dcrat | 9a9ac0169117b67557d8ba9932d908df0df543542a649e16db365c2c4d9829cb

General

Target

a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
Size

1.7MB
MD5

c090c2077f7c71e38f4b7fedfe0ef1e3
SHA1

2d01b3e7f9f80961aa6bada443a5d969bf88c052
SHA256

a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56
SHA512

150d46cd92ab52985ee1cfa197ecfb50fe83c3d7070b99ffd187e72582b6b539e63edb990dc820882a900f446512c391557848568c35d57382abb48207e0d028
SSDEEP

24576:U2G/nvxW3Ww0tjWmsIUvGdf4wNKfgo9WB4E/rR9NVGIoUtcrneDa0kPs/MQdb6Of:UbA30jW9vgwrng9EIZyqa0esNnN5P

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	5040	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\ServerReview\bridgeProviderref.exe	dcrat
C:\ServerReview\bridgeProviderref.exe	dcrat
behavioral2/memory/4868-139-0x0000000000E00000-0x0000000000F78000-memory.dmp	dcrat
C:\Program Files (x86)\Windows Photo Viewer\csrss.exe	dcrat
C:\Program Files (x86)\Windows Photo Viewer\csrss.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

bridgeProviderref.execsrss.exe

pid process

4868 bridgeProviderref.exe
2952 csrss.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exeWScript.exebridgeProviderref.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bridgeProviderref.exe

Drops file in Program Files directory 2 IoCs

Processes:

bridgeProviderref.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Photo Viewer\csrss.exe	bridgeProviderref.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\886983d96e3d3e	bridgeProviderref.exe

Drops file in Windows directory 2 IoCs

Processes:

bridgeProviderref.exe

description	ioc	process
File created	C:\Windows\Web\4K\Wallpaper\Windows\taskhostw.exe	bridgeProviderref.exe
File created	C:\Windows\Web\4K\Wallpaper\Windows\ea9f0e6c9e2dcd	bridgeProviderref.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3928	schtasks.exe
3276	schtasks.exe
3896	schtasks.exe
3748	schtasks.exe
2444	schtasks.exe
5004	schtasks.exe
3684	schtasks.exe
2520	schtasks.exe
3228	schtasks.exe
3640	schtasks.exe
1476	schtasks.exe
2364	schtasks.exe

Modifies registry class 2 IoCs

Processes:

a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exebridgeProviderref.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	bridgeProviderref.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

bridgeProviderref.execsrss.exe

pid	process
4868	bridgeProviderref.exe
4868	bridgeProviderref.exe
4868	bridgeProviderref.exe
4868	bridgeProviderref.exe
4868	bridgeProviderref.exe
4868	bridgeProviderref.exe
4868	bridgeProviderref.exe
4868	bridgeProviderref.exe
4868	bridgeProviderref.exe
4868	bridgeProviderref.exe
4868	bridgeProviderref.exe
4868	bridgeProviderref.exe
4868	bridgeProviderref.exe
4868	bridgeProviderref.exe
2952	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bridgeProviderref.execsrss.exe

description pid process

Token: SeDebugPrivilege 4868 bridgeProviderref.exe
Token: SeDebugPrivilege 2952 csrss.exe

description	pid	process
Token: SeDebugPrivilege	4868	bridgeProviderref.exe
Token: SeDebugPrivilege	2952	csrss.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exeWScript.execmd.exebridgeProviderref.execmd.exe

description	pid	process	target process
PID 372 wrote to memory of 3272	372	a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe	WScript.exe
PID 372 wrote to memory of 3272	372	a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe	WScript.exe
PID 372 wrote to memory of 3272	372	a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe	WScript.exe
PID 3272 wrote to memory of 3592	3272	WScript.exe	cmd.exe
PID 3272 wrote to memory of 3592	3272	WScript.exe	cmd.exe
PID 3272 wrote to memory of 3592	3272	WScript.exe	cmd.exe
PID 3592 wrote to memory of 4868	3592	cmd.exe	bridgeProviderref.exe
PID 3592 wrote to memory of 4868	3592	cmd.exe	bridgeProviderref.exe
PID 4868 wrote to memory of 2548	4868	bridgeProviderref.exe	cmd.exe
PID 4868 wrote to memory of 2548	4868	bridgeProviderref.exe	cmd.exe
PID 2548 wrote to memory of 4368	2548	cmd.exe	w32tm.exe
PID 2548 wrote to memory of 4368	2548	cmd.exe	w32tm.exe
PID 2548 wrote to memory of 2952	2548	cmd.exe	csrss.exe
PID 2548 wrote to memory of 2952	2548	cmd.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
"C:\Users\Admin\AppData\Local\Temp\a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ServerReview\MzalesUHq9EVa0XF.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ServerReview\sWa1toVd2dh5viFItIPl1K.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\ServerReview\bridgeProviderref.exe
"C:\ServerReview\bridgeProviderref.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZN0utajBaU.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:4368

C:\Program Files (x86)\Windows Photo Viewer\csrss.exe
"C:\Program Files (x86)\Windows Photo Viewer\csrss.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\SendTo\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\SendTo\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\4K\Wallpaper\Windows\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Web\4K\Wallpaper\Windows\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\4K\Wallpaper\Windows\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\csrss.exe
Filesize
1.4MB

MD5
8734e10de083db53ee35a423e7d7c9a9

SHA1
eed4e041b8b2e235d5200cdc39fd63ead9989f0f

SHA256
3687ba9aef354b3bd04ca7af044d1fcbcd0c643df76c7038dffc51c9a0d17620

SHA512
627d249a5fc80c5d8c9cdf78a079be7430ac154fae4147afedb833b79c3f89ddc08ad63da50a09b817e8248eeb0ab58d56d6f730b1df30deae9b3f4b39d33e51

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\csrss.exe
Filesize
1.4MB

MD5
8734e10de083db53ee35a423e7d7c9a9

SHA1
eed4e041b8b2e235d5200cdc39fd63ead9989f0f

SHA256
3687ba9aef354b3bd04ca7af044d1fcbcd0c643df76c7038dffc51c9a0d17620

SHA512
627d249a5fc80c5d8c9cdf78a079be7430ac154fae4147afedb833b79c3f89ddc08ad63da50a09b817e8248eeb0ab58d56d6f730b1df30deae9b3f4b39d33e51

Download Submit
C:\ServerReview\MzalesUHq9EVa0XF.vbe
Filesize
211B

MD5
fb66d6d565dce17c5007b0a7e4df8b73

SHA1
1a968335d68201d39ce11439b434721c7c28cdde

SHA256
141fbc97b724eda2dedcba78ca1d5f340a817c56e338c5bf8624afa2477e7736

SHA512
d7c160c69e06862cdc9e626d27c757f267ca75a888ec71ab8ccbaf237173c463f58d79e6775232684e452a4e0910110c318b5ee0f39657590cdbb1c1da6f9fcc

Download Submit
C:\ServerReview\bridgeProviderref.exe
Filesize
1.4MB

MD5
8734e10de083db53ee35a423e7d7c9a9

SHA1
eed4e041b8b2e235d5200cdc39fd63ead9989f0f

SHA256
3687ba9aef354b3bd04ca7af044d1fcbcd0c643df76c7038dffc51c9a0d17620

SHA512
627d249a5fc80c5d8c9cdf78a079be7430ac154fae4147afedb833b79c3f89ddc08ad63da50a09b817e8248eeb0ab58d56d6f730b1df30deae9b3f4b39d33e51

Download Submit
C:\ServerReview\bridgeProviderref.exe
Filesize
1.4MB

MD5
8734e10de083db53ee35a423e7d7c9a9

SHA1
eed4e041b8b2e235d5200cdc39fd63ead9989f0f

SHA256
3687ba9aef354b3bd04ca7af044d1fcbcd0c643df76c7038dffc51c9a0d17620

SHA512
627d249a5fc80c5d8c9cdf78a079be7430ac154fae4147afedb833b79c3f89ddc08ad63da50a09b817e8248eeb0ab58d56d6f730b1df30deae9b3f4b39d33e51

Download Submit
C:\ServerReview\sWa1toVd2dh5viFItIPl1K.bat
Filesize
39B

MD5
dbba88d93e1a4c249cd8c44bd99cf3d3

SHA1
75bf459416022380605880066cc0bef81966b4f8

SHA256
e8f43b3eb90675247331fbba6091b365bf672bf4096de426af3ac9c627c23462

SHA512
38f65e02dfc2b95aaf626040dac731b7e997aba3873cd832bac29e39e7afcfc52b9b46ea5cde943a5fa55889a45cddaaa753fea071822d4c9060e00c89706b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZN0utajBaU.bat
Filesize
218B

MD5
ab960a5f2e85a233c3f7361e849faf47

SHA1
ffb59fbe155705e7411bd3364deaad3ca69df849

SHA256
abb1de87be6b004dfecd58f311275ae4f8ec75f351b6a09ff19202aa5193c427

SHA512
c957135f61629178b20972e03ae1348dad0f05622ac0a96df67e1e80653f1a7c2b2829a90f1e52e9cdbd44972fafe98ea388b38d3660c370e530e8e318ec31d6

Download Submit
memory/2548-144-0x0000000000000000-mapping.dmp

Download
memory/2952-153-0x00007FF8B3E90000-0x00007FF8B4951000-memory.dmp

Filesize
10.8MB

Download
memory/2952-148-0x0000000000000000-mapping.dmp

Download
memory/2952-152-0x00007FF8B3E90000-0x00007FF8B4951000-memory.dmp

Filesize
10.8MB

Download
memory/2952-151-0x00007FF8B3E90000-0x00007FF8B4951000-memory.dmp

Filesize
10.8MB

Download
memory/3272-132-0x0000000000000000-mapping.dmp

Download
memory/3592-135-0x0000000000000000-mapping.dmp

Download
memory/4368-146-0x0000000000000000-mapping.dmp

Download
memory/4868-142-0x000000001D4B0000-0x000000001D9D8000-memory.dmp

Filesize
5.2MB

Download
memory/4868-147-0x00007FF8B3E90000-0x00007FF8B4951000-memory.dmp

Filesize
10.8MB

Download
memory/4868-143-0x00007FF8B3E90000-0x00007FF8B4951000-memory.dmp

Filesize
10.8MB

Download
memory/4868-141-0x000000001BC70000-0x000000001BCC0000-memory.dmp

Filesize
320KB

Download
memory/4868-140-0x00007FF8B3E90000-0x00007FF8B4951000-memory.dmp

Filesize
10.8MB

Download
memory/4868-139-0x0000000000E00000-0x0000000000F78000-memory.dmp

Filesize
1.5MB

Download
memory/4868-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads