dcrat | b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1

General

Target

ba5dc0fc7d1677527cf809bfca28e2b6.exe
Size

1.1MB
MD5

ba5dc0fc7d1677527cf809bfca28e2b6
SHA1

df8452d50e4fa2171379bfd499132a08dd725368
SHA256

b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1
SHA512

dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2636	schtasks.exe

DCRat Payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Windows\System32\themeui\dllhost.exe	dcrat
C:\Windows\System32\themeui\dllhost.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

1444 dllhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1444	dllhost.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\winhlp32\\explorer.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\wininit.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\resources\\ShellExperienceHost.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\fsutilext\\winlogon.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\Wldap32\\winlogon.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\taskkill\\RuntimeBroker.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\Pictures\\Camera Roll\\spoolsv.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\System32\\UevTemplateBaselineGenerator\\audiodg.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\themeui\\dllhost.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe

Drops file in System32 directory 10 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exe

description	ioc	process
File created	C:\Windows\System32\UevTemplateBaselineGenerator\audiodg.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\fsutilext\winlogon.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\fsutilext\cc11b995f2a76da408ea6a601e682e64743153ad	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\Wldap32\winlogon.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\Wldap32\cc11b995f2a76da408ea6a601e682e64743153ad	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\taskkill\RuntimeBroker.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\taskkill\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\UevTemplateBaselineGenerator\42af1c969fbb7b2ae36b0e06bea61fc9a154b4af	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\themeui\dllhost.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\themeui\5940a34987c99120d96dace90a3f93f329dcad63	ba5dc0fc7d1677527cf809bfca28e2b6.exe

Drops file in Program Files directory 2 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Defender\ja-JP\wininit.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\560854153607923c4c5f107085a7db67be01f252	ba5dc0fc7d1677527cf809bfca28e2b6.exe

Drops file in Windows directory 4 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exe

description	ioc	process
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\ShellExperienceHost.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\f8c8f1285d826bc63910aaf97db97186ba642b4f	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\winhlp32\explorer.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\winhlp32\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	ba5dc0fc7d1677527cf809bfca28e2b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3648	schtasks.exe
4076	schtasks.exe
3508	schtasks.exe
2252	schtasks.exe
3592	schtasks.exe
868	schtasks.exe
2720	schtasks.exe
1348	schtasks.exe
1912	schtasks.exe

Modifies registry class 1 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	ba5dc0fc7d1677527cf809bfca28e2b6.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exedllhost.exe

pid	process
2116	ba5dc0fc7d1677527cf809bfca28e2b6.exe
2116	ba5dc0fc7d1677527cf809bfca28e2b6.exe
2116	ba5dc0fc7d1677527cf809bfca28e2b6.exe
1444	dllhost.exe
1444	dllhost.exe
1444	dllhost.exe
1444	dllhost.exe
1444	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

1444 dllhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exedllhost.exe

description pid process

Token: SeDebugPrivilege 2116 ba5dc0fc7d1677527cf809bfca28e2b6.exe
Token: SeDebugPrivilege 1444 dllhost.exe

pid	process
1444	dllhost.exe

description	pid	process
Token: SeDebugPrivilege	2116	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Token: SeDebugPrivilege	1444	dllhost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.execmd.exe

description	pid	process	target process
PID 2116 wrote to memory of 1052	2116	ba5dc0fc7d1677527cf809bfca28e2b6.exe	cmd.exe
PID 2116 wrote to memory of 1052	2116	ba5dc0fc7d1677527cf809bfca28e2b6.exe	cmd.exe
PID 1052 wrote to memory of 3140	1052	cmd.exe	chcp.com
PID 1052 wrote to memory of 3140	1052	cmd.exe	chcp.com
PID 1052 wrote to memory of 2228	1052	cmd.exe	w32tm.exe
PID 1052 wrote to memory of 2228	1052	cmd.exe	w32tm.exe
PID 1052 wrote to memory of 1444	1052	cmd.exe	dllhost.exe
PID 1052 wrote to memory of 1444	1052	cmd.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe
"C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NeLwPw5PoC.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:3140

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2228

C:\Windows\System32\themeui\dllhost.exe
"C:\Windows\System32\themeui\dllhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Camera Roll\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\winhlp32\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\System32\UevTemplateBaselineGenerator\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\themeui\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\fsutilext\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\Wldap32\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\taskkill\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NeLwPw5PoC.bat
MD5
c565f88a40c0c61483364d423391e88a

SHA1
4453ed5f5db129a6638c69b8cdbfcf9af5526776

SHA256
309989d4af3201f41a0e3af1811a6971a1dbd52f96cf6a5d4e4461e59fc1db65

SHA512
3a258d235ca92b45030f9a6c44cf13a70a8b5014c8f0bc62052a6427d4b11cd5954aaeb6e73107e556f6be08f9a8582ec339e167572f70e0a1fe2885cd15eb61

Download Submit
C:\Windows\System32\themeui\dllhost.exe
MD5
ba5dc0fc7d1677527cf809bfca28e2b6

SHA1
df8452d50e4fa2171379bfd499132a08dd725368

SHA256
b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1

SHA512
dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e

Download Submit
C:\Windows\System32\themeui\dllhost.exe
MD5
ba5dc0fc7d1677527cf809bfca28e2b6

SHA1
df8452d50e4fa2171379bfd499132a08dd725368

SHA256
b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1

SHA512
dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e

Download Submit
memory/1052-118-0x0000000000000000-mapping.dmp

Download
memory/1444-122-0x0000000000000000-mapping.dmp

Download
memory/1444-127-0x0000000000DE0000-0x0000000000DE2000-memory.dmp

Filesize
8KB

Download
memory/2116-115-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2116-117-0x000000001BB10000-0x000000001BB12000-memory.dmp

Filesize
8KB

Download
memory/2228-121-0x0000000000000000-mapping.dmp

Download
memory/3140-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads