dcrat | 1368c1a64455e8afed1c60f660f63e79b717be659c639f619d3591d684196aba

General

Target

a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
Size

828KB
MD5

a0fe7c0a48a3a0f88f52b82b6fca8d9d
SHA1

27c8ef07a014b2e3ba7efa6542a4098de50ce582
SHA256

1368c1a64455e8afed1c60f660f63e79b717be659c639f619d3591d684196aba
SHA512

3d39b95b77b979b4b5e8723fe12380334c36eb553cd115a61455e699c600091ce17759771bbeea086429fcecdf7423607361236650aff8c6c8e2779c2f5a8782
SSDEEP

12288:eRbgNHLA+BeYYUQ0Zf3ThR5CHcC9lxcLQQbpIQePMCxqo:+bArA+BeVUQ4f3gH1OLQOpIMCx3

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	3076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	3076	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/5112-132-0x0000000000490000-0x0000000000566000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

Drops file in Windows directory 8 IoCs

Processes:

a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

description	ioc	process
File created	C:\Windows\tracing\dwm.exe	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Windows\tracing\6cb0b6c459d5d3	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Windows\Microsoft.NET\Framework\1040\sihost.exe	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Windows\Microsoft.NET\Framework\1040\66fc9ff0ee96c2	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Windows\Cursors\Registry.exe	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Windows\Cursors\ee2ad38f3d4382	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Windows\tracing\taskhostw.exe	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
File created	C:\Windows\tracing\ea9f0e6c9e2dcd	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4416	schtasks.exe
1316	schtasks.exe
1556	schtasks.exe
1640	schtasks.exe
4908	schtasks.exe
3704	schtasks.exe
4304	schtasks.exe
4912	schtasks.exe
4228	schtasks.exe
1144	schtasks.exe
3096	schtasks.exe
3964	schtasks.exe
3604	schtasks.exe
5036	schtasks.exe
4936	schtasks.exe
1100	schtasks.exe
1676	schtasks.exe
2368	schtasks.exe
3172	schtasks.exe
1964	schtasks.exe
4824	schtasks.exe
4532	schtasks.exe
4452	schtasks.exe
1684	schtasks.exe

Modifies registry class 1 IoCs

Processes:

a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

pid process

5112 a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

description pid process

Token: SeDebugPrivilege 5112 a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

pid	process
5112	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

description	pid	process
Token: SeDebugPrivilege	5112	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a0fe7c0a48a3a0f88f52b82b6fca8d9d.execmd.exe

description	pid	process	target process
PID 5112 wrote to memory of 1312	5112	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe	cmd.exe
PID 5112 wrote to memory of 1312	5112	a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe	cmd.exe
PID 1312 wrote to memory of 4960	1312	cmd.exe	w32tm.exe
PID 1312 wrote to memory of 4960	1312	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe
"C:\Users\Admin\AppData\Local\Temp\a0fe7c0a48a3a0f88f52b82b6fca8d9d.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Uv2DsoZ6LS.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\tracing\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework\1040\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\1040\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework\1040\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Cursors\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\tracing\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Uv2DsoZ6LS.bat
Filesize
191B

MD5
c1150278276ee6c09c26f0a348858d04

SHA1
13b1ddb925ff15fe78ab2b0c827b801d9662b38c

SHA256
c98681498f02f5ebd601cec6b317f5a4a74e2aadf2549e236b943ad5af4820c5

SHA512
351c874babdb1a5b0d9841b16a2bdc3acd1efe46b51901fe8bb2d3ffaf7f1b3b51efb82ccbe1532789885e3f3b722562cf5134f174012877d31a7c675c45ba26

Download Submit
memory/1312-134-0x0000000000000000-mapping.dmp

Download
memory/4960-136-0x0000000000000000-mapping.dmp

Download
memory/5112-132-0x0000000000490000-0x0000000000566000-memory.dmp

Filesize
856KB

Download
memory/5112-133-0x00007FFA77EA0000-0x00007FFA78961000-memory.dmp

Filesize
10.8MB

Download
memory/5112-137-0x00007FFA77EA0000-0x00007FFA78961000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads