dcrat | b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1

General

Target

ba5dc0fc7d1677527cf809bfca28e2b6.exe
Size

1.1MB
MD5

ba5dc0fc7d1677527cf809bfca28e2b6
SHA1

df8452d50e4fa2171379bfd499132a08dd725368
SHA256

b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1
SHA512

dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	1552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	1552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	1552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1552	schtasks.exe

DCRat Payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Documents and Settings\spoolsv.exe	dcrat
C:\Users\spoolsv.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

spoolsv.exe

pid process

1376 spoolsv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1376	spoolsv.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\sscore\\spoolsv.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Documents and Settings\\sppsvc.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Idle.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba5dc0fc7d1677527cf809bfca28e2b6 = "\"C:\\ProgramData\\Microsoft Help\\ba5dc0fc7d1677527cf809bfca28e2b6.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba5dc0fc7d1677527cf809bfca28e2b6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2ba67d42-8a01-4556-b51e-6d2a52d9fd26\\ba5dc0fc7d1677527cf809bfca28e2b6.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\mfc110kor\\spoolsv.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Admin\\Links\\explorer.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Documents and Settings\\spoolsv.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\wsock32\\wininit.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe

Drops file in System32 directory 6 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exe

description	ioc	process
File created	C:\Windows\System32\sscore\spoolsv.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\sscore\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\wsock32\wininit.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\wsock32\560854153607923c4c5f107085a7db67be01f252	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\mfc110kor\spoolsv.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\mfc110kor\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	ba5dc0fc7d1677527cf809bfca28e2b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
516	schtasks.exe
896	schtasks.exe
1508	schtasks.exe
112	schtasks.exe
1604	schtasks.exe
1876	schtasks.exe
1752	schtasks.exe
1120	schtasks.exe
1108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exespoolsv.exe

pid process

1232 ba5dc0fc7d1677527cf809bfca28e2b6.exe
1376 spoolsv.exe
1376 spoolsv.exe
1376 spoolsv.exe
1376 spoolsv.exe
1376 spoolsv.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

spoolsv.exe

pid process

1376 spoolsv.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exespoolsv.exe

description pid process

Token: SeDebugPrivilege 1232 ba5dc0fc7d1677527cf809bfca28e2b6.exe
Token: SeDebugPrivilege 1376 spoolsv.exe

pid	process
1232	ba5dc0fc7d1677527cf809bfca28e2b6.exe
1376	spoolsv.exe
1376	spoolsv.exe
1376	spoolsv.exe
1376	spoolsv.exe
1376	spoolsv.exe

pid	process
1376	spoolsv.exe

description	pid	process
Token: SeDebugPrivilege	1232	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Token: SeDebugPrivilege	1376	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.execmd.exe

description	pid	process	target process
PID 1232 wrote to memory of 304	1232	ba5dc0fc7d1677527cf809bfca28e2b6.exe	cmd.exe
PID 1232 wrote to memory of 304	1232	ba5dc0fc7d1677527cf809bfca28e2b6.exe	cmd.exe
PID 1232 wrote to memory of 304	1232	ba5dc0fc7d1677527cf809bfca28e2b6.exe	cmd.exe
PID 304 wrote to memory of 852	304	cmd.exe	chcp.com
PID 304 wrote to memory of 852	304	cmd.exe	chcp.com
PID 304 wrote to memory of 852	304	cmd.exe	chcp.com
PID 304 wrote to memory of 1888	304	cmd.exe	w32tm.exe
PID 304 wrote to memory of 1888	304	cmd.exe	w32tm.exe
PID 304 wrote to memory of 1888	304	cmd.exe	w32tm.exe
PID 304 wrote to memory of 1376	304	cmd.exe	spoolsv.exe
PID 304 wrote to memory of 1376	304	cmd.exe	spoolsv.exe
PID 304 wrote to memory of 1376	304	cmd.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe
"C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UGvHu4zmyf.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:852

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1888

C:\Documents and Settings\spoolsv.exe
"C:\Documents and Settings\spoolsv.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ba5dc0fc7d1677527cf809bfca28e2b6" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2ba67d42-8a01-4556-b51e-6d2a52d9fd26\ba5dc0fc7d1677527cf809bfca28e2b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\mfc110kor\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\sscore\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Documents and Settings\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\wsock32\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Links\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ba5dc0fc7d1677527cf809bfca28e2b6" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\ba5dc0fc7d1677527cf809bfca28e2b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\spoolsv.exe
MD5
ba5dc0fc7d1677527cf809bfca28e2b6

SHA1
df8452d50e4fa2171379bfd499132a08dd725368

SHA256
b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1

SHA512
dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGvHu4zmyf.bat
MD5
c924c76b207a8391217662af598973a9

SHA1
f70e59b2523efbde85ca9f33625a65dd993cd37a

SHA256
006b80c3820a9f19fd851b0ac168e7af91f44556c34e5f9902c01b24b4ecb24e

SHA512
6cad305c2c7e1d413ac0980ec7b6cc3cdf5fadf31f9ccb00a992d25e41dc6a0f16bfb03c428edfe9c524312ec4919d0d425f80607c7ff51fdd15b303e6b87327

Download Submit
C:\Users\spoolsv.exe
MD5
ba5dc0fc7d1677527cf809bfca28e2b6

SHA1
df8452d50e4fa2171379bfd499132a08dd725368

SHA256
b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1

SHA512
dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e

Download Submit
memory/304-56-0x0000000000000000-mapping.dmp

Download
memory/852-58-0x0000000000000000-mapping.dmp

Download
memory/1232-53-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1232-55-0x000000001B0F0000-0x000000001B0F2000-memory.dmp

Filesize
8KB

Download
memory/1376-61-0x0000000000000000-mapping.dmp

Download
memory/1376-63-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1376-65-0x000000001AE10000-0x000000001AE12000-memory.dmp

Filesize
8KB

Download
memory/1888-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads