dcrat | b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d

Resubmissions

25/01/2022, 20:58

220125-zr9txafah2 10

25/01/2022, 05:22

220125-f2kszshddn 10

Analysis

max time kernel
118s
max time network
128s
platform
windows10_x64
resource
win10-en-20211208
submitted
25/01/2022, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5320340037751e10748b6463fab8ee0.exe
Size

2.1MB
MD5

b5320340037751e10748b6463fab8ee0
SHA1

b3e9a125688e9da67708adfcada41bb56de2cd3d
SHA256

b45b4ee4146fc230dc6ea93a1af252314acc9b4adab82f36103e8f782589983d
SHA512

67e3bdc6c8db9ed127dc0a7a0fcb431a7294fd8daf77fe6ce4042a3cb63b9576130f1d3b3aee665dc16c1de4ede96ed7976789e63a4d61178c631d3d76e06138

Score

10^/10

dcrat infostealer persistence rat suricata

Malware Config

Signatures

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
File created	C:\Windows\System32\KBDINBEN\f3b6ecef712a24		b5320340037751e10748b6463fab8ee0.exe
		4028	schtasks.exe
		2828	schtasks.exe
		1536	schtasks.exe
		924	schtasks.exe
File created	C:\Windows\System32\KBDINBEN\spoolsv.exe		b5320340037751e10748b6463fab8ee0.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	spoolsv.exe

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	1416	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1416	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1416	schtasks.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1416	schtasks.exe	69

suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
suricata

Executes dropped EXE 1 IoCs

pid	Process
3196	spoolsv.exe

Deletes itself 1 IoCs

pid	Process
3196	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\wlansvc\\RuntimeBroker.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDINBEN\\spoolsv.exe\""	b5320340037751e10748b6463fab8ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Windows\\debug\\SearchUI.exe\""	b5320340037751e10748b6463fab8ee0.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\KBDINBEN\spoolsv.exe	b5320340037751e10748b6463fab8ee0.exe
File opened for modification	C:\Windows\System32\KBDINBEN\spoolsv.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\KBDINBEN\f3b6ecef712a24	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\wlansvc\RuntimeBroker.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\System32\wlansvc\9e8d7a4ca61bd9	b5320340037751e10748b6463fab8ee0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\debug\SearchUI.exe	b5320340037751e10748b6463fab8ee0.exe
File created	C:\Windows\debug\dab4d89cac03ec	b5320340037751e10748b6463fab8ee0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4028	schtasks.exe
2828	schtasks.exe
1536	schtasks.exe
924	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	b5320340037751e10748b6463fab8ee0.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
736	b5320340037751e10748b6463fab8ee0.exe
736	b5320340037751e10748b6463fab8ee0.exe
736	b5320340037751e10748b6463fab8ee0.exe
1420	powershell.exe
3952	powershell.exe
1900	powershell.exe
776	powershell.exe
4012	powershell.exe
4012	powershell.exe
1900	powershell.exe
1420	powershell.exe
3952	powershell.exe
776	powershell.exe
4012	powershell.exe
1420	powershell.exe
1900	powershell.exe
3952	powershell.exe
776	powershell.exe
3196	spoolsv.exe
3196	spoolsv.exe
3196	spoolsv.exe
3196	spoolsv.exe
3196	spoolsv.exe
3196	spoolsv.exe
3196	spoolsv.exe
3196	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	736	b5320340037751e10748b6463fab8ee0.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeIncreaseQuotaPrivilege	1900	powershell.exe
Token: SeSecurityPrivilege	1900	powershell.exe
Token: SeTakeOwnershipPrivilege	1900	powershell.exe
Token: SeLoadDriverPrivilege	1900	powershell.exe
Token: SeSystemProfilePrivilege	1900	powershell.exe
Token: SeSystemtimePrivilege	1900	powershell.exe
Token: SeProfSingleProcessPrivilege	1900	powershell.exe
Token: SeIncBasePriorityPrivilege	1900	powershell.exe
Token: SeCreatePagefilePrivilege	1900	powershell.exe
Token: SeBackupPrivilege	1900	powershell.exe
Token: SeRestorePrivilege	1900	powershell.exe
Token: SeShutdownPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeSystemEnvironmentPrivilege	1900	powershell.exe
Token: SeRemoteShutdownPrivilege	1900	powershell.exe
Token: SeUndockPrivilege	1900	powershell.exe
Token: SeManageVolumePrivilege	1900	powershell.exe
Token: 33	1900	powershell.exe
Token: 34	1900	powershell.exe
Token: 35	1900	powershell.exe
Token: 36	1900	powershell.exe
Token: SeIncreaseQuotaPrivilege	776	powershell.exe
Token: SeSecurityPrivilege	776	powershell.exe
Token: SeTakeOwnershipPrivilege	776	powershell.exe
Token: SeLoadDriverPrivilege	776	powershell.exe
Token: SeSystemProfilePrivilege	776	powershell.exe
Token: SeSystemtimePrivilege	776	powershell.exe
Token: SeProfSingleProcessPrivilege	776	powershell.exe
Token: SeIncBasePriorityPrivilege	776	powershell.exe
Token: SeCreatePagefilePrivilege	776	powershell.exe
Token: SeBackupPrivilege	776	powershell.exe
Token: SeRestorePrivilege	776	powershell.exe
Token: SeShutdownPrivilege	776	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeSystemEnvironmentPrivilege	776	powershell.exe
Token: SeRemoteShutdownPrivilege	776	powershell.exe
Token: SeUndockPrivilege	776	powershell.exe
Token: SeManageVolumePrivilege	776	powershell.exe
Token: 33	776	powershell.exe
Token: 34	776	powershell.exe
Token: 35	776	powershell.exe
Token: 36	776	powershell.exe
Token: SeIncreaseQuotaPrivilege	3952	powershell.exe
Token: SeSecurityPrivilege	3952	powershell.exe
Token: SeTakeOwnershipPrivilege	3952	powershell.exe
Token: SeLoadDriverPrivilege	3952	powershell.exe
Token: SeSystemProfilePrivilege	3952	powershell.exe
Token: SeSystemtimePrivilege	3952	powershell.exe
Token: SeProfSingleProcessPrivilege	3952	powershell.exe
Token: SeIncBasePriorityPrivilege	3952	powershell.exe
Token: SeCreatePagefilePrivilege	3952	powershell.exe
Token: SeBackupPrivilege	3952	powershell.exe
Token: SeRestorePrivilege	3952	powershell.exe
Token: SeIncreaseQuotaPrivilege	1420	powershell.exe
Token: SeShutdownPrivilege	3952	powershell.exe
Token: SeSecurityPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeTakeOwnershipPrivilege	1420	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 1420	736	b5320340037751e10748b6463fab8ee0.exe	74
PID 736 wrote to memory of 1420	736	b5320340037751e10748b6463fab8ee0.exe	74
PID 736 wrote to memory of 3952	736	b5320340037751e10748b6463fab8ee0.exe	83
PID 736 wrote to memory of 3952	736	b5320340037751e10748b6463fab8ee0.exe	83
PID 736 wrote to memory of 776	736	b5320340037751e10748b6463fab8ee0.exe	82
PID 736 wrote to memory of 776	736	b5320340037751e10748b6463fab8ee0.exe	82
PID 736 wrote to memory of 4012	736	b5320340037751e10748b6463fab8ee0.exe	81
PID 736 wrote to memory of 4012	736	b5320340037751e10748b6463fab8ee0.exe	81
PID 736 wrote to memory of 1900	736	b5320340037751e10748b6463fab8ee0.exe	80
PID 736 wrote to memory of 1900	736	b5320340037751e10748b6463fab8ee0.exe	80
PID 736 wrote to memory of 772	736	b5320340037751e10748b6463fab8ee0.exe	84
PID 736 wrote to memory of 772	736	b5320340037751e10748b6463fab8ee0.exe	84
PID 772 wrote to memory of 2104	772	cmd.exe	86
PID 772 wrote to memory of 2104	772	cmd.exe	86
PID 772 wrote to memory of 3196	772	cmd.exe	88
PID 772 wrote to memory of 3196	772	cmd.exe	88
PID 3196 wrote to memory of 1684	3196	spoolsv.exe	91
PID 3196 wrote to memory of 1684	3196	spoolsv.exe	91
PID 3196 wrote to memory of 3544	3196	spoolsv.exe	93
PID 3196 wrote to memory of 3544	3196	spoolsv.exe	93
PID 3196 wrote to memory of 3604	3196	spoolsv.exe	95
PID 3196 wrote to memory of 3604	3196	spoolsv.exe	95
PID 3196 wrote to memory of 684	3196	spoolsv.exe	97
PID 3196 wrote to memory of 684	3196	spoolsv.exe	97
PID 3196 wrote to memory of 3952	3196	spoolsv.exe	99
PID 3196 wrote to memory of 3952	3196	spoolsv.exe	99
PID 3196 wrote to memory of 1216	3196	spoolsv.exe	101
PID 3196 wrote to memory of 1216	3196	spoolsv.exe	101
PID 3196 wrote to memory of 2600	3196	spoolsv.exe	103
PID 3196 wrote to memory of 2600	3196	spoolsv.exe	103
PID 2600 wrote to memory of 4024	2600	cmd.exe	105
PID 2600 wrote to memory of 4024	2600	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe
"C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe"
1⤵
- DcRat
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b5320340037751e10748b6463fab8ee0.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\dllhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wlansvc\RuntimeBroker.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\SearchUI.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDINBEN\spoolsv.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUvcrzcpRj.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2104
- - C:\Windows\System32\KBDINBEN\spoolsv.exe
    "C:\Windows\System32\KBDINBEN\spoolsv.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /Delete /tn "b5320340037751e10748b6463fab8ee0" /f
      4⤵
      PID:1684
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /Delete /tn "spoolsv" /f
      4⤵
      PID:3544
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /Delete /tn "SearchUI" /f
      4⤵
      PID:3604
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /Delete /tn "RuntimeBroker" /f
      4⤵
      PID:684
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /Delete /tn "dllhost" /f
      4⤵
      PID:3952
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /Delete /tn "spoolsv" /f
      4⤵
      PID:1216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\KBDINBEN\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\debug\SearchUI.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\wlansvc\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/736-115-0x0000000000730000-0x000000000095C000-memory.dmp

Filesize
2.2MB

Download
memory/736-124-0x0000000001200000-0x000000000120A000-memory.dmp

Filesize
40KB

Download
memory/736-123-0x0000000001210000-0x000000000121C000-memory.dmp

Filesize
48KB

Download
memory/736-122-0x00000000010C0000-0x00000000010CC000-memory.dmp

Filesize
48KB

Download
memory/736-121-0x000000001C3C0000-0x000000001C8E6000-memory.dmp

Filesize
5.1MB

Download
memory/736-120-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/736-119-0x00000000010A0000-0x00000000010A8000-memory.dmp

Filesize
32KB

Download
memory/736-118-0x0000000001090000-0x000000000109A000-memory.dmp

Filesize
40KB

Download
memory/736-117-0x000000001B880000-0x000000001B882000-memory.dmp

Filesize
8KB

Download
memory/736-116-0x0000000001040000-0x0000000001096000-memory.dmp

Filesize
344KB

Download
memory/776-158-0x00000250F5900000-0x00000250F5902000-memory.dmp

Filesize
8KB

Download
memory/776-205-0x00000250F5906000-0x00000250F5908000-memory.dmp

Filesize
8KB

Download
memory/776-159-0x00000250F5903000-0x00000250F5905000-memory.dmp

Filesize
8KB

Download
memory/1420-201-0x000001D63E346000-0x000001D63E348000-memory.dmp

Filesize
8KB

Download
memory/1420-152-0x000001D63E343000-0x000001D63E345000-memory.dmp

Filesize
8KB

Download
memory/1420-142-0x000001D63E340000-0x000001D63E342000-memory.dmp

Filesize
8KB

Download
memory/1900-199-0x00000173F8A56000-0x00000173F8A58000-memory.dmp

Filesize
8KB

Download
memory/1900-156-0x00000173F8A53000-0x00000173F8A55000-memory.dmp

Filesize
8KB

Download
memory/1900-155-0x00000173F8A50000-0x00000173F8A52000-memory.dmp

Filesize
8KB

Download
memory/3196-329-0x000000001B040000-0x000000001B042000-memory.dmp

Filesize
8KB

Download
memory/3196-330-0x000000001BCE0000-0x000000001BEA2000-memory.dmp

Filesize
1.8MB

Download
memory/3952-145-0x0000022DFBA00000-0x0000022DFBA02000-memory.dmp

Filesize
8KB

Download
memory/3952-203-0x0000022DFBA06000-0x0000022DFBA08000-memory.dmp

Filesize
8KB

Download
memory/3952-160-0x0000022DFB9C0000-0x0000022DFB9E2000-memory.dmp

Filesize
136KB

Download
memory/3952-154-0x0000022DFBA03000-0x0000022DFBA05000-memory.dmp

Filesize
8KB

Download
memory/4012-200-0x0000026FDD636000-0x0000026FDD638000-memory.dmp

Filesize
8KB

Download
memory/4012-165-0x0000026FF7A10000-0x0000026FF7A86000-memory.dmp

Filesize
472KB

Download
memory/4012-157-0x0000026FDD633000-0x0000026FDD635000-memory.dmp

Filesize
8KB

Download
memory/4012-150-0x0000026FDD630000-0x0000026FDD632000-memory.dmp

Filesize
8KB

Download