dcrat | a7629346a7228cd9b9d1db57a2d25c12c87506db851f43dd99fcb5e8f0e520ec

General

Target

787F845B904FD7FC0F36F5CCAB9691C0.exe
Size

1.5MB
MD5

787f845b904fd7fc0f36f5ccab9691c0
SHA1

d25cd2bf2986862d7c4d5923a144b5c6d11690ac
SHA256

a7629346a7228cd9b9d1db57a2d25c12c87506db851f43dd99fcb5e8f0e520ec
SHA512

05ab7acb67cd7852620a4e835ebaadbe1b709c01dd025e701be7ec04c63abc4b8e045f50911c6aa0f7253c3b1349a0174f08fd0f54b5d0fed9524c719c6135d3

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1656-86-0x0000000000430000-0x0000000000432000-memory.dmp	disable_win_def

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat Payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe	dcrat
C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe	dcrat
\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe	dcrat
C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe	dcrat
C:\PerfLogs\Admin\winlogon.exe	dcrat
C:\PerfLogs\Admin\winlogon.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

savesRefRuntimebrokersvcwinIntoruntime.exewinlogon.exe

pid process

268 savesRefRuntimebrokersvcwinIntoruntime.exe
1656 winlogon.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1316 cmd.exe
1316 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ipinfo.io
8 ipinfo.io

pid	process
268	savesRefRuntimebrokersvcwinIntoruntime.exe
1656	winlogon.exe

pid	process
1316	cmd.exe
1316	cmd.exe

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in System32 directory 5 IoCs

Processes:

savesRefRuntimebrokersvcwinIntoruntime.exe

description	ioc	process
File opened for modification	C:\Windows\System32\gpprefcl\dwm.exe	savesRefRuntimebrokersvcwinIntoruntime.exe
File created	C:\Windows\System32\gpprefcl\6cb0b6c459d5d3455a3da700e713f2e2529862ff	savesRefRuntimebrokersvcwinIntoruntime.exe
File created	C:\Windows\System32\wbem\portabledeviceapi\WMIADAP.exe	savesRefRuntimebrokersvcwinIntoruntime.exe
File created	C:\Windows\System32\wbem\portabledeviceapi\75a57c1bdf437c0c81ad56e81f43c7323ed35745	savesRefRuntimebrokersvcwinIntoruntime.exe
File created	C:\Windows\System32\gpprefcl\dwm.exe	savesRefRuntimebrokersvcwinIntoruntime.exe

Drops file in Program Files directory 2 IoCs

Processes:

savesRefRuntimebrokersvcwinIntoruntime.exe

description	ioc	process
File created	C:\Program Files\Google\conhost.exe	savesRefRuntimebrokersvcwinIntoruntime.exe
File created	C:\Program Files\Google\088424020bedd6b28ac7fd22ee35dcd7322895ce	savesRefRuntimebrokersvcwinIntoruntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1660 schtasks.exe
1888 schtasks.exe
1456 schtasks.exe
932 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

savesRefRuntimebrokersvcwinIntoruntime.exewinlogon.exe

pid process

268 savesRefRuntimebrokersvcwinIntoruntime.exe
1656 winlogon.exe
1656 winlogon.exe
1656 winlogon.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winlogon.exe

pid process

1656 winlogon.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

savesRefRuntimebrokersvcwinIntoruntime.exewinlogon.exe

description pid process

Token: SeDebugPrivilege 268 savesRefRuntimebrokersvcwinIntoruntime.exe
Token: SeDebugPrivilege 1656 winlogon.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

winlogon.exe

pid process

1656 winlogon.exe

pid	process
1660	schtasks.exe
1888	schtasks.exe
1456	schtasks.exe
932	schtasks.exe

pid	process
268	savesRefRuntimebrokersvcwinIntoruntime.exe
1656	winlogon.exe
1656	winlogon.exe
1656	winlogon.exe

pid	process
1656	winlogon.exe

description	pid	process
Token: SeDebugPrivilege	268	savesRefRuntimebrokersvcwinIntoruntime.exe
Token: SeDebugPrivilege	1656	winlogon.exe

pid	process
1656	winlogon.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

787F845B904FD7FC0F36F5CCAB9691C0.exeWScript.execmd.exesavesRefRuntimebrokersvcwinIntoruntime.exe

description	pid	process	target process
PID 1732 wrote to memory of 1800	1732	787F845B904FD7FC0F36F5CCAB9691C0.exe	WScript.exe
PID 1732 wrote to memory of 1800	1732	787F845B904FD7FC0F36F5CCAB9691C0.exe	WScript.exe
PID 1732 wrote to memory of 1800	1732	787F845B904FD7FC0F36F5CCAB9691C0.exe	WScript.exe
PID 1732 wrote to memory of 1800	1732	787F845B904FD7FC0F36F5CCAB9691C0.exe	WScript.exe
PID 1800 wrote to memory of 1316	1800	WScript.exe	cmd.exe
PID 1800 wrote to memory of 1316	1800	WScript.exe	cmd.exe
PID 1800 wrote to memory of 1316	1800	WScript.exe	cmd.exe
PID 1800 wrote to memory of 1316	1800	WScript.exe	cmd.exe
PID 1316 wrote to memory of 268	1316	cmd.exe	savesRefRuntimebrokersvcwinIntoruntime.exe
PID 1316 wrote to memory of 268	1316	cmd.exe	savesRefRuntimebrokersvcwinIntoruntime.exe
PID 1316 wrote to memory of 268	1316	cmd.exe	savesRefRuntimebrokersvcwinIntoruntime.exe
PID 1316 wrote to memory of 268	1316	cmd.exe	savesRefRuntimebrokersvcwinIntoruntime.exe
PID 268 wrote to memory of 1660	268	savesRefRuntimebrokersvcwinIntoruntime.exe	schtasks.exe
PID 268 wrote to memory of 1660	268	savesRefRuntimebrokersvcwinIntoruntime.exe	schtasks.exe
PID 268 wrote to memory of 1660	268	savesRefRuntimebrokersvcwinIntoruntime.exe	schtasks.exe
PID 268 wrote to memory of 1888	268	savesRefRuntimebrokersvcwinIntoruntime.exe	schtasks.exe
PID 268 wrote to memory of 1888	268	savesRefRuntimebrokersvcwinIntoruntime.exe	schtasks.exe
PID 268 wrote to memory of 1888	268	savesRefRuntimebrokersvcwinIntoruntime.exe	schtasks.exe
PID 268 wrote to memory of 1456	268	savesRefRuntimebrokersvcwinIntoruntime.exe	schtasks.exe
PID 268 wrote to memory of 1456	268	savesRefRuntimebrokersvcwinIntoruntime.exe	schtasks.exe
PID 268 wrote to memory of 1456	268	savesRefRuntimebrokersvcwinIntoruntime.exe	schtasks.exe
PID 268 wrote to memory of 932	268	savesRefRuntimebrokersvcwinIntoruntime.exe	schtasks.exe
PID 268 wrote to memory of 932	268	savesRefRuntimebrokersvcwinIntoruntime.exe	schtasks.exe
PID 268 wrote to memory of 932	268	savesRefRuntimebrokersvcwinIntoruntime.exe	schtasks.exe
PID 268 wrote to memory of 1656	268	savesRefRuntimebrokersvcwinIntoruntime.exe	winlogon.exe
PID 268 wrote to memory of 1656	268	savesRefRuntimebrokersvcwinIntoruntime.exe	winlogon.exe
PID 268 wrote to memory of 1656	268	savesRefRuntimebrokersvcwinIntoruntime.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\787F845B904FD7FC0F36F5CCAB9691C0.exe
"C:\Users\Admin\AppData\Local\Temp\787F845B904FD7FC0F36F5CCAB9691C0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\savesRefRuntimebrokersvc\kyajHqpLZ.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\savesRefRuntimebrokersvc\rnYPsMDbrJvA9KRVcvnGqwI.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316

C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
"C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\gpprefcl\dwm.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\Admin\winlogon.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\portabledeviceapi\WMIADAP.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:932

C:\PerfLogs\Admin\winlogon.exe
"C:\PerfLogs\Admin\winlogon.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\winlogon.exe
MD5
ed0551481fa342d10d1513feaeaa07f1

SHA1
a7c1effe9f14d07d03d55285896d9ef1c8af62c6

SHA256
1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

SHA512
02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

Download Submit
C:\PerfLogs\Admin\winlogon.exe
MD5
ed0551481fa342d10d1513feaeaa07f1

SHA1
a7c1effe9f14d07d03d55285896d9ef1c8af62c6

SHA256
1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

SHA512
02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

Download Submit
C:\savesRefRuntimebrokersvc\kyajHqpLZ.vbe
MD5
77392f6900492949787a7d7967eb10b6

SHA1
84767159f4baadbf75043355e691877e75fcdf12

SHA256
2e5a321119df0fac677de8fc52c4ae82c87d64012ed1ef3c8ee39df96c2f5627

SHA512
8ce6af44fc77636d0e5d2719ebb82144ea47dfd4bb798c7519a1bdfab3bc3723f9531629deb0fba25f298c471705347502ab5a0c8198c1c16a213a0a7f970fa5

Download Submit
C:\savesRefRuntimebrokersvc\rnYPsMDbrJvA9KRVcvnGqwI.bat
MD5
3bb4b3b2af3807680dfa1867b0290279

SHA1
1c13ea22c5b7b084ff2562f2289c222ab0897e93

SHA256
799a39579ea7c43e5dc9dbfafc22d3e563fa8692c5bf97442bd788bda03d95d5

SHA512
eadd2cf766c4dce412e0f25f936bedd97fd71f031e52c0f09196571979211fd6d817fa2f4758e1677d4d9efa06b2dc0e9bcb838434eb19c0af2d8fafe983445b

Download Submit
C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
MD5
ed0551481fa342d10d1513feaeaa07f1

SHA1
a7c1effe9f14d07d03d55285896d9ef1c8af62c6

SHA256
1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

SHA512
02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

Download Submit
C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
MD5
ed0551481fa342d10d1513feaeaa07f1

SHA1
a7c1effe9f14d07d03d55285896d9ef1c8af62c6

SHA256
1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

SHA512
02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

Download Submit
\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
MD5
ed0551481fa342d10d1513feaeaa07f1

SHA1
a7c1effe9f14d07d03d55285896d9ef1c8af62c6

SHA256
1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

SHA512
02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

Download Submit
\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
MD5
ed0551481fa342d10d1513feaeaa07f1

SHA1
a7c1effe9f14d07d03d55285896d9ef1c8af62c6

SHA256
1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

SHA512
02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

Download Submit
memory/268-69-0x0000000000000000-mapping.dmp

Download
memory/268-71-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/268-73-0x000000001B090000-0x000000001B092000-memory.dmp

Filesize
8KB

Download
memory/932-77-0x0000000000000000-mapping.dmp

Download
memory/1316-65-0x0000000000000000-mapping.dmp

Download
memory/1456-76-0x0000000000000000-mapping.dmp

Download
memory/1656-86-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/1656-87-0x0000000000A20000-0x0000000000A24000-memory.dmp

Filesize
16KB

Download
memory/1656-78-0x0000000000000000-mapping.dmp

Download
memory/1656-91-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/1656-90-0x0000000000A50000-0x0000000000A52000-memory.dmp

Filesize
8KB

Download
memory/1656-81-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/1656-89-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/1656-85-0x0000000000420000-0x0000000000425000-memory.dmp

Filesize
20KB

Download
memory/1656-83-0x0000000000A80000-0x0000000000A82000-memory.dmp

Filesize
8KB

Download
memory/1656-88-0x0000000000A30000-0x0000000000A32000-memory.dmp

Filesize
8KB

Download
memory/1656-84-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/1660-74-0x0000000000000000-mapping.dmp

Download
memory/1732-60-0x0000000075971000-0x0000000075973000-memory.dmp

Filesize
8KB

Download
memory/1800-61-0x0000000000000000-mapping.dmp

Download
memory/1888-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads