dcrat | b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1

General

Target

ba5dc0fc7d1677527cf809bfca28e2b6.exe
Size

1.1MB
MD5

ba5dc0fc7d1677527cf809bfca28e2b6
SHA1

df8452d50e4fa2171379bfd499132a08dd725368
SHA256

b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1
SHA512

dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	4064	schtasks.exe

DCRat Payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\odt\RuntimeBroker.exe	dcrat
C:\odt\RuntimeBroker.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

RuntimeBroker.exe

pid process

2032 RuntimeBroker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2032	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\System32\\rasmbmgr\\audiodg.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\Windows.Mirage.Internal\\RuntimeBroker.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Boot\\nb-NO\\wininit.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\wshom\\dwm.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\odt\\RuntimeBroker.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\odt\\WmiPrvSE.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\Windows Defender\\Offline\\taskhostw.exe\""	ba5dc0fc7d1677527cf809bfca28e2b6.exe

Drops file in System32 directory 7 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exe

description	ioc	process
File created	C:\Windows\System32\wshom\dwm.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File opened for modification	C:\Windows\System32\wshom\dwm.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\wshom\6cb0b6c459d5d3455a3da700e713f2e2529862ff	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\rasmbmgr\audiodg.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\rasmbmgr\42af1c969fbb7b2ae36b0e06bea61fc9a154b4af	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\Windows.Mirage.Internal\RuntimeBroker.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Windows\System32\Windows.Mirage.Internal\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	ba5dc0fc7d1677527cf809bfca28e2b6.exe

Drops file in Program Files directory 2 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Defender\Offline\taskhostw.exe	ba5dc0fc7d1677527cf809bfca28e2b6.exe
File created	C:\Program Files (x86)\Windows Defender\Offline\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988	ba5dc0fc7d1677527cf809bfca28e2b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1488 schtasks.exe
1568 schtasks.exe
1740 schtasks.exe
460 schtasks.exe
396 schtasks.exe
1196 schtasks.exe
1308 schtasks.exe

pid	process
1488	schtasks.exe
1568	schtasks.exe
1740	schtasks.exe
460	schtasks.exe
396	schtasks.exe
1196	schtasks.exe
1308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exeRuntimeBroker.exe

pid	process
620	ba5dc0fc7d1677527cf809bfca28e2b6.exe
620	ba5dc0fc7d1677527cf809bfca28e2b6.exe
620	ba5dc0fc7d1677527cf809bfca28e2b6.exe
620	ba5dc0fc7d1677527cf809bfca28e2b6.exe
2032	RuntimeBroker.exe
2032	RuntimeBroker.exe
2032	RuntimeBroker.exe
2032	RuntimeBroker.exe
2032	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RuntimeBroker.exe

pid process

2032 RuntimeBroker.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exeRuntimeBroker.exe

description pid process

Token: SeDebugPrivilege 620 ba5dc0fc7d1677527cf809bfca28e2b6.exe
Token: SeDebugPrivilege 2032 RuntimeBroker.exe

pid	process
2032	RuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	620	ba5dc0fc7d1677527cf809bfca28e2b6.exe
Token: SeDebugPrivilege	2032	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

ba5dc0fc7d1677527cf809bfca28e2b6.exe

description	pid	process	target process
PID 620 wrote to memory of 2032	620	ba5dc0fc7d1677527cf809bfca28e2b6.exe	RuntimeBroker.exe
PID 620 wrote to memory of 2032	620	ba5dc0fc7d1677527cf809bfca28e2b6.exe	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe
"C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620

C:\odt\RuntimeBroker.exe
"C:\odt\RuntimeBroker.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\wshom\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\Offline\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\System32\rasmbmgr\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Mirage.Internal\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Boot\nb-NO\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\odt\RuntimeBroker.exe
MD5
ba5dc0fc7d1677527cf809bfca28e2b6

SHA1
df8452d50e4fa2171379bfd499132a08dd725368

SHA256
b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1

SHA512
dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e

Download Submit
C:\odt\RuntimeBroker.exe
MD5
ba5dc0fc7d1677527cf809bfca28e2b6

SHA1
df8452d50e4fa2171379bfd499132a08dd725368

SHA256
b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1

SHA512
dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e

Download Submit
memory/620-114-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/620-116-0x000000001AEE0000-0x000000001AEE2000-memory.dmp

Filesize
8KB

Download
memory/2032-117-0x0000000000000000-mapping.dmp

Download
memory/2032-122-0x000000001B802000-0x000000001B803000-memory.dmp

Filesize
4KB

Download
memory/2032-123-0x000000001B803000-0x000000001B804000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads