dcrat | da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55

General

Target

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
Size

1.5MB
MD5

a56ceff4ed3d8f469e16324d0109e3c6
SHA1

0052b50b6409c6983b6e81b7dce3eaa28dbe6f7f
SHA256

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55
SHA512

45e6b8e3578be057ded58898a1e3a05e11327ac32dd1dcee53d7135a8db76d63c459a677d8ae4a592644826f7b0046eb72d6365973ea122bb25c7513f5781642
SSDEEP

24576:ewCXoM4MF0QizuJ7dhu+M9bvIpFeHb5APIYwXKhFuDTzz/UNR:72ojMYzuJHu/9bvIOCwf0uDz+R

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	3572	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	3572	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3444-132-0x00000000001C0000-0x0000000000608000-memory.dmp	dcrat
behavioral2/memory/3444-133-0x00000000001C0000-0x0000000000608000-memory.dmp	dcrat
behavioral2/memory/3444-141-0x00000000001C0000-0x0000000000608000-memory.dmp	dcrat
behavioral2/memory/1344-143-0x0000000000F60000-0x00000000013A8000-memory.dmp	dcrat
behavioral2/memory/1344-144-0x0000000000F60000-0x00000000013A8000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

wininit.exe

pid process

1344 wininit.exe

pid	process
1344	wininit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exewininit.exe

pid	process
3444	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe

Drops file in Program Files directory 2 IoCs

Processes:

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe

description	ioc	process
File created	C:\Program Files\Windows Security\wininit.exe	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
File created	C:\Program Files\Windows Security\56085415360792	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4800	schtasks.exe
4792	schtasks.exe
1660	schtasks.exe
4140	schtasks.exe
5012	schtasks.exe
3432	schtasks.exe
1320	schtasks.exe
4116	schtasks.exe
3540	schtasks.exe
3340	schtasks.exe
1644	schtasks.exe
1512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exewininit.exe

pid	process
3444	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
3444	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
3444	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
3444	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
3444	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe
1344	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

wininit.exe

pid process

1344 wininit.exe

pid	process
1344	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	3444	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
Token: SeDebugPrivilege	1344	wininit.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exewininit.exe

pid process

3444 da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
1344 wininit.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe

description	pid	process	target process
PID 3444 wrote to memory of 1344	3444	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe	wininit.exe
PID 3444 wrote to memory of 1344	3444	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe	wininit.exe
PID 3444 wrote to memory of 1344	3444	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe	wininit.exe

C:\Users\Admin\AppData\Local\Temp\da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
"C:\Users\Admin\AppData\Local\Temp\da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3444

C:\Program Files\Windows Security\wininit.exe
"C:\Program Files\Windows Security\wininit.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Security\wininit.exe
Filesize
1.5MB

MD5
a56ceff4ed3d8f469e16324d0109e3c6

SHA1
0052b50b6409c6983b6e81b7dce3eaa28dbe6f7f

SHA256
da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55

SHA512
45e6b8e3578be057ded58898a1e3a05e11327ac32dd1dcee53d7135a8db76d63c459a677d8ae4a592644826f7b0046eb72d6365973ea122bb25c7513f5781642

Download Submit
C:\Program Files\Windows Security\wininit.exe
Filesize
1.5MB

MD5
a56ceff4ed3d8f469e16324d0109e3c6

SHA1
0052b50b6409c6983b6e81b7dce3eaa28dbe6f7f

SHA256
da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55

SHA512
45e6b8e3578be057ded58898a1e3a05e11327ac32dd1dcee53d7135a8db76d63c459a677d8ae4a592644826f7b0046eb72d6365973ea122bb25c7513f5781642

Download Submit
memory/1344-146-0x0000000008EA0000-0x0000000008F32000-memory.dmp

Filesize
584KB

Download
memory/1344-145-0x0000000000F60000-0x00000000013A8000-memory.dmp

Filesize
4.3MB

Download
memory/1344-144-0x0000000000F60000-0x00000000013A8000-memory.dmp

Filesize
4.3MB

Download
memory/1344-143-0x0000000000F60000-0x00000000013A8000-memory.dmp

Filesize
4.3MB

Download
memory/1344-142-0x0000000000F60000-0x00000000013A8000-memory.dmp

Filesize
4.3MB

Download
memory/1344-138-0x0000000000000000-mapping.dmp

Download
memory/3444-135-0x0000000005FD0000-0x0000000006020000-memory.dmp

Filesize
320KB

Download
memory/3444-141-0x00000000001C0000-0x0000000000608000-memory.dmp

Filesize
4.3MB

Download
memory/3444-137-0x00000000062A0000-0x0000000006306000-memory.dmp

Filesize
408KB

Download
memory/3444-136-0x0000000006E70000-0x000000000739C000-memory.dmp

Filesize
5.2MB

Download
memory/3444-132-0x00000000001C0000-0x0000000000608000-memory.dmp

Filesize
4.3MB

Download
memory/3444-134-0x0000000006390000-0x0000000006934000-memory.dmp

Filesize
5.6MB

Download
memory/3444-133-0x00000000001C0000-0x0000000000608000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads