dcrat | 6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Size

1.5MB
MD5

413be497be904c09aa8bfe8f0182a949
SHA1

9c5a69c83dbe2629290823d33c0afbce6d37f7bf
SHA256

6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21
SHA512

01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee
SSDEEP

24576:Ut0u6OwrhMEjG9rSVSv52b/1RPc0I+7xPgXJsVUAvu6jFShHpNpV8xH7+4:Uth6l+eGtUvcx+GXJsVXu6jFKpveK

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\bootstr\\sppsvc.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\explorer.exe\", \"C:\\Windows\\System32\\netman\\services.exe\", \"C:\\Windows\\System32\\networkitemfactory\\csrss.exe\", \"C:\\ProgramData\\Desktop\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\bootstr\\sppsvc.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\explorer.exe\", \"C:\\Windows\\System32\\netman\\services.exe\", \"C:\\Windows\\System32\\networkitemfactory\\csrss.exe\", \"C:\\ProgramData\\Desktop\\explorer.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\csrss.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\bootstr\\sppsvc.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\explorer.exe\", \"C:\\Windows\\System32\\netman\\services.exe\", \"C:\\Windows\\System32\\networkitemfactory\\csrss.exe\", \"C:\\ProgramData\\Desktop\\explorer.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\csrss.exe\", \"C:\\Windows\\System32\\bootres\\winlogon.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\bootstr\\sppsvc.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\bootstr\\sppsvc.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\bootstr\\sppsvc.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\explorer.exe\", \"C:\\Windows\\System32\\netman\\services.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\bootstr\\sppsvc.exe\", \"C:\\Program Files\\DVD Maker\\en-US\\explorer.exe\", \"C:\\Windows\\System32\\netman\\services.exe\", \"C:\\Windows\\System32\\networkitemfactory\\csrss.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1956-54-0x0000000001340000-0x00000000014C2000-memory.dmp	dcrat
C:\Windows\System32\networkitemfactory\csrss.exe	dcrat
C:\Windows\System32\networkitemfactory\csrss.exe	dcrat
behavioral1/memory/584-65-0x0000000000D20000-0x0000000000EA2000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

584 csrss.exe

pid	process
584	csrss.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\netman\\services.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\networkitemfactory\\csrss.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\networkitemfactory\\csrss.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\Desktop\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\csrss.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\bootres\\winlogon.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\bootstr\\sppsvc.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\bootstr\\sppsvc.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\bootres\\winlogon.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\DVD Maker\\en-US\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\netman\\services.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\csrss.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\DVD Maker\\en-US\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\Desktop\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe

Drops file in System32 directory 9 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe

description	ioc	process
File created	C:\Windows\System32\bootres\cc11b995f2a76da408ea6a601e682e64743153ad	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
File opened for modification	C:\Windows\System32\bootstr\sppsvc.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
File created	C:\Windows\System32\netman\services.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
File created	C:\Windows\System32\networkitemfactory\886983d96e3d3e31032c679b2d4ea91b6c05afef	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
File created	C:\Windows\System32\networkitemfactory\csrss.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
File created	C:\Windows\System32\bootres\winlogon.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
File created	C:\Windows\System32\bootstr\sppsvc.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
File created	C:\Windows\System32\bootstr\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
File created	C:\Windows\System32\netman\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe

Drops file in Program Files directory 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe

description	ioc	process
File created	C:\Program Files\DVD Maker\en-US\explorer.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
File created	C:\Program Files\DVD Maker\en-US\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

872 schtasks.exe
800 schtasks.exe
1380 schtasks.exe
1288 schtasks.exe
1764 schtasks.exe
1904 schtasks.exe
1012 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.execsrss.exe

pid process

1956 HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
584 csrss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.execsrss.exe

description pid process

Token: SeDebugPrivilege 1956 HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Token: SeDebugPrivilege 584 csrss.exe

pid	process
872	schtasks.exe
800	schtasks.exe
1380	schtasks.exe
1288	schtasks.exe
1764	schtasks.exe
1904	schtasks.exe
1012	schtasks.exe

pid	process
1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
584	csrss.exe

description	pid	process
Token: SeDebugPrivilege	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
Token: SeDebugPrivilege	584	csrss.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe

description	pid	process	target process
PID 1956 wrote to memory of 1288	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 1288	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 1288	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 1764	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 1764	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 1764	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 1904	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 1904	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 1904	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 1012	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 1012	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 1012	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 872	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 872	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 872	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 800	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 800	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 800	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 1380	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 1380	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 1380	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	schtasks.exe
PID 1956 wrote to memory of 584	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	csrss.exe
PID 1956 wrote to memory of 584	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	csrss.exe
PID 1956 wrote to memory of 584	1956	HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-6cba34b2db52.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\bootstr\sppsvc.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\explorer.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\netman\services.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\networkitemfactory\csrss.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Desktop\explorer.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\csrss.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\bootres\winlogon.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1380

C:\Windows\System32\networkitemfactory\csrss.exe
"C:\Windows\System32\networkitemfactory\csrss.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\networkitemfactory\csrss.exe
Filesize
1.5MB

MD5
413be497be904c09aa8bfe8f0182a949

SHA1
9c5a69c83dbe2629290823d33c0afbce6d37f7bf

SHA256
6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21

SHA512
01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee

Download Submit
C:\Windows\System32\networkitemfactory\csrss.exe
Filesize
1.5MB

MD5
413be497be904c09aa8bfe8f0182a949

SHA1
9c5a69c83dbe2629290823d33c0afbce6d37f7bf

SHA256
6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21

SHA512
01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee

Download Submit
memory/584-62-0x0000000000000000-mapping.dmp

Download
memory/584-65-0x0000000000D20000-0x0000000000EA2000-memory.dmp

Filesize
1.5MB

Download
memory/800-60-0x0000000000000000-mapping.dmp

Download
memory/872-59-0x0000000000000000-mapping.dmp

Download
memory/1012-58-0x0000000000000000-mapping.dmp

Download
memory/1288-55-0x0000000000000000-mapping.dmp

Download
memory/1380-61-0x0000000000000000-mapping.dmp

Download
memory/1764-56-0x0000000000000000-mapping.dmp

Download
memory/1904-57-0x0000000000000000-mapping.dmp

Download
memory/1956-54-0x0000000001340000-0x00000000014C2000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads