dcrat | 7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941

General

Target

7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe
Size

2.2MB
MD5

7666f4f50e25b9c8af50a605b2292170
SHA1

adef3e910f165eb6071767c7b40fd7cf22452cbd
SHA256

7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941
SHA512

6b433ffa42d30003fda168a4754dc4aabeef8309a308625816909d52587148650acb05b5ad73251113d4539f09aa2d015213623ace63aa020cd2841d93ebb988

Score

10^/10

dcrat evasion infostealer rat suricata

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
suricata: ET MALWARE DCRat Initial CnC Activity
suricata: ET MALWARE DCRat Initial CnC Activity
suricata
Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

intosaves.exe

pid process

4344 intosaves.exe

pid	process
4344	intosaves.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4208 4344 WerFault.exe intosaves.exe

pid	pid_target	process	target process
4208	4344	WerFault.exe	intosaves.exe

Modifies registry class 1 IoCs

Processes:

7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

612 reg.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

intosaves.exe

pid process

4344 intosaves.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

intosaves.exe

description pid process

Token: SeDebugPrivilege 4344 intosaves.exe

pid	process
612	reg.exe

pid	process
4344	intosaves.exe

description	pid	process
Token: SeDebugPrivilege	4344	intosaves.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exeWScript.execmd.exe

description	pid	process	target process
PID 1660 wrote to memory of 3256	1660	7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe	WScript.exe
PID 1660 wrote to memory of 3256	1660	7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe	WScript.exe
PID 1660 wrote to memory of 3256	1660	7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe	WScript.exe
PID 3256 wrote to memory of 2704	3256	WScript.exe	cmd.exe
PID 3256 wrote to memory of 2704	3256	WScript.exe	cmd.exe
PID 3256 wrote to memory of 2704	3256	WScript.exe	cmd.exe
PID 2704 wrote to memory of 4344	2704	cmd.exe	intosaves.exe
PID 2704 wrote to memory of 4344	2704	cmd.exe	intosaves.exe
PID 2704 wrote to memory of 612	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 612	2704	cmd.exe	reg.exe
PID 2704 wrote to memory of 612	2704	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe
"C:\Users\Admin\AppData\Local\Temp\7b525a28909d97e57d16d09c1822b67ba00337765ed77af6f1dd1e96d4afb941.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dllmonitor\System.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dllmonitor\SbKTlw6muT4F2chJx8w3W6yERRzEz7.bat" "
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe
"C:\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4344 -s 1608
5⤵
- Program crash
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4344 -ip 4344
1⤵
PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dllmonitor\SbKTlw6muT4F2chJx8w3W6yERRzEz7.bat
Filesize
842B

MD5
e4d4b17e3621218be34b7117f74ac948

SHA1
0c5b51c38c39fc565fec9877078ca95648aedef1

SHA256
9cfd87cfce8da1e7f75b4147add05e5e41e0aab96fae685a0cff07abc0a4742d

SHA512
6f60a51fb9d471330c5f937053bb50db49590e7f7aca97dfee785bd5fff737ece08723740ceb103ebb4eeba246eeec78a40900b74ff9f1a7978337094de724a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllmonitor\System.lnk
Filesize
1KB

MD5
bbd0c424031b28684049cf8de579bd2c

SHA1
94c8a9e70ee2504b8e2abe04fe2cbeaefb821577

SHA256
c29975fd7653b65a656fc93d6ae211f44d7aa7adf22c972d2cdc8748ba9a55d4

SHA512
99dccf0d39a332e6f4fd509205c610601b54ced8c024a477c9336f0050e7d7af40d0d65fd27f57e18904e5287089a177e41c954543ed872be534bc2c6da38341

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllmonitor\System.vbe
Filesize
380B

MD5
5e414ecd3f6fb5aff033c2ebdbf760cf

SHA1
916bc9a94a7955e68c75961d43f62626d1babbe7

SHA256
40dcb2f375c5670213a1889913979165a3bd75db6c1552b6b029feb8c0036e34

SHA512
2b3f37abe6c5280143731e36a732feac7b2d566e7405ca8a2a1bdcd988698fd384aeffc0f2ff92b7c3e58cc294ecabddfb8bfab45b76c652b1e75012f690ec35

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe
Filesize
2.2MB

MD5
409efdc11afb323a6e0225b66c4a0f93

SHA1
0fbe66e14b3921bc5d9263ff05c3f14610895856

SHA256
6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db

SHA512
e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllmonitor\intosaves.exe
Filesize
2.2MB

MD5
409efdc11afb323a6e0225b66c4a0f93

SHA1
0fbe66e14b3921bc5d9263ff05c3f14610895856

SHA256
6fa40ea6d7026adcfd51854157e308b4169228eca157ef6e44ef1213e238b7db

SHA512
e2e072c190ae32585069760cecd96509d4f95ef884f5a6121a9f58e806aaab47272ec090454d4a1ada734b58d0d7fc95cab147047a1ecca74b8a6d7a43848a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllmonitor\vmcheck32.dll
Filesize
512B

MD5
f081890855292272e24956525ee2dc68

SHA1
dcc25c30ad10f3e6b7aee39c2818f117387bf74f

SHA256
7c4c7518abe7b0c594823d0c23e364f224143f2f4e9592b60324a57be6763de9

SHA512
ca8e9a1c30ec9954351930fe562a2e4ca89a9b423eca5704312dc5dd8db4d4787f22aaf83f983787cfaac2ab6313ac9a4de5809b3eab80f2b3d2082d71683971

Download Submit
memory/612-141-0x0000000000000000-mapping.dmp

Download
memory/2704-133-0x0000000000000000-mapping.dmp

Download
memory/3256-130-0x0000000000000000-mapping.dmp

Download
memory/4344-135-0x0000000000000000-mapping.dmp

Download
memory/4344-138-0x00000201188D0000-0x0000020118B04000-memory.dmp

Filesize
2.2MB

Download
memory/4344-139-0x00007FF8A1EB0000-0x00007FF8A2971000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads