dcrat | 67e68d1933e87f680f063203e7e243c33deba2dfdbcd2bb08e9205d3fff26fb8

Analysis

max time kernel
63s
max time network
100s
platform
windows7_x64
resource
win7v20210410
submitted
30-07-2021 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2222-main/Build.exe
Size

1.8MB
MD5

9886d20dd6f3d896861cc5f8ea0ca84b
SHA1

96ab3affa0279d5795a29f3e1ecae37546b8bb11
SHA256

56ec9503792bc40353a2f197bb3a6561325d66dfe914573a9fea9ccdedd98929
SHA512

02272f3a85b44fa8e6806356492109474c57c2d7da7f55cba4d93e4983162ed48582a73723d06689c9e89e87ba6ed8c30e409676669af0d8604d23288cfe8079

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Connections Rontime Broker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\iscsilog\\conhost.exe\", \"C:\\Recovery\\4537d782-9a0d-11eb-a52e-c2ebb310cb62\\WmiPrvSE.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\iscsilog\\conhost.exe\", \"C:\\Recovery\\4537d782-9a0d-11eb-a52e-c2ebb310cb62\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\dimsjob\\lsass.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\WmiPrvSE.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\iscsilog\\conhost.exe\""	Connections Rontime Broker.exe

DCRat Payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe	dcrat
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe	dcrat
\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe	dcrat
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe	dcrat
C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\WmiPrvSE.exe	dcrat
C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\WmiPrvSE.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

Connections Rontime Broker.exeWmiPrvSE.exe

pid process

1040 Connections Rontime Broker.exe
824 WmiPrvSE.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

268 cmd.exe
268 cmd.exe

pid	process
1040	Connections Rontime Broker.exe
824	WmiPrvSE.exe

pid	process
268	cmd.exe
268	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Connections Rontime Broker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\4537d782-9a0d-11eb-a52e-c2ebb310cb62\\WmiPrvSE.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\4537d782-9a0d-11eb-a52e-c2ebb310cb62\\WmiPrvSE.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\dimsjob\\lsass.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\dimsjob\\lsass.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\WmiPrvSE.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\WmiPrvSE.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\iscsilog\\conhost.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\iscsilog\\conhost.exe\""	Connections Rontime Broker.exe

Drops file in System32 directory 4 IoCs

Processes:

Connections Rontime Broker.exe

description	ioc	process
File created	C:\Windows\System32\iscsilog\conhost.exe	Connections Rontime Broker.exe
File created	C:\Windows\System32\iscsilog\088424020bedd6b28ac7fd22ee35dcd7322895ce	Connections Rontime Broker.exe
File created	C:\Windows\System32\dimsjob\lsass.exe	Connections Rontime Broker.exe
File created	C:\Windows\System32\dimsjob\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	Connections Rontime Broker.exe

Drops file in Program Files directory 3 IoCs

Processes:

Connections Rontime Broker.exe

description	ioc	process
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\24dbde2999530ef5fd907494bc374d663924116c	Connections Rontime Broker.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\WmiPrvSE.exe	Connections Rontime Broker.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\WmiPrvSE.exe	Connections Rontime Broker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

572 schtasks.exe
1932 schtasks.exe
820 schtasks.exe
1388 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Connections Rontime Broker.exeWmiPrvSE.exe

pid process

1040 Connections Rontime Broker.exe
824 WmiPrvSE.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Connections Rontime Broker.exeWmiPrvSE.exe

description pid process

Token: SeDebugPrivilege 1040 Connections Rontime Broker.exe
Token: SeDebugPrivilege 824 WmiPrvSE.exe

pid	process
572	schtasks.exe
1932	schtasks.exe
820	schtasks.exe
1388	schtasks.exe

pid	process
1040	Connections Rontime Broker.exe
824	WmiPrvSE.exe

description	pid	process
Token: SeDebugPrivilege	1040	Connections Rontime Broker.exe
Token: SeDebugPrivilege	824	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Build.exeWScript.execmd.exeConnections Rontime Broker.exe

description	pid	process	target process
PID 1632 wrote to memory of 1280	1632	Build.exe	WScript.exe
PID 1632 wrote to memory of 1280	1632	Build.exe	WScript.exe
PID 1632 wrote to memory of 1280	1632	Build.exe	WScript.exe
PID 1632 wrote to memory of 1280	1632	Build.exe	WScript.exe
PID 1280 wrote to memory of 268	1280	WScript.exe	cmd.exe
PID 1280 wrote to memory of 268	1280	WScript.exe	cmd.exe
PID 1280 wrote to memory of 268	1280	WScript.exe	cmd.exe
PID 1280 wrote to memory of 268	1280	WScript.exe	cmd.exe
PID 268 wrote to memory of 1040	268	cmd.exe	Connections Rontime Broker.exe
PID 268 wrote to memory of 1040	268	cmd.exe	Connections Rontime Broker.exe
PID 268 wrote to memory of 1040	268	cmd.exe	Connections Rontime Broker.exe
PID 268 wrote to memory of 1040	268	cmd.exe	Connections Rontime Broker.exe
PID 1040 wrote to memory of 572	1040	Connections Rontime Broker.exe	schtasks.exe
PID 1040 wrote to memory of 572	1040	Connections Rontime Broker.exe	schtasks.exe
PID 1040 wrote to memory of 572	1040	Connections Rontime Broker.exe	schtasks.exe
PID 1040 wrote to memory of 1932	1040	Connections Rontime Broker.exe	schtasks.exe
PID 1040 wrote to memory of 1932	1040	Connections Rontime Broker.exe	schtasks.exe
PID 1040 wrote to memory of 1932	1040	Connections Rontime Broker.exe	schtasks.exe
PID 1040 wrote to memory of 820	1040	Connections Rontime Broker.exe	schtasks.exe
PID 1040 wrote to memory of 820	1040	Connections Rontime Broker.exe	schtasks.exe
PID 1040 wrote to memory of 820	1040	Connections Rontime Broker.exe	schtasks.exe
PID 1040 wrote to memory of 1388	1040	Connections Rontime Broker.exe	schtasks.exe
PID 1040 wrote to memory of 1388	1040	Connections Rontime Broker.exe	schtasks.exe
PID 1040 wrote to memory of 1388	1040	Connections Rontime Broker.exe	schtasks.exe
PID 1040 wrote to memory of 824	1040	Connections Rontime Broker.exe	WmiPrvSE.exe
PID 1040 wrote to memory of 824	1040	Connections Rontime Broker.exe	WmiPrvSE.exe
PID 1040 wrote to memory of 824	1040	Connections Rontime Broker.exe	WmiPrvSE.exe

C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
"C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\WmiPrvSE.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\iscsilog\conhost.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\WmiPrvSE.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\dimsjob\lsass.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1388

C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\WmiPrvSE.exe
"C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\WmiPrvSE.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\WmiPrvSE.exe
MD5
413be497be904c09aa8bfe8f0182a949

SHA1
9c5a69c83dbe2629290823d33c0afbce6d37f7bf

SHA256
6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21

SHA512
01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee

Download Submit
C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\WmiPrvSE.exe
MD5
413be497be904c09aa8bfe8f0182a949

SHA1
9c5a69c83dbe2629290823d33c0afbce6d37f7bf

SHA256
6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21

SHA512
01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
MD5
413be497be904c09aa8bfe8f0182a949

SHA1
9c5a69c83dbe2629290823d33c0afbce6d37f7bf

SHA256
6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21

SHA512
01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
MD5
413be497be904c09aa8bfe8f0182a949

SHA1
9c5a69c83dbe2629290823d33c0afbce6d37f7bf

SHA256
6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21

SHA512
01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe
MD5
559cdf34199c7353804d3d3550ccc3a3

SHA1
43da9eae85816d75b10f537452a9b5c2ef9ae1f6

SHA256
c1475bfc785af561b6954cd740f44083bbdb6e15b1dabbc2249e35b5eae82108

SHA512
a4431b8817a1464f54f01bc223f01c4673521e99289c010a4158d25bbe542a735b59d6a6de406e2a0efb3ed20de5958cf6bea5acb14069b9f690b0cde619c86c

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat
MD5
d5f5523af702e22a702e95fadf058335

SHA1
e495f695eed69a9af60dd6303b20ce0df82cadbb

SHA256
5ae2bbf6e9576cb737edef26860e3f843c13b78cd77ed31ebb5578d80dbbcac3

SHA512
f0fbc8757d2083e8ea93f059d0fad236c2e45f8db67c6cf11801a225bee758f0761c5eac2d468c646adcf86028f3317931e704778cc5f2d971403873c3de82b6

Download Submit
\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
MD5
413be497be904c09aa8bfe8f0182a949

SHA1
9c5a69c83dbe2629290823d33c0afbce6d37f7bf

SHA256
6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21

SHA512
01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee

Download Submit
\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
MD5
413be497be904c09aa8bfe8f0182a949

SHA1
9c5a69c83dbe2629290823d33c0afbce6d37f7bf

SHA256
6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21

SHA512
01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee

Download Submit
memory/268-65-0x0000000000000000-mapping.dmp

Download
memory/572-74-0x0000000000000000-mapping.dmp

Download
memory/820-76-0x0000000000000000-mapping.dmp

Download
memory/824-81-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/824-78-0x0000000000000000-mapping.dmp

Download
memory/824-83-0x000000001B040000-0x000000001B042000-memory.dmp

Filesize
8KB

Download
memory/1040-71-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/1040-73-0x000000001B0F0000-0x000000001B0F2000-memory.dmp

Filesize
8KB

Download
memory/1040-69-0x0000000000000000-mapping.dmp

Download
memory/1280-61-0x0000000000000000-mapping.dmp

Download
memory/1388-77-0x0000000000000000-mapping.dmp

Download
memory/1632-60-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1932-75-0x0000000000000000-mapping.dmp

Download