dcrat | 39a3a518c36b4c72d04a00171bfe84b36c830ef87afcd69c8d120abddafa97c8

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Size

1.1MB
MD5

56180487c674bc5e9ae5346a8fa72b4a
SHA1

86058ef7aecd0a9d3bc5f97809e1e0844ab68109
SHA256

39a3a518c36b4c72d04a00171bfe84b36c830ef87afcd69c8d120abddafa97c8
SHA512

27a051a7a6072e8556c6771648ebb16dffe2116c14e30c50ace66f3370b56904f35f96f8e18a628e16c35b3049f8f420523f90e0f46fa5f167211569280250c5
SSDEEP

12288:7ooQ4tQRgvTUxOjOK2C6vo7FFPfvgPVQy3TiNUOckHd4qn4:7out+gvTUwjOK2C4oLPformNUOtH2+4

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2016-54-0x0000000001390000-0x00000000014A6000-memory.dmp	dcrat
C:\MSOCache\All Users\System.exe	dcrat
C:\MSOCache\All Users\System.exe	dcrat
behavioral1/memory/1996-66-0x0000000000D20000-0x0000000000E36000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

System.exe

pid process

1996 System.exe

pid	process
1996	System.exe

Drops file in System32 directory 6 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe

description	ioc	process
File created	C:\Windows\System32\WcsPlugInService\taskhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\WcsPlugInService\b75386f1303e64d8139363b71e44ac16341adf4e	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\rasadhlp\dwm.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\rasadhlp\6cb0b6c459d5d3455a3da700e713f2e2529862ff	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\html\lsass.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\html\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

336 schtasks.exe
1324 schtasks.exe
1528 schtasks.exe
1612 schtasks.exe
1260 schtasks.exe
1356 schtasks.exe
112 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exeSystem.exe

pid process

2016 HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
1996 System.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exeSystem.exe

description pid process

Token: SeDebugPrivilege 2016 HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Token: SeDebugPrivilege 1996 System.exe

pid	process
336	schtasks.exe
1324	schtasks.exe
1528	schtasks.exe
1612	schtasks.exe
1260	schtasks.exe
1356	schtasks.exe
112	schtasks.exe

pid	process
2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
1996	System.exe

description	pid	process
Token: SeDebugPrivilege	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Token: SeDebugPrivilege	1996	System.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe

description	pid	process	target process
PID 2016 wrote to memory of 1356	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1356	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1356	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 112	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 112	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 112	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 336	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 336	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 336	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1324	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1324	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1324	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1528	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1528	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1528	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1612	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1612	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1612	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1260	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1260	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1260	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 2016 wrote to memory of 1996	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	System.exe
PID 2016 wrote to memory of 1996	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	System.exe
PID 2016 wrote to memory of 1996	2016	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	System.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\PerfLogs\Admin\System.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\html\lsass.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:336

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\WcsPlugInService\taskhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\dwm.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\rasadhlp\dwm.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1260

C:\MSOCache\All Users\System.exe
"C:\MSOCache\All Users\System.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\System.exe
Filesize
1.1MB

MD5
56180487c674bc5e9ae5346a8fa72b4a

SHA1
86058ef7aecd0a9d3bc5f97809e1e0844ab68109

SHA256
39a3a518c36b4c72d04a00171bfe84b36c830ef87afcd69c8d120abddafa97c8

SHA512
27a051a7a6072e8556c6771648ebb16dffe2116c14e30c50ace66f3370b56904f35f96f8e18a628e16c35b3049f8f420523f90e0f46fa5f167211569280250c5

Download Submit
C:\MSOCache\All Users\System.exe
Filesize
1.1MB

MD5
56180487c674bc5e9ae5346a8fa72b4a

SHA1
86058ef7aecd0a9d3bc5f97809e1e0844ab68109

SHA256
39a3a518c36b4c72d04a00171bfe84b36c830ef87afcd69c8d120abddafa97c8

SHA512
27a051a7a6072e8556c6771648ebb16dffe2116c14e30c50ace66f3370b56904f35f96f8e18a628e16c35b3049f8f420523f90e0f46fa5f167211569280250c5

Download Submit
memory/112-56-0x0000000000000000-mapping.dmp

Download
memory/336-57-0x0000000000000000-mapping.dmp

Download
memory/1260-61-0x0000000000000000-mapping.dmp

Download
memory/1324-58-0x0000000000000000-mapping.dmp

Download
memory/1356-55-0x0000000000000000-mapping.dmp

Download
memory/1528-59-0x0000000000000000-mapping.dmp

Download
memory/1612-60-0x0000000000000000-mapping.dmp

Download
memory/1996-63-0x0000000000000000-mapping.dmp

Download
memory/1996-66-0x0000000000D20000-0x0000000000E36000-memory.dmp

Filesize
1.1MB

Download
memory/2016-62-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/2016-54-0x0000000001390000-0x00000000014A6000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads