dcrat | 9a9ac0169117b67557d8ba9932d908df0df543542a649e16db365c2c4d9829cb

General

Target

a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
Size

1.7MB
MD5

c090c2077f7c71e38f4b7fedfe0ef1e3
SHA1

2d01b3e7f9f80961aa6bada443a5d969bf88c052
SHA256

a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56
SHA512

150d46cd92ab52985ee1cfa197ecfb50fe83c3d7070b99ffd187e72582b6b539e63edb990dc820882a900f446512c391557848568c35d57382abb48207e0d028
SSDEEP

24576:U2G/nvxW3Ww0tjWmsIUvGdf4wNKfgo9WB4E/rR9NVGIoUtcrneDa0kPs/MQdb6Of:UbA30jW9vgwrng9EIZyqa0esNnN5P

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	1244	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1244	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	1244	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1244	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1244	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1244	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	1244	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	1244	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1244	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1244	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1244	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1244	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\ServerReview\bridgeProviderref.exe	dcrat
\ServerReview\bridgeProviderref.exe	dcrat
C:\ServerReview\bridgeProviderref.exe	dcrat
C:\ServerReview\bridgeProviderref.exe	dcrat
behavioral1/memory/1224-65-0x0000000000920000-0x0000000000A98000-memory.dmp	dcrat
C:\Users\Default\AppData\Local\Idle.exe	dcrat
C:\Users\Default\Local Settings\Idle.exe	dcrat
behavioral1/memory/1612-76-0x0000000000370000-0x00000000004E8000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

bridgeProviderref.exeIdle.exe

pid process

1224 bridgeProviderref.exe
1612 Idle.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1176 cmd.exe
1176 cmd.exe

pid	process
1224	bridgeProviderref.exe
1612	Idle.exe

pid	process
1176	cmd.exe
1176	cmd.exe

Drops file in Program Files directory 2 IoCs

Processes:

bridgeProviderref.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\taskhost.exe	bridgeProviderref.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\b75386f1303e64	bridgeProviderref.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1416	schtasks.exe
1792	schtasks.exe
1588	schtasks.exe
1160	schtasks.exe
1144	schtasks.exe
1064	schtasks.exe
916	schtasks.exe
756	schtasks.exe
844	schtasks.exe
1044	schtasks.exe
1860	schtasks.exe
1724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bridgeProviderref.exeIdle.exe

pid process

1224 bridgeProviderref.exe
1612 Idle.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bridgeProviderref.exeIdle.exe

description pid process

Token: SeDebugPrivilege 1224 bridgeProviderref.exe
Token: SeDebugPrivilege 1612 Idle.exe

pid	process
1224	bridgeProviderref.exe
1612	Idle.exe

description	pid	process
Token: SeDebugPrivilege	1224	bridgeProviderref.exe
Token: SeDebugPrivilege	1612	Idle.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exeWScript.execmd.exebridgeProviderref.exe

description	pid	process	target process
PID 832 wrote to memory of 1764	832	a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe	WScript.exe
PID 832 wrote to memory of 1764	832	a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe	WScript.exe
PID 832 wrote to memory of 1764	832	a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe	WScript.exe
PID 832 wrote to memory of 1764	832	a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe	WScript.exe
PID 1764 wrote to memory of 1176	1764	WScript.exe	cmd.exe
PID 1764 wrote to memory of 1176	1764	WScript.exe	cmd.exe
PID 1764 wrote to memory of 1176	1764	WScript.exe	cmd.exe
PID 1764 wrote to memory of 1176	1764	WScript.exe	cmd.exe
PID 1176 wrote to memory of 1224	1176	cmd.exe	bridgeProviderref.exe
PID 1176 wrote to memory of 1224	1176	cmd.exe	bridgeProviderref.exe
PID 1176 wrote to memory of 1224	1176	cmd.exe	bridgeProviderref.exe
PID 1176 wrote to memory of 1224	1176	cmd.exe	bridgeProviderref.exe
PID 1224 wrote to memory of 1612	1224	bridgeProviderref.exe	Idle.exe
PID 1224 wrote to memory of 1612	1224	bridgeProviderref.exe	Idle.exe
PID 1224 wrote to memory of 1612	1224	bridgeProviderref.exe	Idle.exe

C:\Users\Admin\AppData\Local\Temp\a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
"C:\Users\Admin\AppData\Local\Temp\a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ServerReview\MzalesUHq9EVa0XF.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ServerReview\sWa1toVd2dh5viFItIPl1K.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176

C:\ServerReview\bridgeProviderref.exe
"C:\ServerReview\bridgeProviderref.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Default\Local Settings\Idle.exe
"C:\Users\Default\Local Settings\Idle.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ServerReview\MzalesUHq9EVa0XF.vbe
Filesize
211B

MD5
fb66d6d565dce17c5007b0a7e4df8b73

SHA1
1a968335d68201d39ce11439b434721c7c28cdde

SHA256
141fbc97b724eda2dedcba78ca1d5f340a817c56e338c5bf8624afa2477e7736

SHA512
d7c160c69e06862cdc9e626d27c757f267ca75a888ec71ab8ccbaf237173c463f58d79e6775232684e452a4e0910110c318b5ee0f39657590cdbb1c1da6f9fcc

Download Submit
C:\ServerReview\bridgeProviderref.exe
Filesize
1.4MB

MD5
8734e10de083db53ee35a423e7d7c9a9

SHA1
eed4e041b8b2e235d5200cdc39fd63ead9989f0f

SHA256
3687ba9aef354b3bd04ca7af044d1fcbcd0c643df76c7038dffc51c9a0d17620

SHA512
627d249a5fc80c5d8c9cdf78a079be7430ac154fae4147afedb833b79c3f89ddc08ad63da50a09b817e8248eeb0ab58d56d6f730b1df30deae9b3f4b39d33e51

Download Submit
C:\ServerReview\bridgeProviderref.exe
Filesize
1.4MB

MD5
8734e10de083db53ee35a423e7d7c9a9

SHA1
eed4e041b8b2e235d5200cdc39fd63ead9989f0f

SHA256
3687ba9aef354b3bd04ca7af044d1fcbcd0c643df76c7038dffc51c9a0d17620

SHA512
627d249a5fc80c5d8c9cdf78a079be7430ac154fae4147afedb833b79c3f89ddc08ad63da50a09b817e8248eeb0ab58d56d6f730b1df30deae9b3f4b39d33e51

Download Submit
C:\ServerReview\sWa1toVd2dh5viFItIPl1K.bat
Filesize
39B

MD5
dbba88d93e1a4c249cd8c44bd99cf3d3

SHA1
75bf459416022380605880066cc0bef81966b4f8

SHA256
e8f43b3eb90675247331fbba6091b365bf672bf4096de426af3ac9c627c23462

SHA512
38f65e02dfc2b95aaf626040dac731b7e997aba3873cd832bac29e39e7afcfc52b9b46ea5cde943a5fa55889a45cddaaa753fea071822d4c9060e00c89706b52

Download Submit
C:\Users\Default\AppData\Local\Idle.exe
Filesize
1.4MB

MD5
8734e10de083db53ee35a423e7d7c9a9

SHA1
eed4e041b8b2e235d5200cdc39fd63ead9989f0f

SHA256
3687ba9aef354b3bd04ca7af044d1fcbcd0c643df76c7038dffc51c9a0d17620

SHA512
627d249a5fc80c5d8c9cdf78a079be7430ac154fae4147afedb833b79c3f89ddc08ad63da50a09b817e8248eeb0ab58d56d6f730b1df30deae9b3f4b39d33e51

Download Submit
C:\Users\Default\Local Settings\Idle.exe
Filesize
1.4MB

MD5
8734e10de083db53ee35a423e7d7c9a9

SHA1
eed4e041b8b2e235d5200cdc39fd63ead9989f0f

SHA256
3687ba9aef354b3bd04ca7af044d1fcbcd0c643df76c7038dffc51c9a0d17620

SHA512
627d249a5fc80c5d8c9cdf78a079be7430ac154fae4147afedb833b79c3f89ddc08ad63da50a09b817e8248eeb0ab58d56d6f730b1df30deae9b3f4b39d33e51

Download Submit
\ServerReview\bridgeProviderref.exe
Filesize
1.4MB

MD5
8734e10de083db53ee35a423e7d7c9a9

SHA1
eed4e041b8b2e235d5200cdc39fd63ead9989f0f

SHA256
3687ba9aef354b3bd04ca7af044d1fcbcd0c643df76c7038dffc51c9a0d17620

SHA512
627d249a5fc80c5d8c9cdf78a079be7430ac154fae4147afedb833b79c3f89ddc08ad63da50a09b817e8248eeb0ab58d56d6f730b1df30deae9b3f4b39d33e51

Download Submit
\ServerReview\bridgeProviderref.exe
Filesize
1.4MB

MD5
8734e10de083db53ee35a423e7d7c9a9

SHA1
eed4e041b8b2e235d5200cdc39fd63ead9989f0f

SHA256
3687ba9aef354b3bd04ca7af044d1fcbcd0c643df76c7038dffc51c9a0d17620

SHA512
627d249a5fc80c5d8c9cdf78a079be7430ac154fae4147afedb833b79c3f89ddc08ad63da50a09b817e8248eeb0ab58d56d6f730b1df30deae9b3f4b39d33e51

Download Submit
memory/832-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1176-59-0x0000000000000000-mapping.dmp

Download
memory/1224-65-0x0000000000920000-0x0000000000A98000-memory.dmp

Filesize
1.5MB

Download
memory/1224-66-0x0000000000840000-0x000000000085C000-memory.dmp

Filesize
112KB

Download
memory/1224-67-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/1224-68-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/1224-69-0x0000000000880000-0x000000000088C000-memory.dmp

Filesize
48KB

Download
memory/1224-70-0x0000000000910000-0x0000000000922000-memory.dmp

Filesize
72KB

Download
memory/1224-71-0x0000000002160000-0x000000000216E000-memory.dmp

Filesize
56KB

Download
memory/1224-72-0x0000000002170000-0x000000000217C000-memory.dmp

Filesize
48KB

Download
memory/1224-63-0x0000000000000000-mapping.dmp

Download
memory/1612-73-0x0000000000000000-mapping.dmp

Download
memory/1612-76-0x0000000000370000-0x00000000004E8000-memory.dmp

Filesize
1.5MB

Download
memory/1612-77-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/1764-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads