dcrat | 785ebbdf0f15d1bb1fd3bbe1fb5a3486dead09dae463c91368653510c3814aee

General

Target

ad7507c90821598ae3ed6e8b6c3fdb36.exe
Size

1.3MB
MD5

ad7507c90821598ae3ed6e8b6c3fdb36
SHA1

b94839035eb055acacef724166489e2c0cb60eaa
SHA256

785ebbdf0f15d1bb1fd3bbe1fb5a3486dead09dae463c91368653510c3814aee
SHA512

ca43450c10e387a95ad6763e2f888096d7f87dc274bdb3f6720e4bc7fa3d214af72bc10a47f7ac2f00b44823511709ed1ad0f86201122bae3707c23463dff179

Score

10^/10

dcrat infostealer persistence rat spyware stealer suricata

Malware Config

Signatures

DcRat 12 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1844	schtasks.exe
		1740	schtasks.exe
		1888	schtasks.exe
		760	schtasks.exe
File created	C:\Windows\System32\lpk\conhost.exe		DriversavesRuntimecommonReviewrefbroker.exe
		1352	schtasks.exe
		996	schtasks.exe
		1464	schtasks.exe
		2028	schtasks.exe
		1472	schtasks.exe
		1580	schtasks.exe
File created	C:\Windows\System32\lpk\088424020bedd6		DriversavesRuntimecommonReviewrefbroker.exe

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1492	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1492	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1492	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1492	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1492	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1492	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1492	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1492	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1492	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1492	schtasks.exe	32

suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
suricata

Executes dropped EXE 2 IoCs

pid	Process
1516	DriversavesRuntimecommonReviewrefbroker.exe
428	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2016	cmd.exe
2016	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDSOREX\\spoolsv.exe\""	DriversavesRuntimecommonReviewrefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\networkexplorer\\taskhost.exe\""	DriversavesRuntimecommonReviewrefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\SysWOW64\\SensApi\\cmd.exe\""	DriversavesRuntimecommonReviewrefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\comcat\\sppsvc.exe\""	DriversavesRuntimecommonReviewrefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\""	DriversavesRuntimecommonReviewrefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\iassvcs\\csrss.exe\""	DriversavesRuntimecommonReviewrefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows Mail\\de-DE\\conhost.exe\""	DriversavesRuntimecommonReviewrefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\SysWOW64\\cic\\cmd.exe\""	DriversavesRuntimecommonReviewrefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\ScavengeSpace\\lsm.exe\""	DriversavesRuntimecommonReviewrefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\lpk\\conhost.exe\""	DriversavesRuntimecommonReviewrefbroker.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\System32\iassvcs\886983d96e3d3e	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\System32\networkexplorer\b75386f1303e64	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\System32\comcat\sppsvc.exe	DriversavesRuntimecommonReviewrefbroker.exe
File opened for modification	C:\Windows\System32\lpk\conhost.exe	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\System32\iassvcs\csrss.exe	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\System32\networkexplorer\taskhost.exe	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\SysWOW64\SensApi\cmd.exe	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\SysWOW64\cic\cmd.exe	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\System32\ScavengeSpace\lsm.exe	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\System32\comcat\0a1fd5f707cd16	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\SysWOW64\SensApi\ebf1f9fa8afd6d	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\System32\lpk\conhost.exe	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\System32\lpk\088424020bedd6	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\System32\KBDSOREX\spoolsv.exe	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\System32\KBDSOREX\f3b6ecef712a24	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\SysWOW64\cic\ebf1f9fa8afd6d	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Windows\System32\ScavengeSpace\101b941d020240	DriversavesRuntimecommonReviewrefbroker.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\de-DE\conhost.exe	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Program Files\Windows Mail\de-DE\088424020bedd6	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe	DriversavesRuntimecommonReviewrefbroker.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\cc11b995f2a76d	DriversavesRuntimecommonReviewrefbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1580	schtasks.exe
1352	schtasks.exe
1464	schtasks.exe
2028	schtasks.exe
1472	schtasks.exe
760	schtasks.exe
996	schtasks.exe
1844	schtasks.exe
1740	schtasks.exe
1888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1516	DriversavesRuntimecommonReviewrefbroker.exe
1516	DriversavesRuntimecommonReviewrefbroker.exe
1516	DriversavesRuntimecommonReviewrefbroker.exe
1516	DriversavesRuntimecommonReviewrefbroker.exe
1516	DriversavesRuntimecommonReviewrefbroker.exe
1516	DriversavesRuntimecommonReviewrefbroker.exe
1516	DriversavesRuntimecommonReviewrefbroker.exe
1516	DriversavesRuntimecommonReviewrefbroker.exe
1516	DriversavesRuntimecommonReviewrefbroker.exe
428	conhost.exe
428	conhost.exe
428	conhost.exe
428	conhost.exe
428	conhost.exe
428	conhost.exe
428	conhost.exe
428	conhost.exe
428	conhost.exe
428	conhost.exe
428	conhost.exe
428	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
428	conhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	DriversavesRuntimecommonReviewrefbroker.exe
Token: SeDebugPrivilege	428	conhost.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 268	1568	ad7507c90821598ae3ed6e8b6c3fdb36.exe	27
PID 1568 wrote to memory of 268	1568	ad7507c90821598ae3ed6e8b6c3fdb36.exe	27
PID 1568 wrote to memory of 268	1568	ad7507c90821598ae3ed6e8b6c3fdb36.exe	27
PID 1568 wrote to memory of 268	1568	ad7507c90821598ae3ed6e8b6c3fdb36.exe	27
PID 1568 wrote to memory of 552	1568	ad7507c90821598ae3ed6e8b6c3fdb36.exe	28
PID 1568 wrote to memory of 552	1568	ad7507c90821598ae3ed6e8b6c3fdb36.exe	28
PID 1568 wrote to memory of 552	1568	ad7507c90821598ae3ed6e8b6c3fdb36.exe	28
PID 1568 wrote to memory of 552	1568	ad7507c90821598ae3ed6e8b6c3fdb36.exe	28
PID 268 wrote to memory of 2016	268	WScript.exe	29
PID 268 wrote to memory of 2016	268	WScript.exe	29
PID 268 wrote to memory of 2016	268	WScript.exe	29
PID 268 wrote to memory of 2016	268	WScript.exe	29
PID 2016 wrote to memory of 1516	2016	cmd.exe	31
PID 2016 wrote to memory of 1516	2016	cmd.exe	31
PID 2016 wrote to memory of 1516	2016	cmd.exe	31
PID 2016 wrote to memory of 1516	2016	cmd.exe	31
PID 1516 wrote to memory of 1368	1516	DriversavesRuntimecommonReviewrefbroker.exe	43
PID 1516 wrote to memory of 1368	1516	DriversavesRuntimecommonReviewrefbroker.exe	43
PID 1516 wrote to memory of 1368	1516	DriversavesRuntimecommonReviewrefbroker.exe	43
PID 1368 wrote to memory of 1468	1368	cmd.exe	45
PID 1368 wrote to memory of 1468	1368	cmd.exe	45
PID 1368 wrote to memory of 1468	1368	cmd.exe	45
PID 1368 wrote to memory of 428	1368	cmd.exe	46
PID 1368 wrote to memory of 428	1368	cmd.exe	46
PID 1368 wrote to memory of 428	1368	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\ad7507c90821598ae3ed6e8b6c3fdb36.exe
"C:\Users\Admin\AppData\Local\Temp\ad7507c90821598ae3ed6e8b6c3fdb36.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\DriversavesRuntimecommon\OkPX18dWDtVLA0gJUAYq8tEymJIvb.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\DriversavesRuntimecommon\i8SeDW7.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exe
      "C:\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exe"
      4⤵
      DcRat
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mCeKmEwry1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1368
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1468
      - C:\Program Files\Windows Mail\de-DE\conhost.exe
        
        "C:\Program Files\Windows Mail\de-DE\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:428
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\DriversavesRuntimecommon\file.vbs"
  2⤵
  PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\lpk\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\iassvcs\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\KBDSOREX\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\cic\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\ScavengeSpace\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\networkexplorer\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\SensApi\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\comcat\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-72-0x0000000000E00000-0x0000000000EFE000-memory.dmp

Filesize
1016KB

Download
memory/428-73-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/428-74-0x000000001B300000-0x000000001B302000-memory.dmp

Filesize
8KB

Download
memory/1516-66-0x000000001B120000-0x000000001B122000-memory.dmp

Filesize
8KB

Download
memory/1516-67-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1516-68-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/1516-65-0x0000000000250000-0x000000000034E000-memory.dmp

Filesize
1016KB

Download
memory/1568-55-0x0000000076371000-0x0000000076373000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads