dcrat | cef243d8fa4ef4cb108c2cabbf0a3b17dd02aea213776351720612dc69669e68

General

Target

5adfa600_FOCzXIBcJD.exe
Size

1.4MB
MD5

5adfa60026465144e6410fab3f714d2e
SHA1

daa4b6471384b111da3d580f9c41ceabed9dbd15
SHA256

cef243d8fa4ef4cb108c2cabbf0a3b17dd02aea213776351720612dc69669e68
SHA512

2589ca8deda6fd755bca15dca36339e9d56c9fab18145f3632e440eeaba14f0e400e9f18bf6a0f8471eef76ce98759af9d85c11c1bfce09cf8c50a277406ca19

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	1264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	1264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	1264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	1264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1264	schtasks.exe

DCRat Payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe	dcrat
C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe	dcrat
\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe	dcrat
C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe	dcrat
C:\Windows\System32\wbem\Dscpspluginwkr\WmiPrvSE.exe	dcrat
C:\Windows\System32\wbem\Dscpspluginwkr\WmiPrvSE.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

reviewDriverCrtFontcrtnet.exeWmiPrvSE.exe

pid process

864 reviewDriverCrtFontcrtnet.exe
752 WmiPrvSE.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

672 cmd.exe
672 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
864	reviewDriverCrtFontcrtnet.exe
752	WmiPrvSE.exe

pid	process
672	cmd.exe
672	cmd.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reviewDriverCrtFontcrtnet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\unsecapp\\WmiPrvSE.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\ProgramData\\Start Menu\\dwm.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\reviewDriverCrt\\taskhost.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\SysWOW64\\grb\\cmd.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\Dscpspluginwkr\\WmiPrvSE.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\PeerDist\\taskhost.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\ProgramData\\Mozilla\\updates\\cmd.exe\""	reviewDriverCrtFontcrtnet.exe

Drops file in System32 directory 8 IoCs

Processes:

reviewDriverCrtFontcrtnet.exe

description	ioc	process
File created	C:\Windows\System32\wbem\Dscpspluginwkr\24dbde2999530ef5fd907494bc374d663924116c	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\PeerDist\taskhost.exe	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\PeerDist\b75386f1303e64d8139363b71e44ac16341adf4e	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\wbem\unsecapp\WmiPrvSE.exe	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\wbem\unsecapp\24dbde2999530ef5fd907494bc374d663924116c	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\SysWOW64\grb\cmd.exe	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\SysWOW64\grb\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\wbem\Dscpspluginwkr\WmiPrvSE.exe	reviewDriverCrtFontcrtnet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

612 schtasks.exe
928 schtasks.exe
1068 schtasks.exe
696 schtasks.exe
1724 schtasks.exe
1684 schtasks.exe
780 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

reviewDriverCrtFontcrtnet.exeWmiPrvSE.exe

pid process

864 reviewDriverCrtFontcrtnet.exe
752 WmiPrvSE.exe
752 WmiPrvSE.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WmiPrvSE.exe

pid process

752 WmiPrvSE.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

reviewDriverCrtFontcrtnet.exeWmiPrvSE.exe

description pid process

Token: SeDebugPrivilege 864 reviewDriverCrtFontcrtnet.exe
Token: SeDebugPrivilege 752 WmiPrvSE.exe

pid	process
612	schtasks.exe
928	schtasks.exe
1068	schtasks.exe
696	schtasks.exe
1724	schtasks.exe
1684	schtasks.exe
780	schtasks.exe

pid	process
864	reviewDriverCrtFontcrtnet.exe
752	WmiPrvSE.exe
752	WmiPrvSE.exe

pid	process
752	WmiPrvSE.exe

description	pid	process
Token: SeDebugPrivilege	864	reviewDriverCrtFontcrtnet.exe
Token: SeDebugPrivilege	752	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5adfa600_FOCzXIBcJD.exeWScript.execmd.exereviewDriverCrtFontcrtnet.exe

description	pid	process	target process
PID 1664 wrote to memory of 2008	1664	5adfa600_FOCzXIBcJD.exe	WScript.exe
PID 1664 wrote to memory of 2008	1664	5adfa600_FOCzXIBcJD.exe	WScript.exe
PID 1664 wrote to memory of 2008	1664	5adfa600_FOCzXIBcJD.exe	WScript.exe
PID 1664 wrote to memory of 2008	1664	5adfa600_FOCzXIBcJD.exe	WScript.exe
PID 2008 wrote to memory of 672	2008	WScript.exe	cmd.exe
PID 2008 wrote to memory of 672	2008	WScript.exe	cmd.exe
PID 2008 wrote to memory of 672	2008	WScript.exe	cmd.exe
PID 2008 wrote to memory of 672	2008	WScript.exe	cmd.exe
PID 672 wrote to memory of 864	672	cmd.exe	reviewDriverCrtFontcrtnet.exe
PID 672 wrote to memory of 864	672	cmd.exe	reviewDriverCrtFontcrtnet.exe
PID 672 wrote to memory of 864	672	cmd.exe	reviewDriverCrtFontcrtnet.exe
PID 672 wrote to memory of 864	672	cmd.exe	reviewDriverCrtFontcrtnet.exe
PID 864 wrote to memory of 752	864	reviewDriverCrtFontcrtnet.exe	WmiPrvSE.exe
PID 864 wrote to memory of 752	864	reviewDriverCrtFontcrtnet.exe	WmiPrvSE.exe
PID 864 wrote to memory of 752	864	reviewDriverCrtFontcrtnet.exe	WmiPrvSE.exe

C:\Users\Admin\AppData\Local\Temp\5adfa600_FOCzXIBcJD.exe
"C:\Users\Admin\AppData\Local\Temp\5adfa600_FOCzXIBcJD.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\reviewDriverCrt\GqZ4Z.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\reviewDriverCrt\pFx5CwZioohZPln3.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe
      "C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\System32\wbem\Dscpspluginwkr\WmiPrvSE.exe
        
        "C:\Windows\System32\wbem\Dscpspluginwkr\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\reviewDriverCrt\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\grb\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\Dscpspluginwkr\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\PeerDist\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\ProgramData\Mozilla\updates\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\unsecapp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\wbem\Dscpspluginwkr\WmiPrvSE.exe

MD5
a95f2e917a44acbcef8d69de421a73ea

SHA1
a186188206c690a9b5414280dd214a0904e79a82

SHA256
1ba6af47c93bb3a9610941f3d8cd1086e34187e35af34801745922589f74c57d

SHA512
fd538b2de8556d2e1d3ef7a71f1edb15cd2aba26f7d40727c340e85699c7327aa1a96fe95a4bad887ffab43cd43581ce26fb006767e7802f6554574dbd1c6309

Download Submit
C:\Windows\System32\wbem\Dscpspluginwkr\WmiPrvSE.exe

MD5
a95f2e917a44acbcef8d69de421a73ea

SHA1
a186188206c690a9b5414280dd214a0904e79a82

SHA256
1ba6af47c93bb3a9610941f3d8cd1086e34187e35af34801745922589f74c57d

SHA512
fd538b2de8556d2e1d3ef7a71f1edb15cd2aba26f7d40727c340e85699c7327aa1a96fe95a4bad887ffab43cd43581ce26fb006767e7802f6554574dbd1c6309

Download Submit
C:\reviewDriverCrt\GqZ4Z.vbe

MD5
d3dbfd5aab30c1b227b55ca29a35d3c1

SHA1
a9fde98b66f84d5f397fd255bba7561623de81ae

SHA256
021991da8cd94174c924b2f333a86891aceabb9daf7c71f86ad38f468d13595d

SHA512
e0eb3a83c997b93f706dcb0491112fbf4af9db3729540fc288d07ba20a7eac7b9512b508121a8d7cfae78ced3c0474feb7c8c1df24d51a97b10c1698e577b0aa

Download Submit
C:\reviewDriverCrt\pFx5CwZioohZPln3.bat

MD5
9e3d0a8b26cd56f528bae72fe15d8b3d

SHA1
ba07c007fe32d8917d71ec92178ebbedda3660b8

SHA256
1d9fbfd732d71dfadcc87f3082a629bb76fdc9b53c1f8d5b0ba244a3753e98b3

SHA512
ae48350bb2eff19a8fdedec36d97ad5de9ff53944d1e3bc77a7ca8e633e371cd7a9bc74be1079a3f05289cd1c8a0931597ab9c76502563e7bbe857fa1ab78078

Download Submit
C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe

MD5
a95f2e917a44acbcef8d69de421a73ea

SHA1
a186188206c690a9b5414280dd214a0904e79a82

SHA256
1ba6af47c93bb3a9610941f3d8cd1086e34187e35af34801745922589f74c57d

SHA512
fd538b2de8556d2e1d3ef7a71f1edb15cd2aba26f7d40727c340e85699c7327aa1a96fe95a4bad887ffab43cd43581ce26fb006767e7802f6554574dbd1c6309

Download Submit
C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe

MD5
a95f2e917a44acbcef8d69de421a73ea

SHA1
a186188206c690a9b5414280dd214a0904e79a82

SHA256
1ba6af47c93bb3a9610941f3d8cd1086e34187e35af34801745922589f74c57d

SHA512
fd538b2de8556d2e1d3ef7a71f1edb15cd2aba26f7d40727c340e85699c7327aa1a96fe95a4bad887ffab43cd43581ce26fb006767e7802f6554574dbd1c6309

Download Submit
\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe

MD5
a95f2e917a44acbcef8d69de421a73ea

SHA1
a186188206c690a9b5414280dd214a0904e79a82

SHA256
1ba6af47c93bb3a9610941f3d8cd1086e34187e35af34801745922589f74c57d

SHA512
fd538b2de8556d2e1d3ef7a71f1edb15cd2aba26f7d40727c340e85699c7327aa1a96fe95a4bad887ffab43cd43581ce26fb006767e7802f6554574dbd1c6309

Download Submit
\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe

MD5
a95f2e917a44acbcef8d69de421a73ea

SHA1
a186188206c690a9b5414280dd214a0904e79a82

SHA256
1ba6af47c93bb3a9610941f3d8cd1086e34187e35af34801745922589f74c57d

SHA512
fd538b2de8556d2e1d3ef7a71f1edb15cd2aba26f7d40727c340e85699c7327aa1a96fe95a4bad887ffab43cd43581ce26fb006767e7802f6554574dbd1c6309

Download Submit
memory/672-65-0x0000000000000000-mapping.dmp

Download
memory/752-74-0x0000000000000000-mapping.dmp

Download
memory/752-77-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/752-79-0x000000001B180000-0x000000001B182000-memory.dmp

Filesize
8KB

Download
memory/752-80-0x0000000000AB0000-0x0000000000AB5000-memory.dmp

Filesize
20KB

Download
memory/864-71-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/864-73-0x000000001B080000-0x000000001B082000-memory.dmp

Filesize
8KB

Download
memory/864-69-0x0000000000000000-mapping.dmp

Download
memory/1664-60-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/2008-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads