dcrat | 21b581a0eee089081f0ee4b52641b33565240499a2eaf2fd7bd0123ee584e98d

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe
Size

1.3MB
MD5

67332c4b46c0b9f29d331cafc6aa3564
SHA1

5c409710f34b49a25ceb4773b879ebcc0c4ad610
SHA256

21b581a0eee089081f0ee4b52641b33565240499a2eaf2fd7bd0123ee584e98d
SHA512

9125cc8fed810522e2929c34a8d6dfbbfab2a03d5ee761fb4d86768ac9259e41bc3b57892375301afc3bacd00dd92d13d26f60147455c9d5e224feb812ff3ba7
SSDEEP

24576:MzaHCAvwbSr2sTzNratLY5gaTfcb+MeZvD6PdG942L+EUL++4:MzEZwbSrf3mFpAKGP+J

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/5108-132-0x0000000000960000-0x0000000000AAC000-memory.dmp	dcrat
C:\Windows\System32\msvcr100_clr0400\RuntimeBroker.exe	dcrat
C:\Windows\System32\msvcr100_clr0400\RuntimeBroker.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

RuntimeBroker.exe

pid process

4992 RuntimeBroker.exe

pid	process
4992	RuntimeBroker.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe

Drops file in System32 directory 4 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe

description	ioc	process
File created	C:\Windows\System32\msvcr100_clr0400\RuntimeBroker.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe
File created	C:\Windows\System32\msvcr100_clr0400\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe
File created	C:\Windows\System32\DavSyncProvider\RuntimeBroker.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe
File created	C:\Windows\System32\DavSyncProvider\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe

Drops file in Program Files directory 3 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\services.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe
File opened for modification	C:\Program Files\Uninstall Information\services.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe
File created	C:\Program Files\Uninstall Information\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe

Drops file in Windows directory 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe

description	ioc	process
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi.CppWinrt\SearchApp.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi.CppWinrt\38384e6a620884a6b69bcc56f80d556f9200171c	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4392 schtasks.exe
5076 schtasks.exe
4592 schtasks.exe
712 schtasks.exe
2940 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exeRuntimeBroker.exe

pid process

5108 HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe
4992 RuntimeBroker.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exeRuntimeBroker.exe

description pid process

Token: SeDebugPrivilege 5108 HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe
Token: SeDebugPrivilege 4992 RuntimeBroker.exe

pid	process
4392	schtasks.exe
5076	schtasks.exe
4592	schtasks.exe
712	schtasks.exe
2940	schtasks.exe

pid	process
5108	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe
4992	RuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	5108	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe
Token: SeDebugPrivilege	4992	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe

description	pid	process	target process
PID 5108 wrote to memory of 4592	5108	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe	schtasks.exe
PID 5108 wrote to memory of 4592	5108	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe	schtasks.exe
PID 5108 wrote to memory of 712	5108	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe	schtasks.exe
PID 5108 wrote to memory of 712	5108	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe	schtasks.exe
PID 5108 wrote to memory of 2940	5108	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe	schtasks.exe
PID 5108 wrote to memory of 2940	5108	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe	schtasks.exe
PID 5108 wrote to memory of 4392	5108	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe	schtasks.exe
PID 5108 wrote to memory of 4392	5108	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe	schtasks.exe
PID 5108 wrote to memory of 5076	5108	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe	schtasks.exe
PID 5108 wrote to memory of 5076	5108	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe	schtasks.exe
PID 5108 wrote to memory of 4992	5108	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe	RuntimeBroker.exe
PID 5108 wrote to memory of 4992	5108	HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-21b581a0eee0.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4592

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\msvcr100_clr0400\RuntimeBroker.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:712

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\DavSyncProvider\RuntimeBroker.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2940

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4392

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi.CppWinrt\SearchApp.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:5076

C:\Windows\System32\msvcr100_clr0400\RuntimeBroker.exe
"C:\Windows\System32\msvcr100_clr0400\RuntimeBroker.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\msvcr100_clr0400\RuntimeBroker.exe

Filesize
1.3MB

MD5
67332c4b46c0b9f29d331cafc6aa3564

SHA1
5c409710f34b49a25ceb4773b879ebcc0c4ad610

SHA256
21b581a0eee089081f0ee4b52641b33565240499a2eaf2fd7bd0123ee584e98d

SHA512
9125cc8fed810522e2929c34a8d6dfbbfab2a03d5ee761fb4d86768ac9259e41bc3b57892375301afc3bacd00dd92d13d26f60147455c9d5e224feb812ff3ba7

Download Submit
C:\Windows\System32\msvcr100_clr0400\RuntimeBroker.exe

Filesize
1.3MB

MD5
67332c4b46c0b9f29d331cafc6aa3564

SHA1
5c409710f34b49a25ceb4773b879ebcc0c4ad610

SHA256
21b581a0eee089081f0ee4b52641b33565240499a2eaf2fd7bd0123ee584e98d

SHA512
9125cc8fed810522e2929c34a8d6dfbbfab2a03d5ee761fb4d86768ac9259e41bc3b57892375301afc3bacd00dd92d13d26f60147455c9d5e224feb812ff3ba7

Download Submit
memory/712-135-0x0000000000000000-mapping.dmp

Download
memory/2940-136-0x0000000000000000-mapping.dmp

Download
memory/4392-138-0x0000000000000000-mapping.dmp

Download
memory/4592-134-0x0000000000000000-mapping.dmp

Download
memory/4992-140-0x0000000000000000-mapping.dmp

Download
memory/4992-144-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/4992-145-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/5076-139-0x0000000000000000-mapping.dmp

Download
memory/5108-132-0x0000000000960000-0x0000000000AAC000-memory.dmp

Filesize
1.3MB

Download
memory/5108-137-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/5108-133-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/5108-143-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads