dcrat | 87d453765a28d077f2e7f2fc88d3d74da20ff46ce8091b997eb090e75ef2b927

General

Target

87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
Size

1.2MB
MD5

9813aa384e2c0d3ae5d2fa54f94371a1
SHA1

39d610d7d3131f0c6bcb9b5866e6d34596ea9647
SHA256

87d453765a28d077f2e7f2fc88d3d74da20ff46ce8091b997eb090e75ef2b927
SHA512

9502f14d66d20af12a8750bf6ca7a2ad83fdd86162bb455e86c88be522053377470497b0cb81430d2e747db9f2b0b033b641c8f68400e433f8888a73143454eb
SSDEEP

24576:yPdhBJ+P1fWl87ElLyYAUML/JqR4NA+4:MXDszElLylUMlpp

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	4024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	4024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	4024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	4024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4024	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/5016-132-0x0000000000040000-0x000000000017A000-memory.dmp	dcrat
C:\Users\Public\Music\winlogon.exe	dcrat
C:\Users\Public\Music\winlogon.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

2924 winlogon.exe

pid	process
2924	winlogon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Media Player\\Skins\\wininit.exe\""	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\PerfLogs\\wininit.exe\""	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PerfLogs\\dllhost.exe\""	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\""	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Music\\winlogon.exe\""	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Common Files\\DESIGNER\\winlogon.exe\""	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe

Drops file in Program Files directory 4 IoCs

Processes:

87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\Skins\560854153607923c4c5f107085a7db67be01f252	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
File created	C:\Program Files\Common Files\DESIGNER\winlogon.exe	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
File created	C:\Program Files\Common Files\DESIGNER\cc11b995f2a76da408ea6a601e682e64743153ad	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\wininit.exe	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5112 schtasks.exe
824 schtasks.exe
5104 schtasks.exe
4472 schtasks.exe
4680 schtasks.exe
4548 schtasks.exe

pid	process
5112	schtasks.exe
824	schtasks.exe
5104	schtasks.exe
4472	schtasks.exe
4680	schtasks.exe
4548	schtasks.exe

Modifies registry class 1 IoCs

Processes:

87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exewinlogon.exe

pid process

5016 87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
2924 winlogon.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exewinlogon.exe

description pid process

Token: SeDebugPrivilege 5016 87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
Token: SeDebugPrivilege 2924 winlogon.exe

pid	process
5016	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
2924	winlogon.exe

description	pid	process
Token: SeDebugPrivilege	5016	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
Token: SeDebugPrivilege	2924	winlogon.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.execmd.exe

description	pid	process	target process
PID 5016 wrote to memory of 3380	5016	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe	cmd.exe
PID 5016 wrote to memory of 3380	5016	87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe	cmd.exe
PID 3380 wrote to memory of 920	3380	cmd.exe	w32tm.exe
PID 3380 wrote to memory of 920	3380	cmd.exe	w32tm.exe
PID 3380 wrote to memory of 2924	3380	cmd.exe	winlogon.exe
PID 3380 wrote to memory of 2924	3380	cmd.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe
"C:\Users\Admin\AppData\Local\Temp\87D453765A28D077F2E7F2FC88D3D74DA20FF46CE8091.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K9JeJ3TW8v.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:920

C:\Users\Public\Music\winlogon.exe
"C:\Users\Public\Music\winlogon.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PerfLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\PerfLogs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\K9JeJ3TW8v.bat
Filesize
198B

MD5
611c8c56169d57101f6485eccb36d953

SHA1
4d2db5a76556c65676181e349ce8789f45ef67e6

SHA256
5a3a802a1e99ae3f68fd08acfa5522c8b813b5a22631f1f801f5359ca5e0ff1b

SHA512
5e57dec053dcee8716db0049723e8fbae48672953e057b9948c9b0194c4d036ba09ad53e7e342b04b38321284dd564744674f47f1992f8861ebc3bbdeb508e40

Download Submit
C:\Users\Public\Music\winlogon.exe
Filesize
1.2MB

MD5
9813aa384e2c0d3ae5d2fa54f94371a1

SHA1
39d610d7d3131f0c6bcb9b5866e6d34596ea9647

SHA256
87d453765a28d077f2e7f2fc88d3d74da20ff46ce8091b997eb090e75ef2b927

SHA512
9502f14d66d20af12a8750bf6ca7a2ad83fdd86162bb455e86c88be522053377470497b0cb81430d2e747db9f2b0b033b641c8f68400e433f8888a73143454eb

Download Submit
C:\Users\Public\Music\winlogon.exe
Filesize
1.2MB

MD5
9813aa384e2c0d3ae5d2fa54f94371a1

SHA1
39d610d7d3131f0c6bcb9b5866e6d34596ea9647

SHA256
87d453765a28d077f2e7f2fc88d3d74da20ff46ce8091b997eb090e75ef2b927

SHA512
9502f14d66d20af12a8750bf6ca7a2ad83fdd86162bb455e86c88be522053377470497b0cb81430d2e747db9f2b0b033b641c8f68400e433f8888a73143454eb

Download Submit
memory/920-137-0x0000000000000000-mapping.dmp

Download
memory/2924-138-0x0000000000000000-mapping.dmp

Download
memory/2924-141-0x00007FF9F5BF0000-0x00007FF9F66B1000-memory.dmp

Filesize
10.8MB

Download
memory/2924-142-0x00007FF9F5BF0000-0x00007FF9F66B1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-134-0x0000000000000000-mapping.dmp

Download
memory/5016-132-0x0000000000040000-0x000000000017A000-memory.dmp

Filesize
1.2MB

Download
memory/5016-133-0x00007FF9F6340000-0x00007FF9F6E01000-memory.dmp

Filesize
10.8MB

Download
memory/5016-135-0x00007FF9F6340000-0x00007FF9F6E01000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads