dcrat | ae1688c122262eca8536d54c6bfcb14ce0181cadffa680600b6b9ed6f4cce0ae

General

Target

0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
Size

2.3MB
MD5

0bcf1a7b50ed4504fdaf2e11cea6aea7
SHA1

3a7484b337392285c53212953c9cd9ca02c8070c
SHA256

ae1688c122262eca8536d54c6bfcb14ce0181cadffa680600b6b9ed6f4cce0ae
SHA512

8c3f614f1cb6d5c2d02013d2625af210096e33f56a3449321d4fee8b23f80eaab2a340af327316eb316d6d95099b6aa6bb82ea1b48d9409418ba603779ee1d97
SSDEEP

49152:uUcZje2m3S7IdNuzPkAdmHsudtexRRuq0Ek4pbz6:uNe2KS7IAPkNHsG37gK

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2016	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/840-54-0x0000000000860000-0x0000000000AAE000-memory.dmp	dcrat
C:\Users\Admin\Saved Games\csrss.exe	dcrat
C:\Users\Admin\Saved Games\csrss.exe	dcrat
behavioral1/memory/980-63-0x0000000000B00000-0x0000000000D4E000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

980 csrss.exe

pid	process
980	csrss.exe

Drops file in Program Files directory 10 IoCs

Processes:

0bcf1a7b50ed4504fdaf2e11cea6aea7.exe

description	ioc	process
File created	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created	C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created	C:\Program Files\Windows Media Player\es-ES\WmiPrvSE.exe	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created	C:\Program Files\DVD Maker\fr-FR\27d1bcfc3c54e0	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\6ccacd8608530f	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created	C:\Program Files\Windows Media Player\es-ES\24dbde2999530e	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created	C:\Program Files\DVD Maker\fr-FR\System.exe	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created	C:\Program Files (x86)\Reference Assemblies\System.exe	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created	C:\Program Files (x86)\Reference Assemblies\27d1bcfc3c54e0	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe

Drops file in Windows directory 3 IoCs

Processes:

0bcf1a7b50ed4504fdaf2e11cea6aea7.exe

description	ioc	process
File created	C:\Windows\TAPI\services.exe	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File opened for modification	C:\Windows\TAPI\services.exe	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created	C:\Windows\TAPI\c5b4cb5e9653cc	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1696	schtasks.exe
1524	schtasks.exe
1332	schtasks.exe
1944	schtasks.exe
936	schtasks.exe
1392	schtasks.exe
1996	schtasks.exe
768	schtasks.exe
1400	schtasks.exe
1512	schtasks.exe
592	schtasks.exe
928	schtasks.exe
1532	schtasks.exe
828	schtasks.exe
364	schtasks.exe
1600	schtasks.exe
1220	schtasks.exe
1028	schtasks.exe
1376	schtasks.exe
2032	schtasks.exe
1188	schtasks.exe
1892	schtasks.exe
1660	schtasks.exe
1820	schtasks.exe
1800	schtasks.exe
288	schtasks.exe
1636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

0bcf1a7b50ed4504fdaf2e11cea6aea7.execsrss.exe

pid	process
840	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
840	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
840	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
980	csrss.exe
980	csrss.exe
980	csrss.exe
980	csrss.exe
980	csrss.exe
980	csrss.exe
980	csrss.exe
980	csrss.exe
980	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0bcf1a7b50ed4504fdaf2e11cea6aea7.execsrss.exe

description pid process

Token: SeDebugPrivilege 840 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
Token: SeDebugPrivilege 980 csrss.exe

description	pid	process
Token: SeDebugPrivilege	840	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
Token: SeDebugPrivilege	980	csrss.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0bcf1a7b50ed4504fdaf2e11cea6aea7.exe

description	pid	process	target process
PID 840 wrote to memory of 980	840	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe	csrss.exe
PID 840 wrote to memory of 980	840	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe	csrss.exe
PID 840 wrote to memory of 980	840	0bcf1a7b50ed4504fdaf2e11cea6aea7.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
"C:\Users\Admin\AppData\Local\Temp\0bcf1a7b50ed4504fdaf2e11cea6aea7.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\Saved Games\csrss.exe
"C:\Users\Admin\Saved Games\csrss.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Saved Games\csrss.exe
Filesize
2.3MB

MD5
0bcf1a7b50ed4504fdaf2e11cea6aea7

SHA1
3a7484b337392285c53212953c9cd9ca02c8070c

SHA256
ae1688c122262eca8536d54c6bfcb14ce0181cadffa680600b6b9ed6f4cce0ae

SHA512
8c3f614f1cb6d5c2d02013d2625af210096e33f56a3449321d4fee8b23f80eaab2a340af327316eb316d6d95099b6aa6bb82ea1b48d9409418ba603779ee1d97

Download Submit
C:\Users\Admin\Saved Games\csrss.exe
Filesize
2.3MB

MD5
0bcf1a7b50ed4504fdaf2e11cea6aea7

SHA1
3a7484b337392285c53212953c9cd9ca02c8070c

SHA256
ae1688c122262eca8536d54c6bfcb14ce0181cadffa680600b6b9ed6f4cce0ae

SHA512
8c3f614f1cb6d5c2d02013d2625af210096e33f56a3449321d4fee8b23f80eaab2a340af327316eb316d6d95099b6aa6bb82ea1b48d9409418ba603779ee1d97

Download Submit
memory/840-54-0x0000000000860000-0x0000000000AAE000-memory.dmp

Filesize
2.3MB

Download
memory/840-55-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/840-56-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/840-57-0x0000000000810000-0x0000000000866000-memory.dmp

Filesize
344KB

Download
memory/840-58-0x0000000000770000-0x0000000000782000-memory.dmp

Filesize
72KB

Download
memory/840-59-0x0000000000780000-0x000000000078E000-memory.dmp

Filesize
56KB

Download
memory/980-60-0x0000000000000000-mapping.dmp

Download
memory/980-63-0x0000000000B00000-0x0000000000D4E000-memory.dmp

Filesize
2.3MB

Download
memory/980-64-0x0000000000A40000-0x0000000000A96000-memory.dmp

Filesize
344KB

Download
memory/980-65-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads