dcrat | 1368c1a64455e8afed1c60f660f63e79b717be659c639f619d3591d684196aba

General

Target

a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
Size

828KB
MD5

a0fe7c0a48a3a0f88f52b82b6fca8d9d
SHA1

27c8ef07a014b2e3ba7efa6542a4098de50ce582
SHA256

1368c1a64455e8afed1c60f660f63e79b717be659c639f619d3591d684196aba
SHA512

3d39b95b77b979b4b5e8723fe12380334c36eb553cd115a61455e699c600091ce17759771bbeea086429fcecdf7423607361236650aff8c6c8e2779c2f5a8782
SSDEEP

12288:eRbgNHLA+BeYYUQ0Zf3ThR5CHcC9lxcLQQbpIQePMCxqo:+bArA+BeVUQ4f3gH1OLQOpIMCx3

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	612	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1408-54-0x0000000000980000-0x0000000000A56000-memory.dmp	dcrat
C:\Users\Default\Desktop\spoolsv.exe	dcrat
C:\Users\Default\Desktop\spoolsv.exe	dcrat
behavioral1/memory/1472-58-0x0000000000300000-0x00000000003D6000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

spoolsv.exe

pid process

1472 spoolsv.exe

pid	process
1472	spoolsv.exe

Drops file in Program Files directory 8 IoCs

Processes:

a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\886983d96e3d3e	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Program Files\Java\jre7\lsass.exe	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Program Files\Java\jre7\6203df4a6bafc7	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\101b941d020240	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\lsm.exe	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\101b941d020240	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\csrss.exe	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

Drops file in Windows directory 5 IoCs

Processes:

a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

description	ioc	process
File created	C:\Windows\TAPI\spoolsv.exe	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File opened for modification	C:\Windows\TAPI\spoolsv.exe	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Windows\TAPI\f3b6ecef712a24	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Windows\Vss\Writers\lsm.exe	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Windows\Vss\Writers\101b941d020240	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1920	schtasks.exe
1504	schtasks.exe
1140	schtasks.exe
1404	schtasks.exe
1304	schtasks.exe
1176	schtasks.exe
1748	schtasks.exe
1500	schtasks.exe
1812	schtasks.exe
1544	schtasks.exe
1524	schtasks.exe
1700	schtasks.exe
1468	schtasks.exe
1968	schtasks.exe
1440	schtasks.exe
520	schtasks.exe
1692	schtasks.exe
812	schtasks.exe
1964	schtasks.exe
1044	schtasks.exe
1040	schtasks.exe
1188	schtasks.exe
1640	schtasks.exe
1276	schtasks.exe
1092	schtasks.exe
556	schtasks.exe
1652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

a0fe7c0a48a3a0f88f52b82b6fca8d9d.exespoolsv.exe

pid	process
1408	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
1408	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
1408	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
1408	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
1408	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
1472	spoolsv.exe
1472	spoolsv.exe
1472	spoolsv.exe
1472	spoolsv.exe
1472	spoolsv.exe
1472	spoolsv.exe
1472	spoolsv.exe
1472	spoolsv.exe
1472	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a0fe7c0a48a3a0f88f52b82b6fca8d9d.exespoolsv.exe

description pid process

Token: SeDebugPrivilege 1408 a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
Token: SeDebugPrivilege 1472 spoolsv.exe

description	pid	process
Token: SeDebugPrivilege	1408	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
Token: SeDebugPrivilege	1472	spoolsv.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

description	pid	process	target process
PID 1408 wrote to memory of 1472	1408	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe	spoolsv.exe
PID 1408 wrote to memory of 1472	1408	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe	spoolsv.exe
PID 1408 wrote to memory of 1472	1408	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
"C:\Users\Admin\AppData\Local\Temp\a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Default\Desktop\spoolsv.exe
"C:\Users\Default\Desktop\spoolsv.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default\Desktop\spoolsv.exe
Filesize
828KB

MD5
a0fe7c0a48a3a0f88f52b82b6fca8d9d

SHA1
27c8ef07a014b2e3ba7efa6542a4098de50ce582

SHA256
1368c1a64455e8afed1c60f660f63e79b717be659c639f619d3591d684196aba

SHA512
3d39b95b77b979b4b5e8723fe12380334c36eb553cd115a61455e699c600091ce17759771bbeea086429fcecdf7423607361236650aff8c6c8e2779c2f5a8782

Download Submit
C:\Users\Default\Desktop\spoolsv.exe
Filesize
828KB

MD5
a0fe7c0a48a3a0f88f52b82b6fca8d9d

SHA1
27c8ef07a014b2e3ba7efa6542a4098de50ce582

SHA256
1368c1a64455e8afed1c60f660f63e79b717be659c639f619d3591d684196aba

SHA512
3d39b95b77b979b4b5e8723fe12380334c36eb553cd115a61455e699c600091ce17759771bbeea086429fcecdf7423607361236650aff8c6c8e2779c2f5a8782

Download Submit
memory/1408-54-0x0000000000980000-0x0000000000A56000-memory.dmp

Filesize
856KB

Download
memory/1472-55-0x0000000000000000-mapping.dmp

Download
memory/1472-58-0x0000000000300000-0x00000000003D6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads