dcrat | 493a2547e41f5c448e3638a63a91a3b07950202fb912d187688223eb4081483f

General

Target

ab7fbb991d61dcb9affcb581c459e9d3.exe
Size

2.3MB
MD5

ab7fbb991d61dcb9affcb581c459e9d3
SHA1

abe33bd69ac60e2a0b06ed8201d41fb430ff518c
SHA256

493a2547e41f5c448e3638a63a91a3b07950202fb912d187688223eb4081483f
SHA512

edca9ae34af65a69c7b157adfcc17579e6cd2bfe80aef9c05cb7c1534d49992e234ba43ba76987d6d22d020cf47e34e32c2c600b09df1ff49f1055a0d7e0b5cb

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 12 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeab7fbb991d61dcb9affcb581c459e9d3.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2832	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ab7fbb991d61dcb9affcb581c459e9d3.exe
3304	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\taskhostw.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Documents and Settings\\SearchApp.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
4060	schtasks.exe
2808	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RINTL.cs-cz\\OfficeClickToRun.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
2984	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PerfLogs\\smss.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\ProgramData\\Oracle\\Java\\installcache_x64\\backgroundTaskHost.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
2748	schtasks.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	3212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	3212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	3212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	3212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	3212	schtasks.exe

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4048 created 1992 4048 WerFault.exe ab7fbb991d61dcb9affcb581c459e9d3.exe
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

description	pid	process	target process
PID 4048 created 1992	4048	WerFault.exe	ab7fbb991d61dcb9affcb581c459e9d3.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\taskhostw.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RINTL.cs-cz\\OfficeClickToRun.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Documents and Settings\\SearchApp.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\tracerpt\\taskhostw.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PerfLogs\\smss.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\ProgramData\\Oracle\\Java\\installcache_x64\\backgroundTaskHost.exe\""	ab7fbb991d61dcb9affcb581c459e9d3.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab7fbb991d61dcb9affcb581c459e9d3.exe

Drops file in System32 directory 2 IoCs

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exe

description	ioc	process
File created	C:\Windows\System32\tracerpt\ea9f0e6c9e2dcd	ab7fbb991d61dcb9affcb581c459e9d3.exe
File created	C:\Windows\System32\tracerpt\taskhostw.exe	ab7fbb991d61dcb9affcb581c459e9d3.exe

Drops file in Program Files directory 4 IoCs

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\ea9f0e6c9e2dcd	ab7fbb991d61dcb9affcb581c459e9d3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz\OfficeClickToRun.exe	ab7fbb991d61dcb9affcb581c459e9d3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz\e6c9b481da804f	ab7fbb991d61dcb9affcb581c459e9d3.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe	ab7fbb991d61dcb9affcb581c459e9d3.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3292 1992 WerFault.exe ab7fbb991d61dcb9affcb581c459e9d3.exe

pid	pid_target	process	target process
3292	1992	WerFault.exe	ab7fbb991d61dcb9affcb581c459e9d3.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2832 schtasks.exe
2748 schtasks.exe
2808 schtasks.exe
2984 schtasks.exe
4060 schtasks.exe
3304 schtasks.exe

pid	process
2832	schtasks.exe
2748	schtasks.exe
2808	schtasks.exe
2984	schtasks.exe
4060	schtasks.exe
3304	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exeWerFault.exe

pid	process
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
3292	WerFault.exe
3292	WerFault.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
1992	ab7fbb991d61dcb9affcb581c459e9d3.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1992	ab7fbb991d61dcb9affcb581c459e9d3.exe
Token: SeShutdownPrivilege	3716	svchost.exe
Token: SeCreatePagefilePrivilege	3716	svchost.exe
Token: SeShutdownPrivilege	3716	svchost.exe
Token: SeCreatePagefilePrivilege	3716	svchost.exe
Token: SeShutdownPrivilege	3716	svchost.exe
Token: SeCreatePagefilePrivilege	3716	svchost.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WerFault.exe

description	pid	process	target process
PID 4048 wrote to memory of 1992	4048	WerFault.exe	ab7fbb991d61dcb9affcb581c459e9d3.exe
PID 4048 wrote to memory of 1992	4048	WerFault.exe	ab7fbb991d61dcb9affcb581c459e9d3.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

ab7fbb991d61dcb9affcb581c459e9d3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ab7fbb991d61dcb9affcb581c459e9d3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ab7fbb991d61dcb9affcb581c459e9d3.exe

C:\Users\Admin\AppData\Local\Temp\ab7fbb991d61dcb9affcb581c459e9d3.exe
"C:\Users\Admin\AppData\Local\Temp\ab7fbb991d61dcb9affcb581c459e9d3.exe"
1⤵
- DcRat
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1992 -s 1592
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\ProgramData\Oracle\Java\installcache_x64\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 1992 -ip 1992
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Documents and Settings\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\tracerpt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-130-0x00007FFC07C93000-0x00007FFC07C95000-memory.dmp

Filesize
8KB

Download
memory/1992-131-0x00000000007E0000-0x0000000000A3C000-memory.dmp

Filesize
2.4MB

Download
memory/1992-132-0x0000000000E80000-0x0000000000E82000-memory.dmp

Filesize
8KB

Download
memory/1992-133-0x000000001CE40000-0x000000001D368000-memory.dmp

Filesize
5.2MB

Download
memory/1992-135-0x0000000000E84000-0x0000000000E85000-memory.dmp

Filesize
4KB

Download
memory/1992-134-0x0000000000E82000-0x0000000000E84000-memory.dmp

Filesize
8KB

Download
memory/3716-136-0x000001937CF30000-0x000001937CF40000-memory.dmp

Filesize
64KB

Download
memory/3716-137-0x000001937CF90000-0x000001937CFA0000-memory.dmp

Filesize
64KB

Download
memory/3716-138-0x000001937FCB0000-0x000001937FCB4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads