dcrat | cef243d8fa4ef4cb108c2cabbf0a3b17dd02aea213776351720612dc69669e68

General

Target

5adfa600_FOCzXIBcJD.exe
Size

1.4MB
MD5

5adfa60026465144e6410fab3f714d2e
SHA1

daa4b6471384b111da3d580f9c41ceabed9dbd15
SHA256

cef243d8fa4ef4cb108c2cabbf0a3b17dd02aea213776351720612dc69669e68
SHA512

2589ca8deda6fd755bca15dca36339e9d56c9fab18145f3632e440eeaba14f0e400e9f18bf6a0f8471eef76ce98759af9d85c11c1bfce09cf8c50a277406ca19

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	3468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	3468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	3468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	3468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	3468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	3468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	3468	schtasks.exe

DCRat Payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe	dcrat
C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe	dcrat
C:\Program Files\Windows Defender\Offline\dllhost.exe	dcrat
C:\Program Files\Windows Defender\Offline\dllhost.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

reviewDriverCrtFontcrtnet.exedllhost.exe

pid process

3180 reviewDriverCrtFontcrtnet.exe
1012 dllhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3180	reviewDriverCrtFontcrtnet.exe
1012	dllhost.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reviewDriverCrtFontcrtnet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Defender\\Offline\\dllhost.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\reviewDriverCrt\\OfficeClickToRun.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\csrss.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\pcaui\\dllhost.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Boot\\nb-NO\\conhost.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\tetheringservice\\RuntimeBroker.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\sihost\\SppExtComObj.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\resources\\ShellExperienceHost.exe\""	reviewDriverCrtFontcrtnet.exe

Drops file in System32 directory 7 IoCs

Processes:

reviewDriverCrtFontcrtnet.exe

description	ioc	process
File created	C:\Windows\System32\sihost\SppExtComObj.exe	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\sihost\e1ef82546f0b02b7e974f28047f3788b1128cce1	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\pcaui\dllhost.exe	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\pcaui\5940a34987c99120d96dace90a3f93f329dcad63	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\tetheringservice\RuntimeBroker.exe	reviewDriverCrtFontcrtnet.exe
File opened for modification	C:\Windows\System32\tetheringservice\RuntimeBroker.exe	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\tetheringservice\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	reviewDriverCrtFontcrtnet.exe

Drops file in Program Files directory 2 IoCs

Processes:

reviewDriverCrtFontcrtnet.exe

description	ioc	process
File created	C:\Program Files\Windows Defender\Offline\dllhost.exe	reviewDriverCrtFontcrtnet.exe
File created	C:\Program Files\Windows Defender\Offline\5940a34987c99120d96dace90a3f93f329dcad63	reviewDriverCrtFontcrtnet.exe

Drops file in Windows directory 2 IoCs

Processes:

reviewDriverCrtFontcrtnet.exe

description	ioc	process
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\ShellExperienceHost.exe	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\f8c8f1285d826bc63910aaf97db97186ba642b4f	reviewDriverCrtFontcrtnet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3752 schtasks.exe
2836 schtasks.exe
672 schtasks.exe
2260 schtasks.exe
3848 schtasks.exe
2868 schtasks.exe
4056 schtasks.exe
1856 schtasks.exe

pid	process
3752	schtasks.exe
2836	schtasks.exe
672	schtasks.exe
2260	schtasks.exe
3848	schtasks.exe
2868	schtasks.exe
4056	schtasks.exe
1856	schtasks.exe

Modifies registry class 2 IoCs

Processes:

5adfa600_FOCzXIBcJD.exereviewDriverCrtFontcrtnet.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	5adfa600_FOCzXIBcJD.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	reviewDriverCrtFontcrtnet.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

reviewDriverCrtFontcrtnet.exedllhost.exe

pid process

3180 reviewDriverCrtFontcrtnet.exe
1012 dllhost.exe
1012 dllhost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

1012 dllhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

reviewDriverCrtFontcrtnet.exedllhost.exe

description pid process

Token: SeDebugPrivilege 3180 reviewDriverCrtFontcrtnet.exe
Token: SeDebugPrivilege 1012 dllhost.exe

pid	process
3180	reviewDriverCrtFontcrtnet.exe
1012	dllhost.exe
1012	dllhost.exe

pid	process
1012	dllhost.exe

description	pid	process
Token: SeDebugPrivilege	3180	reviewDriverCrtFontcrtnet.exe
Token: SeDebugPrivilege	1012	dllhost.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

5adfa600_FOCzXIBcJD.exeWScript.execmd.exereviewDriverCrtFontcrtnet.execmd.exe

description	pid	process	target process
PID 672 wrote to memory of 4024	672	5adfa600_FOCzXIBcJD.exe	WScript.exe
PID 672 wrote to memory of 4024	672	5adfa600_FOCzXIBcJD.exe	WScript.exe
PID 672 wrote to memory of 4024	672	5adfa600_FOCzXIBcJD.exe	WScript.exe
PID 4024 wrote to memory of 2172	4024	WScript.exe	cmd.exe
PID 4024 wrote to memory of 2172	4024	WScript.exe	cmd.exe
PID 4024 wrote to memory of 2172	4024	WScript.exe	cmd.exe
PID 2172 wrote to memory of 3180	2172	cmd.exe	reviewDriverCrtFontcrtnet.exe
PID 2172 wrote to memory of 3180	2172	cmd.exe	reviewDriverCrtFontcrtnet.exe
PID 3180 wrote to memory of 2300	3180	reviewDriverCrtFontcrtnet.exe	cmd.exe
PID 3180 wrote to memory of 2300	3180	reviewDriverCrtFontcrtnet.exe	cmd.exe
PID 2300 wrote to memory of 4084	2300	cmd.exe	chcp.com
PID 2300 wrote to memory of 4084	2300	cmd.exe	chcp.com
PID 2300 wrote to memory of 3940	2300	cmd.exe	w32tm.exe
PID 2300 wrote to memory of 3940	2300	cmd.exe	w32tm.exe
PID 2300 wrote to memory of 1012	2300	cmd.exe	dllhost.exe
PID 2300 wrote to memory of 1012	2300	cmd.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\5adfa600_FOCzXIBcJD.exe
"C:\Users\Admin\AppData\Local\Temp\5adfa600_FOCzXIBcJD.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:672
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\reviewDriverCrt\GqZ4Z.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\reviewDriverCrt\pFx5CwZioohZPln3.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe
      "C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3180
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\217TTGkdJh.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4084
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3940
      - C:\Program Files\Windows Defender\Offline\dllhost.exe
        
        "C:\Program Files\Windows Defender\Offline\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\tetheringservice\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\sihost\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Offline\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\reviewDriverCrt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\pcaui\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Boot\nb-NO\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender\Offline\dllhost.exe

MD5
a95f2e917a44acbcef8d69de421a73ea

SHA1
a186188206c690a9b5414280dd214a0904e79a82

SHA256
1ba6af47c93bb3a9610941f3d8cd1086e34187e35af34801745922589f74c57d

SHA512
fd538b2de8556d2e1d3ef7a71f1edb15cd2aba26f7d40727c340e85699c7327aa1a96fe95a4bad887ffab43cd43581ce26fb006767e7802f6554574dbd1c6309

Download Submit
C:\Program Files\Windows Defender\Offline\dllhost.exe

MD5
a95f2e917a44acbcef8d69de421a73ea

SHA1
a186188206c690a9b5414280dd214a0904e79a82

SHA256
1ba6af47c93bb3a9610941f3d8cd1086e34187e35af34801745922589f74c57d

SHA512
fd538b2de8556d2e1d3ef7a71f1edb15cd2aba26f7d40727c340e85699c7327aa1a96fe95a4bad887ffab43cd43581ce26fb006767e7802f6554574dbd1c6309

Download Submit
C:\Users\Admin\AppData\Local\Temp\217TTGkdJh.bat

MD5
25b320fb9ead1d9970ed1e19a7920c06

SHA1
ea64469fa6465deef9f2142933775383079aa1ed

SHA256
02a46c8e50b2444e111fcc0062a390b82bdc49dda83aeafb75f08ef43f231d7f

SHA512
3b9c39680f20d0d5270b41040106304ac5ca6801fd871fe0c3f8c00cedda3647724e60e20ee3e0094e602bf63607b6eedc0ed9a5c3fbffe8fbe42f08237849bd

Download Submit
C:\reviewDriverCrt\GqZ4Z.vbe

MD5
d3dbfd5aab30c1b227b55ca29a35d3c1

SHA1
a9fde98b66f84d5f397fd255bba7561623de81ae

SHA256
021991da8cd94174c924b2f333a86891aceabb9daf7c71f86ad38f468d13595d

SHA512
e0eb3a83c997b93f706dcb0491112fbf4af9db3729540fc288d07ba20a7eac7b9512b508121a8d7cfae78ced3c0474feb7c8c1df24d51a97b10c1698e577b0aa

Download Submit
C:\reviewDriverCrt\pFx5CwZioohZPln3.bat

MD5
9e3d0a8b26cd56f528bae72fe15d8b3d

SHA1
ba07c007fe32d8917d71ec92178ebbedda3660b8

SHA256
1d9fbfd732d71dfadcc87f3082a629bb76fdc9b53c1f8d5b0ba244a3753e98b3

SHA512
ae48350bb2eff19a8fdedec36d97ad5de9ff53944d1e3bc77a7ca8e633e371cd7a9bc74be1079a3f05289cd1c8a0931597ab9c76502563e7bbe857fa1ab78078

Download Submit
C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe

MD5
a95f2e917a44acbcef8d69de421a73ea

SHA1
a186188206c690a9b5414280dd214a0904e79a82

SHA256
1ba6af47c93bb3a9610941f3d8cd1086e34187e35af34801745922589f74c57d

SHA512
fd538b2de8556d2e1d3ef7a71f1edb15cd2aba26f7d40727c340e85699c7327aa1a96fe95a4bad887ffab43cd43581ce26fb006767e7802f6554574dbd1c6309

Download Submit
C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe

MD5
a95f2e917a44acbcef8d69de421a73ea

SHA1
a186188206c690a9b5414280dd214a0904e79a82

SHA256
1ba6af47c93bb3a9610941f3d8cd1086e34187e35af34801745922589f74c57d

SHA512
fd538b2de8556d2e1d3ef7a71f1edb15cd2aba26f7d40727c340e85699c7327aa1a96fe95a4bad887ffab43cd43581ce26fb006767e7802f6554574dbd1c6309

Download Submit
memory/1012-136-0x00000000006B0000-0x00000000006B5000-memory.dmp

Filesize
20KB

Download
memory/1012-135-0x000000001AE50000-0x000000001AE52000-memory.dmp

Filesize
8KB

Download
memory/1012-130-0x0000000000000000-mapping.dmp

Download
memory/2172-119-0x0000000000000000-mapping.dmp

Download
memory/2300-126-0x0000000000000000-mapping.dmp

Download
memory/3180-125-0x0000000000D40000-0x0000000000D42000-memory.dmp

Filesize
8KB

Download
memory/3180-123-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/3180-120-0x0000000000000000-mapping.dmp

Download
memory/3940-129-0x0000000000000000-mapping.dmp

Download
memory/4024-116-0x0000000000000000-mapping.dmp

Download
memory/4084-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads