dcrat | 39a3a518c36b4c72d04a00171bfe84b36c830ef87afcd69c8d120abddafa97c8

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Size

1.1MB
MD5

56180487c674bc5e9ae5346a8fa72b4a
SHA1

86058ef7aecd0a9d3bc5f97809e1e0844ab68109
SHA256

39a3a518c36b4c72d04a00171bfe84b36c830ef87afcd69c8d120abddafa97c8
SHA512

27a051a7a6072e8556c6771648ebb16dffe2116c14e30c50ace66f3370b56904f35f96f8e18a628e16c35b3049f8f420523f90e0f46fa5f167211569280250c5
SSDEEP

12288:7ooQ4tQRgvTUxOjOK2C6vo7FFPfvgPVQy3TiNUOckHd4qn4:7out+gvTUwjOK2C4oLPformNUOtH2+4

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3468-132-0x0000000000870000-0x0000000000986000-memory.dmp	dcrat
C:\Windows\System32\EapTeapExt\dllhost.exe	dcrat
C:\Windows\System32\EapTeapExt\dllhost.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

236 dllhost.exe

pid	process
236	dllhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe

Drops file in System32 directory 12 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe

description	ioc	process
File created	C:\Windows\System32\D3D12\dllhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\D3D12\5940a34987c99120d96dace90a3f93f329dcad63	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\kbdlisub\cc11b995f2a76da408ea6a601e682e64743153ad	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\Windows.UI.Logon\RuntimeBroker.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\DDORes\spoolsv.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\EapTeapExt\dllhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\msg711\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\kbdlisub\winlogon.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\Windows.UI.Logon\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\DDORes\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\EapTeapExt\5940a34987c99120d96dace90a3f93f329dcad63	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\System32\msg711\sihost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe

Drops file in Program Files directory 3 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe

description	ioc	process
File created	C:\Program Files\ModifiableWindowsApps\dllhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\55b276f4edf653fe07efe8f1ecc32d3d195abd16	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe

Drops file in Windows directory 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe

description	ioc	process
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\55b276f4edf653fe07efe8f1ecc32d3d195abd16	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3212	schtasks.exe
4960	schtasks.exe
1744	schtasks.exe
4092	schtasks.exe
1116	schtasks.exe
4912	schtasks.exe
3484	schtasks.exe
1328	schtasks.exe
3764	schtasks.exe

Modifies registry class 1 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3172 PING.EXE

pid	process
3172	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exedllhost.exe

pid	process
3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
236	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exedllhost.exe

description pid process

Token: SeDebugPrivilege 3468 HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Token: SeDebugPrivilege 236 dllhost.exe

description	pid	process
Token: SeDebugPrivilege	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
Token: SeDebugPrivilege	236	dllhost.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.execmd.exe

description	pid	process	target process
PID 3468 wrote to memory of 4092	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 4092	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 3212	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 3212	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 3764	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 3764	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 1116	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 1116	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 4960	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 4960	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 4912	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 4912	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 1744	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 1744	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 3484	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 3484	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 1328	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 1328	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	schtasks.exe
PID 3468 wrote to memory of 5020	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	cmd.exe
PID 3468 wrote to memory of 5020	3468	HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe	cmd.exe
PID 5020 wrote to memory of 4732	5020	cmd.exe	chcp.com
PID 5020 wrote to memory of 4732	5020	cmd.exe	chcp.com
PID 5020 wrote to memory of 3172	5020	cmd.exe	PING.EXE
PID 5020 wrote to memory of 3172	5020	cmd.exe	PING.EXE
PID 5020 wrote to memory of 236	5020	cmd.exe	dllhost.exe
PID 5020 wrote to memory of 236	5020	cmd.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-39a3a518c36b.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Documents and Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4092

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\EapTeapExt\dllhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3212

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3764

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1116

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\msg711\sihost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4960

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\D3D12\dllhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4912

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\kbdlisub\winlogon.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1744

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\Windows.UI.Logon\RuntimeBroker.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3484

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\DDORes\spoolsv.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zAxBcO0nJT.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:4732

C:\Windows\system32\PING.EXE
ping -n 5 localhost
3⤵
- Runs ping.exe
PID:3172

C:\Windows\System32\EapTeapExt\dllhost.exe
"C:\Windows\System32\EapTeapExt\dllhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zAxBcO0nJT.bat
Filesize
208B

MD5
5574d6b25c94f486c6c78f10a4d69216

SHA1
ef9bf19d721441aea262631fb26037ab9e47bc52

SHA256
8f73873b1b1748b649655b5619eaa5e8911a0c48e276fe5d29898ba97dbc5596

SHA512
94f34728ae3f5915f9cfe70403481bc572dee858efe78819195ff9361b9427e0af364c080ef6ae64818c26febf7abf04659efc18b7ce14faf621dc94c80e6f5f

Download Submit
C:\Windows\System32\EapTeapExt\dllhost.exe
Filesize
1.1MB

MD5
56180487c674bc5e9ae5346a8fa72b4a

SHA1
86058ef7aecd0a9d3bc5f97809e1e0844ab68109

SHA256
39a3a518c36b4c72d04a00171bfe84b36c830ef87afcd69c8d120abddafa97c8

SHA512
27a051a7a6072e8556c6771648ebb16dffe2116c14e30c50ace66f3370b56904f35f96f8e18a628e16c35b3049f8f420523f90e0f46fa5f167211569280250c5

Download Submit
C:\Windows\System32\EapTeapExt\dllhost.exe
Filesize
1.1MB

MD5
56180487c674bc5e9ae5346a8fa72b4a

SHA1
86058ef7aecd0a9d3bc5f97809e1e0844ab68109

SHA256
39a3a518c36b4c72d04a00171bfe84b36c830ef87afcd69c8d120abddafa97c8

SHA512
27a051a7a6072e8556c6771648ebb16dffe2116c14e30c50ace66f3370b56904f35f96f8e18a628e16c35b3049f8f420523f90e0f46fa5f167211569280250c5

Download Submit
memory/236-152-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/236-151-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/236-148-0x0000000000000000-mapping.dmp

Download
memory/1116-137-0x0000000000000000-mapping.dmp

Download
memory/1328-142-0x0000000000000000-mapping.dmp

Download
memory/1744-140-0x0000000000000000-mapping.dmp

Download
memory/3172-147-0x0000000000000000-mapping.dmp

Download
memory/3212-135-0x0000000000000000-mapping.dmp

Download
memory/3468-132-0x0000000000870000-0x0000000000986000-memory.dmp

Filesize
1.1MB

Download
memory/3468-133-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/3468-146-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/3484-141-0x0000000000000000-mapping.dmp

Download
memory/3764-136-0x0000000000000000-mapping.dmp

Download
memory/4092-134-0x0000000000000000-mapping.dmp

Download
memory/4732-145-0x0000000000000000-mapping.dmp

Download
memory/4912-139-0x0000000000000000-mapping.dmp

Download
memory/4960-138-0x0000000000000000-mapping.dmp

Download
memory/5020-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads