dcrat | b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1

General

Target

ba5dc0fc7d1677527cf809bfca28e2b6.exe
Size

1.1MB
MD5

ba5dc0fc7d1677527cf809bfca28e2b6
SHA1

df8452d50e4fa2171379bfd499132a08dd725368
SHA256

b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1
SHA512

dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	1816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	1816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1816	schtasks.exe

DCRat Payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Windows\System32\wlansec\dwm.exe	dcrat
C:\Windows\System32\wlansec\dwm.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

dwm.exe

pid process

516 dwm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
516	dwm.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba5dc0fc7d1677527cf809bfca28e2b6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft .NET Framework 4.7.2 Setup_20210920_131035753\\ba5dc0fc7d1677527cf809bfca28e2b6.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\security\\database\\winlogon.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\wlansec\\dwm.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\wscinterop\\wininit.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe

Drops file in System32 directory 5 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exe

description	ioc	process
File created	C:\Windows\System32\wlansec\dwm.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File opened for modification	C:\Windows\System32\wlansec\dwm.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\wlansec\6cb0b6c459d5d3455a3da700e713f2e2529862ff	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\wscinterop\wininit.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\wscinterop\560854153607923c4c5f107085a7db67be01f252	ba5dc0fc7d1677527cf809bfca28e2b6.exe

Drops file in Windows directory 2 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exe

description	ioc	process
File created	C:\Windows\security\database\winlogon.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\security\database\cc11b995f2a76da408ea6a601e682e64743153ad	ba5dc0fc7d1677527cf809bfca28e2b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1592 schtasks.exe
760 schtasks.exe
524 schtasks.exe
472 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exedwm.exe

pid process

1368 ba5dc0fc7d1677527cf809bfca28e2b6.exe
516 dwm.exe
516 dwm.exe
516 dwm.exe
516 dwm.exe
516 dwm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwm.exe

pid process

516 dwm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exedwm.exe

description pid process

Token: SeDebugPrivilege 1368 ba5dc0fc7d1677527cf809bfca28e2b6.exe
Token: SeDebugPrivilege 516 dwm.exe

pid	process
1592	schtasks.exe
760	schtasks.exe
524	schtasks.exe
472	schtasks.exe

pid	process
1368	ba5dc0fc7d1677527cf809bfca28e2b6.exe
516	dwm.exe
516	dwm.exe
516	dwm.exe
516	dwm.exe
516	dwm.exe

pid	process
516	dwm.exe

description	pid	process
Token: SeDebugPrivilege	1368	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Token: SeDebugPrivilege	516	dwm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.execmd.exe

description	pid	process	target process
PID 1368 wrote to memory of 608	1368	ba5dc0fc7d1677527cf809bfca28e2b6.exe	cmd.exe
PID 1368 wrote to memory of 608	1368	ba5dc0fc7d1677527cf809bfca28e2b6.exe	cmd.exe
PID 1368 wrote to memory of 608	1368	ba5dc0fc7d1677527cf809bfca28e2b6.exe	cmd.exe
PID 608 wrote to memory of 1420	608	cmd.exe	chcp.com
PID 608 wrote to memory of 1420	608	cmd.exe	chcp.com
PID 608 wrote to memory of 1420	608	cmd.exe	chcp.com
PID 608 wrote to memory of 1168	608	cmd.exe	w32tm.exe
PID 608 wrote to memory of 1168	608	cmd.exe	w32tm.exe
PID 608 wrote to memory of 1168	608	cmd.exe	w32tm.exe
PID 608 wrote to memory of 516	608	cmd.exe	dwm.exe
PID 608 wrote to memory of 516	608	cmd.exe	dwm.exe
PID 608 wrote to memory of 516	608	cmd.exe	dwm.exe

C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe
"C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FkCsdQ3XkE.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1420

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1168

C:\Windows\System32\wlansec\dwm.exe
"C:\Windows\System32\wlansec\dwm.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\wlansec\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\wscinterop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ba5dc0fc7d1677527cf809bfca28e2b6" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20210920_131035753\ba5dc0fc7d1677527cf809bfca28e2b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\security\database\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FkCsdQ3XkE.bat
MD5
d090e0112b4f82dd11302da5bf8cf386

SHA1
db2cb40b7438fd7287516c0772c00d91d47f1c45

SHA256
b3c919a97a5092d3eab36cb605f127e2e40fc2c6730828586250a9a696bcfe04

SHA512
75fac78146a388a71ffd9e69a3d1e49deca9c6948feb0c2b0be6cb2fa001df7d76910144d23d0652c3ef982dab0a97cfb4285b6665a082b07e21df62d45665ee

Download Submit
C:\Windows\System32\wlansec\dwm.exe
MD5
ba5dc0fc7d1677527cf809bfca28e2b6

SHA1
df8452d50e4fa2171379bfd499132a08dd725368

SHA256
b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1

SHA512
dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e

Download Submit
C:\Windows\System32\wlansec\dwm.exe
MD5
ba5dc0fc7d1677527cf809bfca28e2b6

SHA1
df8452d50e4fa2171379bfd499132a08dd725368

SHA256
b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1

SHA512
dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e

Download Submit
memory/516-62-0x0000000000000000-mapping.dmp

Download
memory/516-64-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/516-66-0x000000001B0F0000-0x000000001B0F2000-memory.dmp

Filesize
8KB

Download
memory/608-57-0x0000000000000000-mapping.dmp

Download
memory/1168-60-0x0000000000000000-mapping.dmp

Download
memory/1368-54-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1368-56-0x000000001AE20000-0x000000001AE22000-memory.dmp

Filesize
8KB

Download
memory/1420-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads