dcrat | da42677a574b2f5e9ac01fb0c3436bdf029576f1301d2c7ee6fe0ef30f535b9e

General

Target

tmp.exe
Size

3.7MB
MD5

3046d5ac745d33c5b5ea76db29ccc58e
SHA1

6711bd52d11fb81d34552bda8f7819b97341bd41
SHA256

da42677a574b2f5e9ac01fb0c3436bdf029576f1301d2c7ee6fe0ef30f535b9e
SHA512

b20dfc9b05de7116f52569a8317236d5790f6738bb56131d9bc0b642a38f4c74a90e7b8f1a5fba0d97af33388f1de161530fd11c83fb98565d2d897b572ac074
SSDEEP

98304:3LsCPUwTp1ATLdiRmAAnQ8AoY0JxDow5FXJ8QAyFqbpu8:7KwXAdLPYCUc2QDFmV

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	364	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sys.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\sys.exe	dcrat
behavioral2/memory/4296-147-0x0000000000060000-0x00000000001C2000-memory.dmp	dcrat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\winlogon.exe	dcrat
C:\Users\Default\Templates\winlogon.exe	dcrat

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

system.exesys.exewinlogon.exe

pid process

4168 system.exe
4296 sys.exe
1180 winlogon.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

sys.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation sys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 2416 set thread context of 2268 2416 tmp.exe AppLaunch.exe

pid	process
4168	system.exe
4296	sys.exe
1180	winlogon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	sys.exe

description	pid	process	target process
PID 2416 set thread context of 2268	2416	tmp.exe	AppLaunch.exe

Drops file in Program Files directory 3 IoCs

Processes:

sys.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\winlogon.exe	sys.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\winlogon.exe	sys.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\cc11b995f2a76d	sys.exe

Drops file in Windows directory 2 IoCs

Processes:

sys.exe

description ioc process

File created C:\Windows\Tasks\SearchApp.exe sys.exe
File created C:\Windows\Tasks\38384e6a620884 sys.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\SearchApp.exe	sys.exe
File created	C:\Windows\Tasks\38384e6a620884	sys.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3340	schtasks.exe
1396	schtasks.exe
1732	schtasks.exe
4076	schtasks.exe
1016	schtasks.exe
1568	schtasks.exe
1572	schtasks.exe
4156	schtasks.exe
1068	schtasks.exe
4936	schtasks.exe
4048	schtasks.exe
2576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

sys.exewinlogon.exe

pid	process
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
1180	winlogon.exe
1180	winlogon.exe
1180	winlogon.exe
1180	winlogon.exe
1180	winlogon.exe
1180	winlogon.exe
1180	winlogon.exe
1180	winlogon.exe
1180	winlogon.exe
1180	winlogon.exe
1180	winlogon.exe
1180	winlogon.exe
1180	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winlogon.exe

pid process

1180 winlogon.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AppLaunch.exesys.exewinlogon.exe

description pid process

Token: SeDebugPrivilege 2268 AppLaunch.exe
Token: SeDebugPrivilege 4296 sys.exe
Token: SeDebugPrivilege 1180 winlogon.exe

pid	process
1180	winlogon.exe

description	pid	process
Token: SeDebugPrivilege	2268	AppLaunch.exe
Token: SeDebugPrivilege	4296	sys.exe
Token: SeDebugPrivilege	1180	winlogon.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

tmp.exeAppLaunch.exesystem.exesys.exe

description	pid	process	target process
PID 2416 wrote to memory of 2268	2416	tmp.exe	AppLaunch.exe
PID 2416 wrote to memory of 2268	2416	tmp.exe	AppLaunch.exe
PID 2416 wrote to memory of 2268	2416	tmp.exe	AppLaunch.exe
PID 2416 wrote to memory of 2268	2416	tmp.exe	AppLaunch.exe
PID 2416 wrote to memory of 2268	2416	tmp.exe	AppLaunch.exe
PID 2268 wrote to memory of 4168	2268	AppLaunch.exe	system.exe
PID 2268 wrote to memory of 4168	2268	AppLaunch.exe	system.exe
PID 2268 wrote to memory of 4168	2268	AppLaunch.exe	system.exe
PID 4168 wrote to memory of 4916	4168	system.exe	cmd.exe
PID 4168 wrote to memory of 4916	4168	system.exe	cmd.exe
PID 4168 wrote to memory of 4916	4168	system.exe	cmd.exe
PID 2268 wrote to memory of 4296	2268	AppLaunch.exe	sys.exe
PID 2268 wrote to memory of 4296	2268	AppLaunch.exe	sys.exe
PID 4296 wrote to memory of 1180	4296	sys.exe	winlogon.exe
PID 4296 wrote to memory of 1180	4296	sys.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Local\Temp\system.exe
"C:\Users\Admin\AppData\Local\Temp\system.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
4⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\sys.exe
"C:\Users\Admin\AppData\Local\Temp\sys.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296

C:\Users\Default\Templates\winlogon.exe
"C:\Users\Default\Templates\winlogon.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Tasks\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sys.exe

Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys.exe

Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe

Filesize
2.5MB

MD5
d4c1aa3204a0a20362be094af647d35c

SHA1
f4078cff90e96e64477c3a5ecf9f7b4c5f41a888

SHA256
6b17273197480205ca53e9cca4298dc16346b65ac29d5ca883690ab1ff1b4183

SHA512
2891a2b728d0363a55a15d2159702407ebe7132a325038747240d5768b3e43d85f0ed9bf22c4c4c1cbc1658bd4271bad69ad24117fb6f50f1b2ac1dc9f657ac2

Download Submit
C:\Users\Admin\AppData\Roaming\bebra.exe

Filesize
5B

MD5
8b1a9953c4611296a827abf8c47804d7

SHA1
f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0

SHA256
185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

SHA512
3615f80c9d293ed7402687f94b22d58e529b8cc7916f8fac7fddf7fbd5af4cf777d3d795a7a00a16bf7e7f3fb9561ee9baae480da9fe7a18769e71886b03f315

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\winlogon.exe

Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
C:\Users\Default\Templates\winlogon.exe

Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
memory/1180-152-0x0000000000000000-mapping.dmp

Download
memory/1180-157-0x00007FFE4E700000-0x00007FFE4F1C1000-memory.dmp

Filesize
10.8MB

Download
memory/1180-156-0x00007FFE4E700000-0x00007FFE4F1C1000-memory.dmp

Filesize
10.8MB

Download
memory/2268-135-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2268-134-0x0000000000000000-mapping.dmp

Download
memory/2416-132-0x00000000008D0000-0x0000000000E4A000-memory.dmp

Filesize
5.5MB

Download
memory/4168-141-0x0000000000000000-mapping.dmp

Download
memory/4296-151-0x000000001CA80000-0x000000001CFA8000-memory.dmp

Filesize
5.2MB

Download
memory/4296-150-0x00007FFE4E700000-0x00007FFE4F1C1000-memory.dmp

Filesize
10.8MB

Download
memory/4296-149-0x000000001C3D0000-0x000000001C420000-memory.dmp

Filesize
320KB

Download
memory/4296-144-0x0000000000000000-mapping.dmp

Download
memory/4296-155-0x00007FFE4E700000-0x00007FFE4F1C1000-memory.dmp

Filesize
10.8MB

Download
memory/4296-147-0x0000000000060000-0x00000000001C2000-memory.dmp

Filesize
1.4MB

Download
memory/4916-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads