dcrat | 493a2547e41f5c448e3638a63a91a3b07950202fb912d187688223eb4081483f

General

Target

ab7fbb991d61dcb9affcb581c459e9d3.exe
Size

2.3MB
MD5

ab7fbb991d61dcb9affcb581c459e9d3
SHA1

abe33bd69ac60e2a0b06ed8201d41fb430ff518c
SHA256

493a2547e41f5c448e3638a63a91a3b07950202fb912d187688223eb4081483f
SHA512

edca9ae34af65a69c7b157adfcc17579e6cd2bfe80aef9c05cb7c1534d49992e234ba43ba76987d6d22d020cf47e34e32c2c600b09df1ff49f1055a0d7e0b5cb

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 10 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeab7fbb991d61dcb9affcb581c459e9d3.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
972	schtasks.exe
1924	schtasks.exe
360	schtasks.exe
1612	schtasks.exe
1048	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\0d211b22-5878-11ec-a979-5e852a8e65ec\\smss.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
1736	schtasks.exe
1732	schtasks.exe
1792	schtasks.exe

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1432	schtasks.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Documents and Settings\\taskhost.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\csrss.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\iscsiexe\\csrss.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\wpcuninst\\WmiPrvSE.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\csrss.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\0d211b22-5878-11ec-a979-5e852a8e65ec\\smss.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\control\\wininit.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ab7fbb991d61dcb9affcb581c459e9d3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20211208-150211-0\\ab7fbb991d61dcb9affcb581c459e9d3.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab7fbb991d61dcb9affcb581c459e9d3.exe

Drops file in System32 directory 6 IoCs

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exe

description	ioc	process
File created	C:\Windows\System32\control\wininit.exe	ab7fbb991d61dcb9affcb581c459e9d3.exe
File created	C:\Windows\System32\control\56085415360792	ab7fbb991d61dcb9affcb581c459e9d3.exe
File created	C:\Windows\System32\iscsiexe\csrss.exe	ab7fbb991d61dcb9affcb581c459e9d3.exe
File created	C:\Windows\System32\iscsiexe\886983d96e3d3e	ab7fbb991d61dcb9affcb581c459e9d3.exe
File created	C:\Windows\System32\wbem\wpcuninst\WmiPrvSE.exe	ab7fbb991d61dcb9affcb581c459e9d3.exe
File created	C:\Windows\System32\wbem\wpcuninst\24dbde2999530e	ab7fbb991d61dcb9affcb581c459e9d3.exe

Drops file in Program Files directory 2 IoCs

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\csrss.exe	ab7fbb991d61dcb9affcb581c459e9d3.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\886983d96e3d3e	ab7fbb991d61dcb9affcb581c459e9d3.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1064 956 WerFault.exe ab7fbb991d61dcb9affcb581c459e9d3.exe
1908 972 WerFault.exe schtasks.exe
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1736 schtasks.exe
1732 schtasks.exe
1792 schtasks.exe
1612 schtasks.exe
1048 schtasks.exe
972 schtasks.exe
1924 schtasks.exe
360 schtasks.exe

pid	pid_target	process	target process
1064	956	WerFault.exe	ab7fbb991d61dcb9affcb581c459e9d3.exe
1908	972	WerFault.exe	schtasks.exe

pid	process
1736	schtasks.exe
1732	schtasks.exe
1792	schtasks.exe
1612	schtasks.exe
1048	schtasks.exe
972	schtasks.exe
1924	schtasks.exe
360	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exeWerFault.exe

pid	process
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
956	ab7fbb991d61dcb9affcb581c459e9d3.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe
1064	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 956 ab7fbb991d61dcb9affcb581c459e9d3.exe
Token: SeDebugPrivilege 1064 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	956	ab7fbb991d61dcb9affcb581c459e9d3.exe
Token: SeDebugPrivilege	1064	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exeschtasks.exe

description	pid	process	target process
PID 956 wrote to memory of 1064	956	ab7fbb991d61dcb9affcb581c459e9d3.exe	WerFault.exe
PID 956 wrote to memory of 1064	956	ab7fbb991d61dcb9affcb581c459e9d3.exe	WerFault.exe
PID 956 wrote to memory of 1064	956	ab7fbb991d61dcb9affcb581c459e9d3.exe	WerFault.exe
PID 972 wrote to memory of 1908	972	schtasks.exe	WerFault.exe
PID 972 wrote to memory of 1908	972	schtasks.exe	WerFault.exe
PID 972 wrote to memory of 1908	972	schtasks.exe	WerFault.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ab7fbb991d61dcb9affcb581c459e9d3.exe

C:\Users\Admin\AppData\Local\Temp\ab7fbb991d61dcb9affcb581c459e9d3.exe
"C:\Users\Admin\AppData\Local\Temp\ab7fbb991d61dcb9affcb581c459e9d3.exe"
1⤵
- DcRat
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 956 -s 1232
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\0d211b22-5878-11ec-a979-5e852a8e65ec\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 972 -s 244
2⤵
- Program crash
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\control\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ab7fbb991d61dcb9affcb581c459e9d3" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\lpksetup-20211208-150211-0\ab7fbb991d61dcb9affcb581c459e9d3.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Documents and Settings\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\iscsiexe\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wpcuninst\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-55-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/956-56-0x0000000000B10000-0x0000000000D6C000-memory.dmp

Filesize
2.4MB

Download
memory/956-57-0x000000001B310000-0x000000001B312000-memory.dmp

Filesize
8KB

Download
memory/956-58-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/956-59-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/956-60-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/956-61-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/956-62-0x0000000000310000-0x0000000000366000-memory.dmp

Filesize
344KB

Download
memory/956-63-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/956-64-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/956-65-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/956-66-0x000000001B316000-0x000000001B335000-memory.dmp

Filesize
124KB

Download
memory/1064-67-0x000007FEFC2A1000-0x000007FEFC2A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads