dcrat | 1840872e8117b0efa252bc324ae2944d5c5b9242c928e3a568ccde06354eec35

Analysis

max time kernel
143s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
04-02-2021 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4yQyNsXLvwdE7h0o12Rg.exe
Size

684KB
MD5

5786034e260eabfd710772bcfa97bc95
SHA1

a5699e485d73471ecc45da327976aa6d2d2ac2cc
SHA256

1840872e8117b0efa252bc324ae2944d5c5b9242c928e3a568ccde06354eec35
SHA512

a4ce8ffb2e3d4d3104900ba68184d92cfe94f0e7cf4ee8834eec7838769e7e0775b964c09010b9f047c70012adb1850cefcb385c7a7f7c7ad735e7fa82c0f070

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DC Rat Payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\dlldhcp\reviewcommon.exe	dcrat
C:\dlldhcp\reviewcommon.exe	dcrat
C:\PerfLogs\smss.exe	dcrat
C:\PerfLogs\smss.exe	dcrat

Executes dropped EXE 3 IoCs

Processes:

TvyV4sMJtQ2q43rckgWS.exereviewcommon.exesmss.exe

pid process

3412 TvyV4sMJtQ2q43rckgWS.exe
1324 reviewcommon.exe
212 smss.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3412	TvyV4sMJtQ2q43rckgWS.exe
1324	reviewcommon.exe
212	smss.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reviewcommon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	reviewcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PerfLogs\\smss.exe\""	reviewcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Documents and Settings\\Idle.exe\""	reviewcommon.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ipinfo.io
14 ipinfo.io
Drops file in Windows directory 1 IoCs

Processes:

reviewcommon.exe

description ioc process

File created C:\Windows\Speech\Common\en-US\lsass.exe reviewcommon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3024 schtasks.exe
976 schtasks.exe
3724 schtasks.exe

flow	ioc
13	ipinfo.io
14	ipinfo.io

description	ioc	process
File created	C:\Windows\Speech\Common\en-US\lsass.exe	reviewcommon.exe

pid	process
3024	schtasks.exe
976	schtasks.exe
3724	schtasks.exe

Modifies registry class 2 IoCs

Processes:

4yQyNsXLvwdE7h0o12Rg.exeTvyV4sMJtQ2q43rckgWS.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	4yQyNsXLvwdE7h0o12Rg.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	TvyV4sMJtQ2q43rckgWS.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

reviewcommon.exesmss.exe

pid process

1324 reviewcommon.exe
212 smss.exe
212 smss.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

smss.exe

pid process

212 smss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

reviewcommon.exesmss.exe

description pid process

Token: SeDebugPrivilege 1324 reviewcommon.exe
Token: SeDebugPrivilege 212 smss.exe

pid	process
1324	reviewcommon.exe
212	smss.exe
212	smss.exe

pid	process
212	smss.exe

description	pid	process
Token: SeDebugPrivilege	1324	reviewcommon.exe
Token: SeDebugPrivilege	212	smss.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

4yQyNsXLvwdE7h0o12Rg.exeWScript.execmd.exeTvyV4sMJtQ2q43rckgWS.exeWScript.execmd.exereviewcommon.exe

description	pid	process	target process
PID 812 wrote to memory of 3196	812	4yQyNsXLvwdE7h0o12Rg.exe	WScript.exe
PID 812 wrote to memory of 3196	812	4yQyNsXLvwdE7h0o12Rg.exe	WScript.exe
PID 812 wrote to memory of 3196	812	4yQyNsXLvwdE7h0o12Rg.exe	WScript.exe
PID 3196 wrote to memory of 2924	3196	WScript.exe	cmd.exe
PID 3196 wrote to memory of 2924	3196	WScript.exe	cmd.exe
PID 3196 wrote to memory of 2924	3196	WScript.exe	cmd.exe
PID 2924 wrote to memory of 3412	2924	cmd.exe	TvyV4sMJtQ2q43rckgWS.exe
PID 2924 wrote to memory of 3412	2924	cmd.exe	TvyV4sMJtQ2q43rckgWS.exe
PID 2924 wrote to memory of 3412	2924	cmd.exe	TvyV4sMJtQ2q43rckgWS.exe
PID 3412 wrote to memory of 2392	3412	TvyV4sMJtQ2q43rckgWS.exe	WScript.exe
PID 3412 wrote to memory of 2392	3412	TvyV4sMJtQ2q43rckgWS.exe	WScript.exe
PID 3412 wrote to memory of 2392	3412	TvyV4sMJtQ2q43rckgWS.exe	WScript.exe
PID 2392 wrote to memory of 2716	2392	WScript.exe	cmd.exe
PID 2392 wrote to memory of 2716	2392	WScript.exe	cmd.exe
PID 2392 wrote to memory of 2716	2392	WScript.exe	cmd.exe
PID 2716 wrote to memory of 1324	2716	cmd.exe	reviewcommon.exe
PID 2716 wrote to memory of 1324	2716	cmd.exe	reviewcommon.exe
PID 1324 wrote to memory of 976	1324	reviewcommon.exe	schtasks.exe
PID 1324 wrote to memory of 976	1324	reviewcommon.exe	schtasks.exe
PID 1324 wrote to memory of 3724	1324	reviewcommon.exe	schtasks.exe
PID 1324 wrote to memory of 3724	1324	reviewcommon.exe	schtasks.exe
PID 1324 wrote to memory of 3024	1324	reviewcommon.exe	schtasks.exe
PID 1324 wrote to memory of 3024	1324	reviewcommon.exe	schtasks.exe
PID 1324 wrote to memory of 212	1324	reviewcommon.exe	smss.exe
PID 1324 wrote to memory of 212	1324	reviewcommon.exe	smss.exe

C:\Users\Admin\AppData\Local\Temp\4yQyNsXLvwdE7h0o12Rg.exe
"C:\Users\Admin\AppData\Local\Temp\4yQyNsXLvwdE7h0o12Rg.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\dlldhcp\pb9Gu3tG7NmOc5Gajm8xMQsWHj1XvE.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\dlldhcp\Ovv4WrUEEOrKRGuaUIBYpelkPalQwD.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\dlldhcp\TvyV4sMJtQ2q43rckgWS.exe
      TvyV4sMJtQ2q43rckgWS.exe -p55ff48c21c9494a5d9e8edfacff40e98a5e08b85
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\dlldhcp\06OXEbc57sIIel2pT7VSFVSjXXmfRt.vbe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\dlldhcp\M2pBQ8CVzpBi7EtxSagzVS7Rsq03Qh.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\dlldhcp\reviewcommon.exe
        
        "C:\dlldhcp\reviewcommon.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:3724
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:3024
        
        C:\PerfLogs\smss.exe
        
        "C:\PerfLogs\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\smss.exe

MD5
129acac9f415647ea9aa17b970f25391

SHA1
9576592f52c4ddf4a3922077832ad9c2f70e86de

SHA256
71b5b9ac7fa718a9ec2a41b5a8642761da9d7689a313b8bc89c12f72851f59a7

SHA512
7ec888cff71193ffe61be3aee7c5e484e5491c04dd8c4413d4aec64b2e83796e3f02289031615bc87237bc4c28087079120d5f16e4802294a77edd945bdc427b

Download Submit
C:\PerfLogs\smss.exe

MD5
129acac9f415647ea9aa17b970f25391

SHA1
9576592f52c4ddf4a3922077832ad9c2f70e86de

SHA256
71b5b9ac7fa718a9ec2a41b5a8642761da9d7689a313b8bc89c12f72851f59a7

SHA512
7ec888cff71193ffe61be3aee7c5e484e5491c04dd8c4413d4aec64b2e83796e3f02289031615bc87237bc4c28087079120d5f16e4802294a77edd945bdc427b

Download Submit
C:\dlldhcp\06OXEbc57sIIel2pT7VSFVSjXXmfRt.vbe

MD5
210951648be0af442e992c0c244881d2

SHA1
5a1f973643464b8c25ea0baacf24c1be63a0fc35

SHA256
84c461efb89569ac83256e91419a7e433cf3dd114d7bbcdca3d043c5e3a3a6df

SHA512
591792d2b0a9e8483071c35956b2189ebfb11f754f9f917a8a9626a11d176ef12880f84741a1a81c094ad2202f1187d917832266ebb474910f9d76a153b28807

Download Submit
C:\dlldhcp\M2pBQ8CVzpBi7EtxSagzVS7Rsq03Qh.bat

MD5
5895d60ccfece992e7ba54e9c612c6b7

SHA1
4ad6068c24eea84ecf8096c5710d1c7823e97d7c

SHA256
8274d8a146527cd6887201bcf8b0444abf859e5a53485c2325e07f064ed09562

SHA512
894fa23cd7bb76bc0e54493d5f5f24cc88d9002e41901e68da2c211b628897aa0242bc17995f264518ce4140925163879265160b921d7b445a815c85625d6b91

Download Submit
C:\dlldhcp\Ovv4WrUEEOrKRGuaUIBYpelkPalQwD.bat

MD5
47bd37706cba75d92e38e8a92c3f677c

SHA1
c4dc06ca75cfce3672294c0fb658637679b890af

SHA256
204e3297bbd72d9c4c21e0aa94c563f0ae310f7116fd0dfc5095c0acea994f2f

SHA512
a14079075318a6695677da9e4a670fb9a982673a27be346a9453551861e68259216fb96d1295e3be61d977ee3868e7b23669ad5a90488e2c9f00503ecdda9a70

Download Submit
C:\dlldhcp\TvyV4sMJtQ2q43rckgWS.exe

MD5
e957674018efb1b736acbffb8ed03960

SHA1
2dd39dbed238087764f4fc716f93d289dfe6d140

SHA256
b7b622503d442c422d585761daf056f2becd9d5e73f4c1b83635e4b4643bbfba

SHA512
591ab7a2aafecb89622510044062091f98cac906d29870196ad3941dce4dacae1f281f0033aa98dfc96dcbc4d923539e43d5c3476d2dfacdb597b61591dcbf6e

Download Submit
C:\dlldhcp\TvyV4sMJtQ2q43rckgWS.exe

MD5
e957674018efb1b736acbffb8ed03960

SHA1
2dd39dbed238087764f4fc716f93d289dfe6d140

SHA256
b7b622503d442c422d585761daf056f2becd9d5e73f4c1b83635e4b4643bbfba

SHA512
591ab7a2aafecb89622510044062091f98cac906d29870196ad3941dce4dacae1f281f0033aa98dfc96dcbc4d923539e43d5c3476d2dfacdb597b61591dcbf6e

Download Submit
C:\dlldhcp\pb9Gu3tG7NmOc5Gajm8xMQsWHj1XvE.vbe

MD5
99eb5a92e1d4538b512963280319e437

SHA1
76bc222143c744c72e93993336824b176c6274e5

SHA256
0284b07335fb6b1bd283621dfaa3438d59627bf21ece7126f94ae900cdf1cc6b

SHA512
5ca744d59de1aa91fbbfd3282f35bbe08517ca53b9004a3f5383886af8dfcb819a416bd1d607ae53252b3674ebd23ad49e5f45f5944510d732834fd90adf243d

Download Submit
C:\dlldhcp\reviewcommon.exe

MD5
129acac9f415647ea9aa17b970f25391

SHA1
9576592f52c4ddf4a3922077832ad9c2f70e86de

SHA256
71b5b9ac7fa718a9ec2a41b5a8642761da9d7689a313b8bc89c12f72851f59a7

SHA512
7ec888cff71193ffe61be3aee7c5e484e5491c04dd8c4413d4aec64b2e83796e3f02289031615bc87237bc4c28087079120d5f16e4802294a77edd945bdc427b

Download Submit
C:\dlldhcp\reviewcommon.exe

MD5
129acac9f415647ea9aa17b970f25391

SHA1
9576592f52c4ddf4a3922077832ad9c2f70e86de

SHA256
71b5b9ac7fa718a9ec2a41b5a8642761da9d7689a313b8bc89c12f72851f59a7

SHA512
7ec888cff71193ffe61be3aee7c5e484e5491c04dd8c4413d4aec64b2e83796e3f02289031615bc87237bc4c28087079120d5f16e4802294a77edd945bdc427b

Download Submit
memory/212-24-0x0000000000000000-mapping.dmp

Download
memory/212-32-0x0000015C31E03000-0x0000015C31E04000-memory.dmp

Filesize
4KB

Download
memory/212-31-0x0000015C171E0000-0x0000015C171E1000-memory.dmp

Filesize
4KB

Download
memory/212-30-0x0000015C31E02000-0x0000015C31E03000-memory.dmp

Filesize
4KB

Download
memory/212-27-0x00007FFB84BD0000-0x00007FFB855BC000-memory.dmp

Filesize
9.9MB

Download
memory/976-21-0x0000000000000000-mapping.dmp

Download
memory/1324-20-0x0000029B738F0000-0x0000029B738F2000-memory.dmp

Filesize
8KB

Download
memory/1324-18-0x0000029B71AF0000-0x0000029B71AF1000-memory.dmp

Filesize
4KB

Download
memory/1324-17-0x00007FFB84BD0000-0x00007FFB855BC000-memory.dmp

Filesize
9.9MB

Download
memory/1324-14-0x0000000000000000-mapping.dmp

Download
memory/2392-10-0x0000000000000000-mapping.dmp

Download
memory/2716-13-0x0000000000000000-mapping.dmp

Download
memory/2924-6-0x0000000000000000-mapping.dmp

Download
memory/3024-23-0x0000000000000000-mapping.dmp

Download
memory/3196-3-0x0000000000000000-mapping.dmp

Download
memory/3412-7-0x0000000000000000-mapping.dmp

Download
memory/3724-22-0x0000000000000000-mapping.dmp

Download