dcrat | b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf

Resubmissions

26-12-2022 00:04

221226-acrmcafe2y 10

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:02

26-12-2022 00:01

Analysis

max time kernel
119s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2022 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
Size

1.7MB
MD5

c090c2077f7c71e38f4b7fedfe0ef1e3
SHA1

2d01b3e7f9f80961aa6bada443a5d969bf88c052
SHA256

a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56
SHA512

150d46cd92ab52985ee1cfa197ecfb50fe83c3d7070b99ffd187e72582b6b539e63edb990dc820882a900f446512c391557848568c35d57382abb48207e0d028
SSDEEP

24576:U2G/nvxW3Ww0tjWmsIUvGdf4wNKfgo9WB4E/rR9NVGIoUtcrneDa0kPs/MQdb6Of:UbA30jW9vgwrng9EIZyqa0esNnN5P

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1952	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	1952	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	1952	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1952	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1952	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1952	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\ServerReview\bridgeProviderref.exe	dcrat
C:\ServerReview\bridgeProviderref.exe	dcrat
behavioral9/memory/1308-139-0x0000000000BC0000-0x0000000000D38000-memory.dmp	dcrat
C:\Users\Default\RuntimeBroker.exe	dcrat
C:\Users\Default User\RuntimeBroker.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

bridgeProviderref.exeRuntimeBroker.exe

pid process

1308 bridgeProviderref.exe
1560 RuntimeBroker.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exeWScript.exebridgeProviderref.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	bridgeProviderref.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3436 schtasks.exe
364 schtasks.exe
1936 schtasks.exe
1720 schtasks.exe
1836 schtasks.exe
2816 schtasks.exe

pid	process
3436	schtasks.exe
364	schtasks.exe
1936	schtasks.exe
1720	schtasks.exe
1836	schtasks.exe
2816	schtasks.exe

Modifies registry class 1 IoCs

Processes:

a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

bridgeProviderref.exeRuntimeBroker.exe

pid	process
1308	bridgeProviderref.exe
1560	RuntimeBroker.exe
1560	RuntimeBroker.exe
1560	RuntimeBroker.exe
1560	RuntimeBroker.exe
1560	RuntimeBroker.exe
1560	RuntimeBroker.exe
1560	RuntimeBroker.exe
1560	RuntimeBroker.exe
1560	RuntimeBroker.exe
1560	RuntimeBroker.exe
1560	RuntimeBroker.exe
1560	RuntimeBroker.exe
1560	RuntimeBroker.exe
1560	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RuntimeBroker.exe

pid process

1560 RuntimeBroker.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bridgeProviderref.exeRuntimeBroker.exe

description pid process

Token: SeDebugPrivilege 1308 bridgeProviderref.exe
Token: SeDebugPrivilege 1560 RuntimeBroker.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RuntimeBroker.exe

pid process

1560 RuntimeBroker.exe

pid	process
1560	RuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	1308	bridgeProviderref.exe
Token: SeDebugPrivilege	1560	RuntimeBroker.exe

pid	process
1560	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exeWScript.execmd.exebridgeProviderref.exe

description	pid	process	target process
PID 4172 wrote to memory of 2016	4172	a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe	WScript.exe
PID 4172 wrote to memory of 2016	4172	a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe	WScript.exe
PID 4172 wrote to memory of 2016	4172	a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe	WScript.exe
PID 2016 wrote to memory of 4756	2016	WScript.exe	cmd.exe
PID 2016 wrote to memory of 4756	2016	WScript.exe	cmd.exe
PID 2016 wrote to memory of 4756	2016	WScript.exe	cmd.exe
PID 4756 wrote to memory of 1308	4756	cmd.exe	bridgeProviderref.exe
PID 4756 wrote to memory of 1308	4756	cmd.exe	bridgeProviderref.exe
PID 1308 wrote to memory of 1560	1308	bridgeProviderref.exe	RuntimeBroker.exe
PID 1308 wrote to memory of 1560	1308	bridgeProviderref.exe	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
"C:\Users\Admin\AppData\Local\Temp\a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ServerReview\MzalesUHq9EVa0XF.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ServerReview\sWa1toVd2dh5viFItIPl1K.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\ServerReview\bridgeProviderref.exe
"C:\ServerReview\bridgeProviderref.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Default User\RuntimeBroker.exe
"C:\Users\Default User\RuntimeBroker.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ServerReview\MzalesUHq9EVa0XF.vbe
Filesize
211B

MD5
fb66d6d565dce17c5007b0a7e4df8b73

SHA1
1a968335d68201d39ce11439b434721c7c28cdde

SHA256
141fbc97b724eda2dedcba78ca1d5f340a817c56e338c5bf8624afa2477e7736

SHA512
d7c160c69e06862cdc9e626d27c757f267ca75a888ec71ab8ccbaf237173c463f58d79e6775232684e452a4e0910110c318b5ee0f39657590cdbb1c1da6f9fcc

Download Submit
C:\ServerReview\bridgeProviderref.exe
Filesize
1.4MB

MD5
8734e10de083db53ee35a423e7d7c9a9

SHA1
eed4e041b8b2e235d5200cdc39fd63ead9989f0f

SHA256
3687ba9aef354b3bd04ca7af044d1fcbcd0c643df76c7038dffc51c9a0d17620

SHA512
627d249a5fc80c5d8c9cdf78a079be7430ac154fae4147afedb833b79c3f89ddc08ad63da50a09b817e8248eeb0ab58d56d6f730b1df30deae9b3f4b39d33e51

Download Submit
C:\ServerReview\bridgeProviderref.exe
Filesize
1.4MB

MD5
8734e10de083db53ee35a423e7d7c9a9

SHA1
eed4e041b8b2e235d5200cdc39fd63ead9989f0f

SHA256
3687ba9aef354b3bd04ca7af044d1fcbcd0c643df76c7038dffc51c9a0d17620

SHA512
627d249a5fc80c5d8c9cdf78a079be7430ac154fae4147afedb833b79c3f89ddc08ad63da50a09b817e8248eeb0ab58d56d6f730b1df30deae9b3f4b39d33e51

Download Submit
C:\ServerReview\sWa1toVd2dh5viFItIPl1K.bat
Filesize
39B

MD5
dbba88d93e1a4c249cd8c44bd99cf3d3

SHA1
75bf459416022380605880066cc0bef81966b4f8

SHA256
e8f43b3eb90675247331fbba6091b365bf672bf4096de426af3ac9c627c23462

SHA512
38f65e02dfc2b95aaf626040dac731b7e997aba3873cd832bac29e39e7afcfc52b9b46ea5cde943a5fa55889a45cddaaa753fea071822d4c9060e00c89706b52

Download Submit
C:\Users\Default User\RuntimeBroker.exe
Filesize
1.4MB

MD5
8734e10de083db53ee35a423e7d7c9a9

SHA1
eed4e041b8b2e235d5200cdc39fd63ead9989f0f

SHA256
3687ba9aef354b3bd04ca7af044d1fcbcd0c643df76c7038dffc51c9a0d17620

SHA512
627d249a5fc80c5d8c9cdf78a079be7430ac154fae4147afedb833b79c3f89ddc08ad63da50a09b817e8248eeb0ab58d56d6f730b1df30deae9b3f4b39d33e51

Download Submit
C:\Users\Default\RuntimeBroker.exe
Filesize
1.4MB

MD5
8734e10de083db53ee35a423e7d7c9a9

SHA1
eed4e041b8b2e235d5200cdc39fd63ead9989f0f

SHA256
3687ba9aef354b3bd04ca7af044d1fcbcd0c643df76c7038dffc51c9a0d17620

SHA512
627d249a5fc80c5d8c9cdf78a079be7430ac154fae4147afedb833b79c3f89ddc08ad63da50a09b817e8248eeb0ab58d56d6f730b1df30deae9b3f4b39d33e51

Download Submit
memory/1308-136-0x0000000000000000-mapping.dmp

Download
memory/1308-139-0x0000000000BC0000-0x0000000000D38000-memory.dmp

Filesize
1.5MB

Download
memory/1308-140-0x0000000002E40000-0x0000000002E90000-memory.dmp

Filesize
320KB

Download
memory/1308-141-0x000000001D150000-0x000000001D678000-memory.dmp

Filesize
5.2MB

Download
memory/1308-142-0x00007FF870140000-0x00007FF870C01000-memory.dmp

Filesize
10.8MB

Download
memory/1308-146-0x00007FF870140000-0x00007FF870C01000-memory.dmp

Filesize
10.8MB

Download
memory/1560-143-0x0000000000000000-mapping.dmp

Download
memory/1560-147-0x00007FF870140000-0x00007FF870C01000-memory.dmp

Filesize
10.8MB

Download
memory/1560-148-0x000000001E930000-0x000000001EAF2000-memory.dmp

Filesize
1.8MB

Download
memory/1560-149-0x00007FF870140000-0x00007FF870C01000-memory.dmp

Filesize
10.8MB

Download
memory/2016-132-0x0000000000000000-mapping.dmp

Download
memory/4756-135-0x0000000000000000-mapping.dmp

Download