dcrat | a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409

General

Target

a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
Size

3.9MB
MD5

84c119baf2964e44d504f6172d89f593
SHA1

d74042f52d0a2d5cd4543b6c4a8e31b8a4c5bee4
SHA256

a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409
SHA512

3dcac82230c278b8a1c4e063d79bd308c8e8ee65e71d8e0b371ac8520049fd2a863bc0b9b910989a5e310534aea6fe1274c2774e755ca701b977f8bc983bef6b

Score

10^/10

dcrat evasion infostealer rat themida trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1580-59-0x0000000000C10000-0x0000000001682000-memory.dmp	dcrat
behavioral1/memory/1580-60-0x0000000000C10000-0x0000000001682000-memory.dmp	dcrat
behavioral1/memory/1580-69-0x0000000000C10000-0x0000000001682000-memory.dmp	dcrat
behavioral1/memory/1984-75-0x00000000011A0000-0x0000000001C12000-memory.dmp	dcrat
behavioral1/memory/1984-76-0x00000000011A0000-0x0000000001C12000-memory.dmp	dcrat
behavioral1/memory/1984-77-0x00000000011A0000-0x0000000001C12000-memory.dmp	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exeWmiPrvSE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WmiPrvSE.exe

Executes dropped EXE 1 IoCs

Processes:

WmiPrvSE.exe

pid process

1984 WmiPrvSE.exe

pid	process
1984	WmiPrvSE.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exeWmiPrvSE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WmiPrvSE.exe

Loads dropped DLL 1 IoCs

Processes:

a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe

pid process

1580 a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe

pid	process
1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1580-59-0x0000000000C10000-0x0000000001682000-memory.dmp	themida
behavioral1/memory/1580-60-0x0000000000C10000-0x0000000001682000-memory.dmp	themida
\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe	themida
C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe	themida
behavioral1/memory/1580-69-0x0000000000C10000-0x0000000001682000-memory.dmp	themida
behavioral1/memory/1984-75-0x00000000011A0000-0x0000000001C12000-memory.dmp	themida
behavioral1/memory/1984-76-0x00000000011A0000-0x0000000001C12000-memory.dmp	themida
behavioral1/memory/1984-77-0x00000000011A0000-0x0000000001C12000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exeWmiPrvSE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exeWmiPrvSE.exe

pid process

1580 a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
1984 WmiPrvSE.exe

pid	process
1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
1984	WmiPrvSE.exe

Drops file in Program Files directory 6 IoCs

Processes:

a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\24dbde2999530ef5fd907494bc374d663924116c	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\explorer.exe	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
File created	C:\Program Files\Windows Journal\en-US\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\csrss.exe	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
File created	C:\Program Files\Microsoft Office\Office14\886983d96e3d3e31032c679b2d4ea91b6c05afef	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe

Drops file in Windows directory 3 IoCs

Processes:

a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe

description	ioc	process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\886983d96e3d3e31032c679b2d4ea91b6c05afef	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..installer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_148db478a63514af\spoolsv.exe	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2004 schtasks.exe
1768 schtasks.exe
1052 schtasks.exe
680 schtasks.exe
1332 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exeWmiPrvSE.exe

pid process

1580 a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
1984 WmiPrvSE.exe

pid	process
2004	schtasks.exe
1768	schtasks.exe
1052	schtasks.exe
680	schtasks.exe
1332	schtasks.exe

pid	process
1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
1984	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exeWmiPrvSE.exe

description	pid	process
Token: SeDebugPrivilege	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
Token: SeDebugPrivilege	1984	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe

description	pid	process	target process
PID 1580 wrote to memory of 2004	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 2004	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 2004	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 2004	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 1768	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 1768	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 1768	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 1768	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 1052	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 1052	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 1052	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 1052	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 680	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 680	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 680	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 680	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 1332	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 1332	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 1332	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 1332	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	schtasks.exe
PID 1580 wrote to memory of 1984	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	WmiPrvSE.exe
PID 1580 wrote to memory of 1984	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	WmiPrvSE.exe
PID 1580 wrote to memory of 1984	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	WmiPrvSE.exe
PID 1580 wrote to memory of 1984	1580	a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe	WmiPrvSE.exe

C:\Users\Admin\AppData\Local\Temp\a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe
"C:\Users\Admin\AppData\Local\Temp\a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2004

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\619fcb42-bc70-11ec-bd6f-84e31b84a9f2\smss.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1768

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\explorer.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1052

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:680

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1332

C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe
"C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe
Filesize
3.9MB

MD5
84c119baf2964e44d504f6172d89f593

SHA1
d74042f52d0a2d5cd4543b6c4a8e31b8a4c5bee4

SHA256
a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409

SHA512
3dcac82230c278b8a1c4e063d79bd308c8e8ee65e71d8e0b371ac8520049fd2a863bc0b9b910989a5e310534aea6fe1274c2774e755ca701b977f8bc983bef6b

Download Submit
\Program Files (x86)\Microsoft Visual Studio 8\WmiPrvSE.exe
Filesize
3.9MB

MD5
84c119baf2964e44d504f6172d89f593

SHA1
d74042f52d0a2d5cd4543b6c4a8e31b8a4c5bee4

SHA256
a753520f6e10b07283488893315f3c5e03fbed7e27b303e95934d62f1acaa409

SHA512
3dcac82230c278b8a1c4e063d79bd308c8e8ee65e71d8e0b371ac8520049fd2a863bc0b9b910989a5e310534aea6fe1274c2774e755ca701b977f8bc983bef6b

Download Submit
memory/680-64-0x0000000000000000-mapping.dmp

Download
memory/1052-63-0x0000000000000000-mapping.dmp

Download
memory/1332-65-0x0000000000000000-mapping.dmp

Download
memory/1580-71-0x0000000077860000-0x00000000779E0000-memory.dmp

Filesize
1.5MB

Download
memory/1580-55-0x0000000000C10000-0x0000000001682000-memory.dmp

Filesize
10.4MB

Download
memory/1580-54-0x0000000076811000-0x0000000076813000-memory.dmp

Filesize
8KB

Download
memory/1580-60-0x0000000000C10000-0x0000000001682000-memory.dmp

Filesize
10.4MB

Download
memory/1580-59-0x0000000000C10000-0x0000000001682000-memory.dmp

Filesize
10.4MB

Download
memory/1580-56-0x0000000077860000-0x00000000779E0000-memory.dmp

Filesize
1.5MB

Download
memory/1580-70-0x0000000006380000-0x0000000006DF2000-memory.dmp

Filesize
10.4MB

Download
memory/1580-69-0x0000000000C10000-0x0000000001682000-memory.dmp

Filesize
10.4MB

Download
memory/1768-62-0x0000000000000000-mapping.dmp

Download
memory/1984-67-0x0000000000000000-mapping.dmp

Download
memory/1984-75-0x00000000011A0000-0x0000000001C12000-memory.dmp

Filesize
10.4MB

Download
memory/1984-76-0x00000000011A0000-0x0000000001C12000-memory.dmp

Filesize
10.4MB

Download
memory/1984-77-0x00000000011A0000-0x0000000001C12000-memory.dmp

Filesize
10.4MB

Download
memory/1984-78-0x0000000077860000-0x00000000779E0000-memory.dmp

Filesize
1.5MB

Download
memory/2004-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads