dcrat | 7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941

General

Target

7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe
Size

2.2MB
MD5

7666f4f50e25b9c8af50a605b2292170
SHA1

adef3e910f165eb6071767c7b40fd7cf22452cbd
SHA256

7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941
SHA512

6b433ffa42d30003fda168a4754dc4aabeef8309a308625816909d52587148650acb05b5ad73251113d4539f09aa2d015213623ace63aa020cd2841d93ebb988

Score

10^/10

dcrat evasion infostealer rat suricata

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
suricata: ET MALWARE DCRat Initial CnC Activity
suricata: ET MALWARE DCRat Initial CnC Activity
suricata
Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

intosaves.exe

pid process

820 intosaves.exe

pid	process
820	intosaves.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

472 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1596 reg.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

intosaves.exe

pid process

820 intosaves.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

intosaves.exe

description pid process

Token: SeDebugPrivilege 820 intosaves.exe

pid	process
472	cmd.exe

pid	process
1596	reg.exe

pid	process
820	intosaves.exe

description	pid	process
Token: SeDebugPrivilege	820	intosaves.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exeWScript.execmd.exe

description	pid	process	target process
PID 1868 wrote to memory of 828	1868	7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe	WScript.exe
PID 1868 wrote to memory of 828	1868	7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe	WScript.exe
PID 1868 wrote to memory of 828	1868	7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe	WScript.exe
PID 1868 wrote to memory of 828	1868	7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe	WScript.exe
PID 828 wrote to memory of 472	828	WScript.exe	cmd.exe
PID 828 wrote to memory of 472	828	WScript.exe	cmd.exe
PID 828 wrote to memory of 472	828	WScript.exe	cmd.exe
PID 828 wrote to memory of 472	828	WScript.exe	cmd.exe
PID 472 wrote to memory of 820	472	cmd.exe	intosaves.exe
PID 472 wrote to memory of 820	472	cmd.exe	intosaves.exe
PID 472 wrote to memory of 820	472	cmd.exe	intosaves.exe
PID 472 wrote to memory of 820	472	cmd.exe	intosaves.exe
PID 472 wrote to memory of 1596	472	cmd.exe	reg.exe
PID 472 wrote to memory of 1596	472	cmd.exe	reg.exe
PID 472 wrote to memory of 1596	472	cmd.exe	reg.exe
PID 472 wrote to memory of 1596	472	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe
"C:\Users\Admin\AppData\Local\Temp\7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dllmonitor\System.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dllmonitor\SbKTlw6muT4F2chJx8w3W6yERRzEz7.bat" "
3⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:472

C:\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe
"C:\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dllmonitor\SbKTlw6muT4F2chJx8w3W6yERRzEz7.bat
Filesize
842B

MD5
e4d4b17e3621218be34b7117f74ac948

SHA1
0c5b51c38c39fc565fec9877078ca95648aedef1

SHA256
9cfd87cfce8da1e7f75b4147add05e5e41e0aab96fae685a0cff07abc0a4742d

SHA512
6f60a51fb9d471330c5f937053bb50db49590e7f7aca97dfee785bd5fff737ece08723740ceb103ebb4eeba246eeec78a40900b74ff9f1a7978337094de724a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllmonitor\System.lnk
Filesize
1KB

MD5
fd4fef8e6a2aab668b95f28aae7b6a36

SHA1
a2b52ddc1cb22f3609a781621336df788ffad73b

SHA256
bd1c7dbecf7f0255bb3f54acc34c86e74bd78120d0148a48a44804e862f490a7

SHA512
3d0f6f4cacd81d79f798a6ea12cdcabef290c4a1fa02ea6d7a8cad0baaf25c8d51452b63a1257dd29d8dcfe467144f5648a5837cb80a7f9564043b09bdef96e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllmonitor\System.vbe
Filesize
380B

MD5
5e414ecd3f6fb5aff033c2ebdbf760cf

SHA1
916bc9a94a7955e68c75961d43f62626d1babbe7

SHA256
40dcb2f375c5670213a1889913979165a3bd75db6c1552b6b029feb8c0036e34

SHA512
2b3f37abe6c5280143731e36a732feac7b2d566e7405ca8a2a1bdcd988698fd384aeffc0f2ff92b7c3e58cc294ecabddfb8bfab45b76c652b1e75012f690ec35

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe
Filesize
2.2MB

MD5
409efdc11afb323a6e0225b66c4a0f93

SHA1
0fbe66e14b3921bc5d9263ff05c3f14610895856

SHA256
6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db

SHA512
e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe
Filesize
2.2MB

MD5
409efdc11afb323a6e0225b66c4a0f93

SHA1
0fbe66e14b3921bc5d9263ff05c3f14610895856

SHA256
6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db

SHA512
e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllmonitor\vmcheck32.dll
Filesize
512B

MD5
f081890855292272e24956525ee2dc68

SHA1
dcc25c30ad10f3e6b7aee39c2818f117387bf74f

SHA256
7c4c7518abe7b0c594823d0c23e364f224143f2f4e9592b60324a57be6763de9

SHA512
ca8e9a1c30ec9954351930fe562a2e4ca89a9b423eca5704312dc5dd8db4d4787f22aaf83f983787cfaac2ab6313ac9a4de5809b3eab80f2b3d2082d71683971

Download Submit
\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe
Filesize
2.2MB

MD5
409efdc11afb323a6e0225b66c4a0f93

SHA1
0fbe66e14b3921bc5d9263ff05c3f14610895856

SHA256
6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db

SHA512
e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66

Download Submit
memory/472-59-0x0000000000000000-mapping.dmp

Download
memory/820-62-0x0000000000000000-mapping.dmp

Download
memory/820-65-0x0000000000CA0000-0x0000000000ED4000-memory.dmp

Filesize
2.2MB

Download
memory/820-66-0x000000001B600000-0x000000001B952000-memory.dmp

Filesize
3.3MB

Download
memory/820-67-0x0000000000250000-0x00000000002A4000-memory.dmp

Filesize
336KB

Download
memory/820-68-0x000000001AE50000-0x000000001AECC000-memory.dmp

Filesize
496KB

Download
memory/820-69-0x000000001B0B0000-0x000000001B140000-memory.dmp

Filesize
576KB

Download
memory/820-70-0x0000000000950000-0x0000000000966000-memory.dmp

Filesize
88KB

Download
memory/828-55-0x0000000000000000-mapping.dmp

Download
memory/1596-72-0x0000000000000000-mapping.dmp

Download
memory/1868-54-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing