391

SHA1
9576592f52c4ddf4a3922077832ad9c2f70e86de

SHA256
71b5b9ac7fa718a9ec2a41b5a8642761da9d7689a313b8bc89c12f72851f59a7

SHA512
7ec888cff71193ffe61be3aee7c5e484e5491c04dd8c4413d4aec64b2e83796e3f02289031615bc87237bc4c28087079120d5f16e4802294a77edd945bdc427b

Download Submit
C:\dlldhcp\reviewcommon.exe

MD5
129acac9f415647ea9aa17b970f25391

SHA1
9576592f52c4ddf4a3922077832ad9c2f70e86de

SHA256
71b5b9ac7fa718a9ec2a41b5a8642761da9d7689a313b8bc89c12f72851f59a7

SHA512
7ec888cff71193ffe61be3aee7c5e484e5491c04dd8c4413d4aec64b2e83796e3f02289031615bc87237bc4c28087079120d5f16e4802294a77edd945bdc427b

Download Submit
\dlldhcp\TvyV4sMJtQ2q43rckgWS.exe

MD5
e957674018efb1b736acbffb8ed03960

SHA1
2dd39dbed238087764f4fc716f93d289dfe6d140

SHA256
b7b622503d442c422d585761daf056f2becd9d5e73f4c1b83635e4b4643bbfba

SHA512
591ab7a2aafecb89622510044062091f98cac906d29870196ad3941dce4dacae1f281f0033aa98dfc96dcbc4d923539e43d5c3476d2dfacdb597b61591dcbf6e

Download Submit
\dlldhcp\reviewcommon.exe

MD5
129acac9f415647ea9aa17b970f25391

SHA1
9576592f52c4ddf4a3922077832ad9c2f70e86de

SHA256
71b5b9ac7fa718a9ec2a41b5a8642761da9d7689a313b8bc89c12f72851f59a7

SHA512
7ec888cff71193ffe61be3aee7c5e484e5491c04dd8c4413d4aec64b2e83796e3f02289031615bc87237bc4c28087079120d5f16e4802294a77edd945bdc427b

Download Submit
memory/992-29-0x000000001B490000-0x000000001B492000-memory.dmp

Filesize
8KB

Download
memory/992-23-0x0000000000000000-mapping.dmp

Download
memory/992-26-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/992-27-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/1160-30-0x0000000000000000-mapping.dmp

Download
memory/1428-31-0x0000000000000000-mapping.dmp

Download
memory/1520-3-0x0000000000000000-mapping.dmp

Download
memory/1520-8-0x0000000002750000-0x0000000002754000-memory.dmp

Filesize
16KB

Download
memory/1580-32-0x0000000000000000-mapping.dmp

Download
memory/1720-11-0x0000000000000000-mapping.dmp

Download
memory/1720-14-0x00000000024A0000-0x00000000025A1000-memory.dmp

Filesize
1.0MB

Download
memory/1736-34-0x0000000000000000-mapping.dmp

Download
memory/1736-37-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/1736-38-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1736-40-0x000000001B1C0000-0x000000001B1C2000-memory.dmp

Filesize
8KB

Download
memory/1764-21-0x0000000002560000-0x0000000002564000-memory.dmp

Filesize
16KB

Download
memory/1764-16-0x0000000000000000-mapping.dmp

Download
memory/1816-33-0x0000000000000000-mapping.dmp

Download
memory/1908-2-0x0000000076271000-0x0000000076273000-memory.dmp

Filesize
8KB

Download
memory/1928-20-0x0000000000000000-mapping.dmp

Download
memory/1960-7-0x0000000000000000-mapping.dmp

Download