dcrat | 75739212f39d025329e1c4594f8e2b5be07402bef199b342b459d88bfeaf88cb

General

Target

Loader.exe
Size

1.7MB
MD5

e44153fbc8eb2869e5eed232cf084427
SHA1

844d785dc829228f34bd4c77c27ce6a87766f287
SHA256

75739212f39d025329e1c4594f8e2b5be07402bef199b342b459d88bfeaf88cb
SHA512

0034dc469c601cb8688241dcfb4afc36761d536d4d252f58083105afc97b9c460f39764cf142cd03f71b008c3391c28fd4585b58502a31919f8735b25692097c

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/3876-143-0x000000001B210000-0x000000001B212000-memory.dmp	disable_win_def

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

DCRat Payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\DriverBrokernet\DriverBrokernetRuntimebroker.exe	dcrat
C:\DriverBrokernet\DriverBrokernetRuntimebroker.exe	dcrat
C:\Windows\System32\certmgr\SppExtComObj.exe	dcrat
C:\Windows\System32\certmgr\SppExtComObj.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

DriverBrokernetRuntimebroker.exeSppExtComObj.exe

pid process

2192 DriverBrokernetRuntimebroker.exe
3876 SppExtComObj.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com

flow	ioc
16	ip-api.com

Drops file in System32 directory 6 IoCs

Processes:

DriverBrokernetRuntimebroker.exe

description	ioc	process
File created	C:\Windows\System32\SCardDlg\5b884080fd4f94e2695da25c503f9e33b9605b83	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\System32\certmgr\SppExtComObj.exe	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\System32\certmgr\e1ef82546f0b02b7e974f28047f3788b1128cce1	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\System32\kerberos\lsass.exe	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\System32\kerberos\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\System32\SCardDlg\fontdrvhost.exe	DriverBrokernetRuntimebroker.exe

Drops file in Program Files directory 3 IoCs

Processes:

DriverBrokernetRuntimebroker.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix\OfficeClickToRun.exe	DriverBrokernetRuntimebroker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix\OfficeClickToRun.exe	DriverBrokernetRuntimebroker.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix\e6c9b481da804f07baff8eff543b0a1441069b5d	DriverBrokernetRuntimebroker.exe

Drops file in Windows directory 2 IoCs

Processes:

DriverBrokernetRuntimebroker.exe

description	ioc	process
File created	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.DoNotDisturb\SearchUI.exe	DriverBrokernetRuntimebroker.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.DoNotDisturb\dab4d89cac03ec27dbe47b361df763dc3f848f6c	DriverBrokernetRuntimebroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2068 schtasks.exe
3920 schtasks.exe
744 schtasks.exe
3308 schtasks.exe
2988 schtasks.exe
2844 schtasks.exe
Modifies registry class 1 IoCs

Processes:

Loader.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Loader.exe

pid	process
2068	schtasks.exe
3920	schtasks.exe
744	schtasks.exe
3308	schtasks.exe
2988	schtasks.exe
2844	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Loader.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

DriverBrokernetRuntimebroker.exeSppExtComObj.exepowershell.exe

pid	process
2192	DriverBrokernetRuntimebroker.exe
2192	DriverBrokernetRuntimebroker.exe
2192	DriverBrokernetRuntimebroker.exe
2192	DriverBrokernetRuntimebroker.exe
2192	DriverBrokernetRuntimebroker.exe
3876	SppExtComObj.exe
3876	SppExtComObj.exe
3876	SppExtComObj.exe
3876	SppExtComObj.exe
3884	powershell.exe
3884	powershell.exe
3884	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

DriverBrokernetRuntimebroker.exeSppExtComObj.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2192	DriverBrokernetRuntimebroker.exe
Token: SeDebugPrivilege	3876	SppExtComObj.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeIncreaseQuotaPrivilege	3884	powershell.exe
Token: SeSecurityPrivilege	3884	powershell.exe
Token: SeTakeOwnershipPrivilege	3884	powershell.exe
Token: SeLoadDriverPrivilege	3884	powershell.exe
Token: SeSystemProfilePrivilege	3884	powershell.exe
Token: SeSystemtimePrivilege	3884	powershell.exe
Token: SeProfSingleProcessPrivilege	3884	powershell.exe
Token: SeIncBasePriorityPrivilege	3884	powershell.exe
Token: SeCreatePagefilePrivilege	3884	powershell.exe
Token: SeBackupPrivilege	3884	powershell.exe
Token: SeRestorePrivilege	3884	powershell.exe
Token: SeShutdownPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeSystemEnvironmentPrivilege	3884	powershell.exe
Token: SeRemoteShutdownPrivilege	3884	powershell.exe
Token: SeUndockPrivilege	3884	powershell.exe
Token: SeManageVolumePrivilege	3884	powershell.exe
Token: 33	3884	powershell.exe
Token: 34	3884	powershell.exe
Token: 35	3884	powershell.exe
Token: 36	3884	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SppExtComObj.exe

pid process

3876 SppExtComObj.exe

pid	process
3876	SppExtComObj.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Loader.exeWScript.execmd.exeDriverBrokernetRuntimebroker.exeSppExtComObj.exe

description	pid	process	target process
PID 808 wrote to memory of 3012	808	Loader.exe	WScript.exe
PID 808 wrote to memory of 3012	808	Loader.exe	WScript.exe
PID 808 wrote to memory of 3012	808	Loader.exe	WScript.exe
PID 3012 wrote to memory of 3592	3012	WScript.exe	cmd.exe
PID 3012 wrote to memory of 3592	3012	WScript.exe	cmd.exe
PID 3012 wrote to memory of 3592	3012	WScript.exe	cmd.exe
PID 3592 wrote to memory of 2192	3592	cmd.exe	DriverBrokernetRuntimebroker.exe
PID 3592 wrote to memory of 2192	3592	cmd.exe	DriverBrokernetRuntimebroker.exe
PID 2192 wrote to memory of 2068	2192	DriverBrokernetRuntimebroker.exe	schtasks.exe
PID 2192 wrote to memory of 2068	2192	DriverBrokernetRuntimebroker.exe	schtasks.exe
PID 2192 wrote to memory of 3920	2192	DriverBrokernetRuntimebroker.exe	schtasks.exe
PID 2192 wrote to memory of 3920	2192	DriverBrokernetRuntimebroker.exe	schtasks.exe
PID 2192 wrote to memory of 744	2192	DriverBrokernetRuntimebroker.exe	schtasks.exe
PID 2192 wrote to memory of 744	2192	DriverBrokernetRuntimebroker.exe	schtasks.exe
PID 2192 wrote to memory of 3308	2192	DriverBrokernetRuntimebroker.exe	schtasks.exe
PID 2192 wrote to memory of 3308	2192	DriverBrokernetRuntimebroker.exe	schtasks.exe
PID 2192 wrote to memory of 2988	2192	DriverBrokernetRuntimebroker.exe	schtasks.exe
PID 2192 wrote to memory of 2988	2192	DriverBrokernetRuntimebroker.exe	schtasks.exe
PID 2192 wrote to memory of 2844	2192	DriverBrokernetRuntimebroker.exe	schtasks.exe
PID 2192 wrote to memory of 2844	2192	DriverBrokernetRuntimebroker.exe	schtasks.exe
PID 2192 wrote to memory of 3876	2192	DriverBrokernetRuntimebroker.exe	SppExtComObj.exe
PID 2192 wrote to memory of 3876	2192	DriverBrokernetRuntimebroker.exe	SppExtComObj.exe
PID 3876 wrote to memory of 3884	3876	SppExtComObj.exe	powershell.exe
PID 3876 wrote to memory of 3884	3876	SppExtComObj.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\DriverBrokernet\aoCeVNmnVor99WaOvkXEcZja.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\DriverBrokernet\dBjdNa8xoJk64QTlSRKrFKa0.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\DriverBrokernet\DriverBrokernetRuntimebroker.exe
"C:\DriverBrokernet\DriverBrokernetRuntimebroker.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\msix\OfficeClickToRun.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2068

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.DoNotDisturb\SearchUI.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3920

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\certmgr\SppExtComObj.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:744

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\kerberos\lsass.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3308

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "DriverBrokernetRuntimebroker" /sc ONLOGON /tr "'C:\DriverBrokernet\dBjdNa8xoJk64QTlSRKrFKa0\DriverBrokernetRuntimebroker.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2988

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\SCardDlg\fontdrvhost.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2844

C:\Windows\System32\certmgr\SppExtComObj.exe
"C:\Windows\System32\certmgr\SppExtComObj.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DriverBrokernet\DriverBrokernetRuntimebroker.exe
MD5
15be1eb0d4719cd58fd3f16d317a20b8

SHA1
b3472127ebd76e84bb9c6b5378d8e3eed3e185b6

SHA256
66d238bcbe6f39b7b1e04647586e9579ff6fe6464d93125497712e2475fc0440

SHA512
510ae3cb787abade3c6bc482c0548d31f917c9e5daca50af301564c0337dd140b28cdd6d4d38429c7f11ee1b907522764d3acbba3f2886977569704a5ea371ef

Download Submit
C:\DriverBrokernet\DriverBrokernetRuntimebroker.exe
MD5
15be1eb0d4719cd58fd3f16d317a20b8

SHA1
b3472127ebd76e84bb9c6b5378d8e3eed3e185b6

SHA256
66d238bcbe6f39b7b1e04647586e9579ff6fe6464d93125497712e2475fc0440

SHA512
510ae3cb787abade3c6bc482c0548d31f917c9e5daca50af301564c0337dd140b28cdd6d4d38429c7f11ee1b907522764d3acbba3f2886977569704a5ea371ef

Download Submit
C:\DriverBrokernet\aoCeVNmnVor99WaOvkXEcZja.vbe
MD5
6cc4ceb41085c33ef8eebc512aa98c39

SHA1
7c98a216f9e45037190c2dc20d31502ce830da99

SHA256
a6e78170664f644ddfe80fc6776b13085f990e3e8510ad75205b766030ab19ab

SHA512
76676ccaf93326b90cfde58608923f4133e3b04c71c0a291ca750f78c93dbcc1e7407a25d0745f0caab65c3f2a607d334384351c35f4e5233038b77b485a41c6

Download Submit
C:\DriverBrokernet\dBjdNa8xoJk64QTlSRKrFKa0.bat
MD5
9fc130358cbf74db03aabeeb7854ca6b

SHA1
5e79ca69d45ac96fa3bd23101818c9ce90fb34d8

SHA256
f0e804116bea05f1b89307a228254beab807b53df9f1dd6fae4ce9a360bc2982

SHA512
7d3337304742fa579eef8520439e3f2e516674bde638a2c0ad8c0345f8e4cd1ac2e1aadf69fa3c75f1676adccbd3900d15c6330e5ce71ea44f6de93cf26fef6c

Download Submit
C:\Windows\System32\certmgr\SppExtComObj.exe
MD5
15be1eb0d4719cd58fd3f16d317a20b8

SHA1
b3472127ebd76e84bb9c6b5378d8e3eed3e185b6

SHA256
66d238bcbe6f39b7b1e04647586e9579ff6fe6464d93125497712e2475fc0440

SHA512
510ae3cb787abade3c6bc482c0548d31f917c9e5daca50af301564c0337dd140b28cdd6d4d38429c7f11ee1b907522764d3acbba3f2886977569704a5ea371ef

Download Submit
C:\Windows\System32\certmgr\SppExtComObj.exe
MD5
15be1eb0d4719cd58fd3f16d317a20b8

SHA1
b3472127ebd76e84bb9c6b5378d8e3eed3e185b6

SHA256
66d238bcbe6f39b7b1e04647586e9579ff6fe6464d93125497712e2475fc0440

SHA512
510ae3cb787abade3c6bc482c0548d31f917c9e5daca50af301564c0337dd140b28cdd6d4d38429c7f11ee1b907522764d3acbba3f2886977569704a5ea371ef

Download Submit
memory/744-128-0x0000000000000000-mapping.dmp

Download
memory/2068-126-0x0000000000000000-mapping.dmp

Download
memory/2192-125-0x0000000000920000-0x0000000000922000-memory.dmp

Filesize
8KB

Download
memory/2192-123-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2192-120-0x0000000000000000-mapping.dmp

Download
memory/2844-131-0x0000000000000000-mapping.dmp

Download
memory/2988-130-0x0000000000000000-mapping.dmp

Download
memory/3012-116-0x0000000000000000-mapping.dmp

Download
memory/3308-129-0x0000000000000000-mapping.dmp

Download
memory/3592-119-0x0000000000000000-mapping.dmp

Download
memory/3876-149-0x000000001B8F0000-0x000000001B8F2000-memory.dmp

Filesize
8KB

Download
memory/3876-144-0x000000001B270000-0x000000001B274000-memory.dmp

Filesize
16KB

Download
memory/3876-137-0x000000001B220000-0x000000001B222000-memory.dmp

Filesize
8KB

Download
memory/3876-138-0x0000000002790000-0x0000000002796000-memory.dmp

Filesize
24KB

Download
memory/3876-139-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/3876-140-0x00000000027B0000-0x00000000027B7000-memory.dmp

Filesize
28KB

Download
memory/3876-141-0x00000000027C0000-0x00000000027C7000-memory.dmp

Filesize
28KB

Download
memory/3876-142-0x0000000002780000-0x0000000002786000-memory.dmp

Filesize
24KB

Download
memory/3876-143-0x000000001B210000-0x000000001B212000-memory.dmp

Filesize
8KB

Download
memory/3876-161-0x000000001B222000-0x000000001B224000-memory.dmp

Filesize
8KB

Download
memory/3876-145-0x000000001B280000-0x000000001B287000-memory.dmp

Filesize
28KB

Download
memory/3876-132-0x0000000000000000-mapping.dmp

Download
memory/3876-147-0x000000001B290000-0x000000001B292000-memory.dmp

Filesize
8KB

Download
memory/3876-148-0x000000001B8E0000-0x000000001B8E2000-memory.dmp

Filesize
8KB

Download
memory/3876-164-0x000000001B225000-0x000000001B227000-memory.dmp

Filesize
8KB

Download
memory/3876-150-0x000000001D040000-0x000000001D041000-memory.dmp

Filesize
4KB

Download
memory/3876-162-0x000000001B224000-0x000000001B225000-memory.dmp

Filesize
4KB

Download
memory/3884-146-0x0000000000000000-mapping.dmp

Download
memory/3884-158-0x00000274E77B0000-0x00000274E77B1000-memory.dmp

Filesize
4KB

Download
memory/3884-155-0x00000274E74B0000-0x00000274E74B1000-memory.dmp

Filesize
4KB

Download
memory/3884-163-0x00000274E7520000-0x00000274E7522000-memory.dmp

Filesize
8KB

Download
memory/3884-165-0x00000274E7523000-0x00000274E7525000-memory.dmp

Filesize
8KB

Download
memory/3884-186-0x00000274E7526000-0x00000274E7528000-memory.dmp

Filesize
8KB

Download
memory/3920-127-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads