dcrat | f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c

General

Target

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
Size

1.5MB
MD5

142fc3f98e2b78474c392c72a6e4b826
SHA1

85e4bf6f82e3bc640652df5982a937fa1457e541
SHA256

f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c
SHA512

f1c80e94cc0d3deb7302d98fd9349d90114ccf370ba29e89329797f43404daa38fedde38bf241e713b78da3c43fbefd32566b522bf89fef195dcd1442e4ae964
SSDEEP

24576:fClaqwJlj0Wxxjb2dTGH7i3uOpK4KH/cKgphBhxqdvhm/Y3TnJ6f:fCqlj0exjxH7xn/WphBhg8A7J

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/588-65-0x000000000051817E-mapping.dmp	dcrat
behavioral1/memory/588-66-0x0000000000330000-0x0000000000454000-memory.dmp	dcrat
behavioral1/memory/588-67-0x0000000000330000-0x0000000000454000-memory.dmp	dcrat
behavioral1/memory/588-71-0x0000000000330000-0x0000000000454000-memory.dmp	dcrat
behavioral1/memory/588-74-0x0000000000330000-0x0000000000454000-memory.dmp	dcrat
behavioral1/memory/436-90-0x0000000000400000-0x0000000000524000-memory.dmp	dcrat
behavioral1/memory/436-91-0x0000000000400000-0x0000000000524000-memory.dmp	dcrat
behavioral1/memory/436-93-0x000000000051817E-mapping.dmp	dcrat
behavioral1/memory/436-88-0x0000000000400000-0x0000000000524000-memory.dmp	dcrat
behavioral1/memory/436-98-0x0000000000400000-0x0000000000524000-memory.dmp	dcrat
behavioral1/memory/436-96-0x0000000000400000-0x0000000000524000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

csrss.execsrss.exe

pid process

1136 csrss.exe
436 csrss.exe
Loads dropped DLL 1 IoCs

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

pid process

588 HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

pid	process
1136	csrss.exe
436	csrss.exe

pid	process
588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

Drops file in System32 directory 7 IoCs

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wbem\wbemdisp\WmiPrvSE.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File opened for modification	C:\Windows\SysWOW64\wbem\wbemdisp\WmiPrvSE.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\SysWOW64\wbem\wbemdisp\24dbde2999530ef5fd907494bc374d663924116c	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\SysWOW64\ndptsp\csrss.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\SysWOW64\ndptsp\886983d96e3d3e31032c679b2d4ea91b6c05afef	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\SysWOW64\nlsbres\winlogon.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\SysWOW64\nlsbres\cc11b995f2a76da408ea6a601e682e64743153ad	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.execsrss.exe

description	pid	process	target process
PID 1276 set thread context of 588	1276	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 1136 set thread context of 436	1136	csrss.exe	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1556 schtasks.exe
844 schtasks.exe
900 schtasks.exe
1648 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.execsrss.exe

pid process

588 HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
436 csrss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.execsrss.exe

description pid process

Token: SeDebugPrivilege 588 HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
Token: SeDebugPrivilege 436 csrss.exe

pid	process
1556	schtasks.exe
844	schtasks.exe
900	schtasks.exe
1648	schtasks.exe

pid	process
588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
436	csrss.exe

description	pid	process
Token: SeDebugPrivilege	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
Token: SeDebugPrivilege	436	csrss.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exeHEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.execsrss.exe

description	pid	process	target process
PID 1276 wrote to memory of 588	1276	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 1276 wrote to memory of 588	1276	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 1276 wrote to memory of 588	1276	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 1276 wrote to memory of 588	1276	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 1276 wrote to memory of 588	1276	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 1276 wrote to memory of 588	1276	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 1276 wrote to memory of 588	1276	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 1276 wrote to memory of 588	1276	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 1276 wrote to memory of 588	1276	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 1276 wrote to memory of 588	1276	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 588 wrote to memory of 900	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 900	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 900	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 900	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 1648	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 1648	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 1648	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 1648	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 1556	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 1556	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 1556	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 1556	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 844	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 844	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 844	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 844	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 588 wrote to memory of 1136	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	csrss.exe
PID 588 wrote to memory of 1136	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	csrss.exe
PID 588 wrote to memory of 1136	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	csrss.exe
PID 588 wrote to memory of 1136	588	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	csrss.exe
PID 1136 wrote to memory of 436	1136	csrss.exe	csrss.exe
PID 1136 wrote to memory of 436	1136	csrss.exe	csrss.exe
PID 1136 wrote to memory of 436	1136	csrss.exe	csrss.exe
PID 1136 wrote to memory of 436	1136	csrss.exe	csrss.exe
PID 1136 wrote to memory of 436	1136	csrss.exe	csrss.exe
PID 1136 wrote to memory of 436	1136	csrss.exe	csrss.exe
PID 1136 wrote to memory of 436	1136	csrss.exe	csrss.exe
PID 1136 wrote to memory of 436	1136	csrss.exe	csrss.exe
PID 1136 wrote to memory of 436	1136	csrss.exe	csrss.exe
PID 1136 wrote to memory of 436	1136	csrss.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
"{path}"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wbemdisp\WmiPrvSE.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:900

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\ndptsp\csrss.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1648

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\nlsbres\winlogon.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1556

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Videos\Idle.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:844

C:\Windows\SysWOW64\ndptsp\csrss.exe
"C:\Windows\System32\ndptsp\csrss.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\ndptsp\csrss.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ndptsp\csrss.exe
Filesize
1.5MB

MD5
142fc3f98e2b78474c392c72a6e4b826

SHA1
85e4bf6f82e3bc640652df5982a937fa1457e541

SHA256
f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c

SHA512
f1c80e94cc0d3deb7302d98fd9349d90114ccf370ba29e89329797f43404daa38fedde38bf241e713b78da3c43fbefd32566b522bf89fef195dcd1442e4ae964

Download Submit
C:\Windows\SysWOW64\ndptsp\csrss.exe
Filesize
1.5MB

MD5
142fc3f98e2b78474c392c72a6e4b826

SHA1
85e4bf6f82e3bc640652df5982a937fa1457e541

SHA256
f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c

SHA512
f1c80e94cc0d3deb7302d98fd9349d90114ccf370ba29e89329797f43404daa38fedde38bf241e713b78da3c43fbefd32566b522bf89fef195dcd1442e4ae964

Download Submit
C:\Windows\SysWOW64\ndptsp\csrss.exe
Filesize
1.5MB

MD5
142fc3f98e2b78474c392c72a6e4b826

SHA1
85e4bf6f82e3bc640652df5982a937fa1457e541

SHA256
f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c

SHA512
f1c80e94cc0d3deb7302d98fd9349d90114ccf370ba29e89329797f43404daa38fedde38bf241e713b78da3c43fbefd32566b522bf89fef195dcd1442e4ae964

Download Submit
\Windows\SysWOW64\ndptsp\csrss.exe
Filesize
1.5MB

MD5
142fc3f98e2b78474c392c72a6e4b826

SHA1
85e4bf6f82e3bc640652df5982a937fa1457e541

SHA256
f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c

SHA512
f1c80e94cc0d3deb7302d98fd9349d90114ccf370ba29e89329797f43404daa38fedde38bf241e713b78da3c43fbefd32566b522bf89fef195dcd1442e4ae964

Download Submit
memory/436-96-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/436-98-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/436-88-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/436-93-0x000000000051817E-mapping.dmp

Download
memory/436-91-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/436-90-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/588-66-0x0000000000330000-0x0000000000454000-memory.dmp

Filesize
1.1MB

Download
memory/588-58-0x0000000000330000-0x0000000000454000-memory.dmp

Filesize
1.1MB

Download
memory/588-57-0x0000000000330000-0x0000000000454000-memory.dmp

Filesize
1.1MB

Download
memory/588-65-0x000000000051817E-mapping.dmp

Download
memory/588-67-0x0000000000330000-0x0000000000454000-memory.dmp

Filesize
1.1MB

Download
memory/588-75-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/588-71-0x0000000000330000-0x0000000000454000-memory.dmp

Filesize
1.1MB

Download
memory/588-74-0x0000000000330000-0x0000000000454000-memory.dmp

Filesize
1.1MB

Download
memory/844-79-0x0000000000000000-mapping.dmp

Download
memory/900-76-0x0000000000000000-mapping.dmp

Download
memory/1136-81-0x0000000000000000-mapping.dmp

Download
memory/1136-84-0x0000000001000000-0x000000000118A000-memory.dmp

Filesize
1.5MB

Download
memory/1276-54-0x0000000000030000-0x00000000001BA000-memory.dmp

Filesize
1.5MB

Download
memory/1276-56-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/1276-55-0x00000000072D0000-0x0000000007514000-memory.dmp

Filesize
2.3MB

Download
memory/1556-78-0x0000000000000000-mapping.dmp

Download
memory/1648-77-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads