dcrat | 4b85168bf2297cd4243a987754257fbaebaf409fb04f3fd31f1c6f18c6f98398

General

Target

4b85168bf2297cd4243a987754257fbaebaf409fb04f3fd31f1c6f18c6f98398.exe
Size

1.1MB
MD5

d1a51393448d979468bee767ff7b1346
SHA1

f7725410f3ca157cfa51eeee0d1e74ff247a5e29
SHA256

4b85168bf2297cd4243a987754257fbaebaf409fb04f3fd31f1c6f18c6f98398
SHA512

f828d72e5d7a8b1bee1b93ef2d8217eec05592c0909599d63b15112791f0db89db021c25b21ace64cf8fa678f115a088e9bee35bb8c89fbdd613463262861602
SSDEEP

24576:U2G/nvxW3Ww0tEdrbS1zU+z9ujMu9uU4RPDbAIA:UbA30UXSvzP0p

Score

10^/10

dcrat evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	112	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	112	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\providernet\BridgeDriverCommon.exe	dcrat
C:\Users\Admin\AppData\Roaming\providernet\BridgeDriverCommon.exe	dcrat
behavioral1/memory/2140-139-0x0000000000F60000-0x0000000001036000-memory.dmp	dcrat
C:\Windows\Help\Corporate\SearchApp.exe	dcrat
C:\Windows\Help\Corporate\SearchApp.exe	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

BridgeDriverCommon.exeSearchApp.exe

pid process

2140 BridgeDriverCommon.exe
1500 SearchApp.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4b85168bf2297cd4243a987754257fbaebaf409fb04f3fd31f1c6f18c6f98398.exeWScript.exeBridgeDriverCommon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	4b85168bf2297cd4243a987754257fbaebaf409fb04f3fd31f1c6f18c6f98398.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	BridgeDriverCommon.exe

Drops file in Program Files directory 4 IoCs

Processes:

BridgeDriverCommon.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\services.exe	BridgeDriverCommon.exe
File created	C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc	BridgeDriverCommon.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe	BridgeDriverCommon.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9	BridgeDriverCommon.exe

Drops file in Windows directory 2 IoCs

Processes:

BridgeDriverCommon.exe

description	ioc	process
File created	C:\Windows\Help\Corporate\SearchApp.exe	BridgeDriverCommon.exe
File created	C:\Windows\Help\Corporate\38384e6a620884	BridgeDriverCommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4460	schtasks.exe
4360	schtasks.exe
2872	schtasks.exe
5080	schtasks.exe
3684	schtasks.exe
2956	schtasks.exe
4324	schtasks.exe
1076	schtasks.exe
2000	schtasks.exe
3520	schtasks.exe
3136	schtasks.exe
4572	schtasks.exe
4680	schtasks.exe
812	schtasks.exe
3080	schtasks.exe

Modifies registry class 1 IoCs

Processes:

4b85168bf2297cd4243a987754257fbaebaf409fb04f3fd31f1c6f18c6f98398.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	4b85168bf2297cd4243a987754257fbaebaf409fb04f3fd31f1c6f18c6f98398.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4484 reg.exe

pid	process
4484	reg.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

BridgeDriverCommon.exeSearchApp.exe

pid	process
2140	BridgeDriverCommon.exe
2140	BridgeDriverCommon.exe
2140	BridgeDriverCommon.exe
2140	BridgeDriverCommon.exe
2140	BridgeDriverCommon.exe
2140	BridgeDriverCommon.exe
2140	BridgeDriverCommon.exe
1500	SearchApp.exe
1500	SearchApp.exe
1500	SearchApp.exe
1500	SearchApp.exe
1500	SearchApp.exe
1500	SearchApp.exe
1500	SearchApp.exe
1500	SearchApp.exe
1500	SearchApp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SearchApp.exe

pid process

1500 SearchApp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

BridgeDriverCommon.exeSearchApp.exe

description pid process

Token: SeDebugPrivilege 2140 BridgeDriverCommon.exe
Token: SeDebugPrivilege 1500 SearchApp.exe

pid	process
1500	SearchApp.exe

description	pid	process
Token: SeDebugPrivilege	2140	BridgeDriverCommon.exe
Token: SeDebugPrivilege	1500	SearchApp.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

4b85168bf2297cd4243a987754257fbaebaf409fb04f3fd31f1c6f18c6f98398.exeWScript.execmd.exeBridgeDriverCommon.exe

description	pid	process	target process
PID 1684 wrote to memory of 1656	1684	4b85168bf2297cd4243a987754257fbaebaf409fb04f3fd31f1c6f18c6f98398.exe	WScript.exe
PID 1684 wrote to memory of 1656	1684	4b85168bf2297cd4243a987754257fbaebaf409fb04f3fd31f1c6f18c6f98398.exe	WScript.exe
PID 1684 wrote to memory of 1656	1684	4b85168bf2297cd4243a987754257fbaebaf409fb04f3fd31f1c6f18c6f98398.exe	WScript.exe
PID 1656 wrote to memory of 4072	1656	WScript.exe	cmd.exe
PID 1656 wrote to memory of 4072	1656	WScript.exe	cmd.exe
PID 1656 wrote to memory of 4072	1656	WScript.exe	cmd.exe
PID 4072 wrote to memory of 2140	4072	cmd.exe	BridgeDriverCommon.exe
PID 4072 wrote to memory of 2140	4072	cmd.exe	BridgeDriverCommon.exe
PID 2140 wrote to memory of 1500	2140	BridgeDriverCommon.exe	SearchApp.exe
PID 2140 wrote to memory of 1500	2140	BridgeDriverCommon.exe	SearchApp.exe
PID 4072 wrote to memory of 4484	4072	cmd.exe	reg.exe
PID 4072 wrote to memory of 4484	4072	cmd.exe	reg.exe
PID 4072 wrote to memory of 4484	4072	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\4b85168bf2297cd4243a987754257fbaebaf409fb04f3fd31f1c6f18c6f98398.exe
"C:\Users\Admin\AppData\Local\Temp\4b85168bf2297cd4243a987754257fbaebaf409fb04f3fd31f1c6f18c6f98398.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\providernet\5JW4vfCNTz4jaPX41epefvAtcU.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\providernet\gR02jtJ20EOK.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Roaming\providernet\BridgeDriverCommon.exe
"C:\Users\Admin\AppData\Roaming\providernet\BridgeDriverCommon.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\Help\Corporate\SearchApp.exe
"C:\Windows\Help\Corporate\SearchApp.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\Corporate\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Help\Corporate\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\Corporate\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\NetHood\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\providernet\5JW4vfCNTz4jaPX41epefvAtcU.vbe
Filesize
207B

MD5
4f2173af6d5d8baa1f99148ec2aa22fd

SHA1
bc9633563fce3a1b564c60ce540bc92e47868098

SHA256
0bf76873e76f595702f842474a50891f8eff86db2ae0c4a8bfce598320e3b98a

SHA512
69cf2eed5300afe97bf7c59886c9d7a8cf9e83430cd91c90ac34df34ec5ba338b1c3fcff7646a3ce4c6621a8c143601d7e54d76e1b5bd14922aa094178bbe2f4

Download Submit
C:\Users\Admin\AppData\Roaming\providernet\BridgeDriverCommon.exe
Filesize
829KB

MD5
247ce6eb728349379a633110659badd3

SHA1
a792d026382084ebbd8d9d7bcf6482393f567183

SHA256
72c582fe7e640b56b9b37a00ccea8151e98f8fa0708b1e5609ba50b8ee83d927

SHA512
559cce56968ed8275e8c4d220e36d75918f2581e84af2082270f8af77772eafbc5bc83b0c22a168b0f33076bca83205ee42c32353c13fde9df0e1560d563d0d2

Download Submit
C:\Users\Admin\AppData\Roaming\providernet\BridgeDriverCommon.exe
Filesize
829KB

MD5
247ce6eb728349379a633110659badd3

SHA1
a792d026382084ebbd8d9d7bcf6482393f567183

SHA256
72c582fe7e640b56b9b37a00ccea8151e98f8fa0708b1e5609ba50b8ee83d927

SHA512
559cce56968ed8275e8c4d220e36d75918f2581e84af2082270f8af77772eafbc5bc83b0c22a168b0f33076bca83205ee42c32353c13fde9df0e1560d563d0d2

Download Submit
C:\Users\Admin\AppData\Roaming\providernet\gR02jtJ20EOK.bat
Filesize
158B

MD5
2f7acb46c6cf751eb8dc3ddce96e4303

SHA1
65ad2e7b73840b6652546d040eab78cb5c51b6fb

SHA256
54e27a15b7d052f48e619e0329967e7cddab696489b7968cdf90b223a0b63906

SHA512
144a592c510259a5b6b2b634d260b3a6c5926322de16168a416c68ab3c230b2ab147b60c2a8c0b70eec96c3d1bd737aac583948abe12d24dfe5b0beda7f46046

Download Submit
C:\Windows\Help\Corporate\SearchApp.exe
Filesize
829KB

MD5
247ce6eb728349379a633110659badd3

SHA1
a792d026382084ebbd8d9d7bcf6482393f567183

SHA256
72c582fe7e640b56b9b37a00ccea8151e98f8fa0708b1e5609ba50b8ee83d927

SHA512
559cce56968ed8275e8c4d220e36d75918f2581e84af2082270f8af77772eafbc5bc83b0c22a168b0f33076bca83205ee42c32353c13fde9df0e1560d563d0d2

Download Submit
C:\Windows\Help\Corporate\SearchApp.exe
Filesize
829KB

MD5
247ce6eb728349379a633110659badd3

SHA1
a792d026382084ebbd8d9d7bcf6482393f567183

SHA256
72c582fe7e640b56b9b37a00ccea8151e98f8fa0708b1e5609ba50b8ee83d927

SHA512
559cce56968ed8275e8c4d220e36d75918f2581e84af2082270f8af77772eafbc5bc83b0c22a168b0f33076bca83205ee42c32353c13fde9df0e1560d563d0d2

Download Submit
memory/1500-147-0x00007FFE2FB80000-0x00007FFE30641000-memory.dmp

Filesize
10.8MB

Download
memory/1500-146-0x00007FFE2FB80000-0x00007FFE30641000-memory.dmp

Filesize
10.8MB

Download
memory/1500-141-0x0000000000000000-mapping.dmp

Download
memory/1656-132-0x0000000000000000-mapping.dmp

Download
memory/2140-140-0x00007FFE2FB80000-0x00007FFE30641000-memory.dmp

Filesize
10.8MB

Download
memory/2140-139-0x0000000000F60000-0x0000000001036000-memory.dmp

Filesize
856KB

Download
memory/2140-144-0x00007FFE2FB80000-0x00007FFE30641000-memory.dmp

Filesize
10.8MB

Download
memory/2140-136-0x0000000000000000-mapping.dmp

Download
memory/4072-135-0x0000000000000000-mapping.dmp

Download
memory/4484-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads