dcrat | 3d8e8ce36a6a29298846a4216ea303db369b7bfc750fcfd1028b8432abc29483

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
Size

1.1MB
MD5

96e7fbbe91a544face9f073d359eb4f6
SHA1

f148a329a3a8bb6bc97ccc01139a3651eef3d8bd
SHA256

3d8e8ce36a6a29298846a4216ea303db369b7bfc750fcfd1028b8432abc29483
SHA512

95448fe82c03652b3be42d4cc662c3e4760dd2ba62a8a79f45782385c5255d4f8938e1a1cbd867eeba666c948f915f8cdc9f20a44bc97d1fd03d77aa58755569
SSDEEP

24576:xKdL0OLe2/fCNK1PfW9ckdV6Yit9shid+4:gd0IvkKJH0D

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4860-132-0x0000000000660000-0x0000000000780000-memory.dmp	dcrat
C:\Windows\System32\deploymentcsps\dllhost.exe	dcrat
C:\Windows\System32\deploymentcsps\dllhost.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

4516 dllhost.exe

pid	process
4516	dllhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe

Drops file in System32 directory 4 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe

description	ioc	process
File created	C:\Windows\System32\deploymentcsps\dllhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
File created	C:\Windows\System32\deploymentcsps\5940a34987c99120d96dace90a3f93f329dcad63	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
File created	C:\Windows\System32\wbem\PrintManagementProvider\WmiPrvSE.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
File created	C:\Windows\System32\wbem\PrintManagementProvider\24dbde2999530ef5fd907494bc374d663924116c	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4084 schtasks.exe
1536 schtasks.exe
1868 schtasks.exe
4300 schtasks.exe
3364 schtasks.exe
1660 schtasks.exe

pid	process
4084	schtasks.exe
1536	schtasks.exe
1868	schtasks.exe
4300	schtasks.exe
3364	schtasks.exe
1660	schtasks.exe

Modifies registry class 1 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4348 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exedllhost.exe

pid process

4860 HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
4516 dllhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exedllhost.exe

description pid process

Token: SeDebugPrivilege 4860 HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
Token: SeDebugPrivilege 4516 dllhost.exe

pid	process
4348	PING.EXE

pid	process
4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
4516	dllhost.exe

description	pid	process
Token: SeDebugPrivilege	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
Token: SeDebugPrivilege	4516	dllhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.execmd.exe

description	pid	process	target process
PID 4860 wrote to memory of 1536	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe	schtasks.exe
PID 4860 wrote to memory of 1536	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe	schtasks.exe
PID 4860 wrote to memory of 1868	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe	schtasks.exe
PID 4860 wrote to memory of 1868	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe	schtasks.exe
PID 4860 wrote to memory of 4300	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe	schtasks.exe
PID 4860 wrote to memory of 4300	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe	schtasks.exe
PID 4860 wrote to memory of 3364	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe	schtasks.exe
PID 4860 wrote to memory of 3364	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe	schtasks.exe
PID 4860 wrote to memory of 1660	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe	schtasks.exe
PID 4860 wrote to memory of 1660	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe	schtasks.exe
PID 4860 wrote to memory of 4084	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe	schtasks.exe
PID 4860 wrote to memory of 4084	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe	schtasks.exe
PID 4860 wrote to memory of 1628	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe	cmd.exe
PID 4860 wrote to memory of 1628	4860	HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe	cmd.exe
PID 1628 wrote to memory of 1604	1628	cmd.exe	chcp.com
PID 1628 wrote to memory of 1604	1628	cmd.exe	chcp.com
PID 1628 wrote to memory of 4348	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 4348	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 4516	1628	cmd.exe	dllhost.exe
PID 1628 wrote to memory of 4516	1628	cmd.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\PerfLogs\SppExtComObj.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1536

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\jawshtml\HEUR-Trojan-Spy.MSIL.Stealer.gen-3d8e8ce36a6a.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1868

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4300

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\deploymentcsps\dllhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3364

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Application Data\smss.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1660

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\PrintManagementProvider\WmiPrvSE.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1ZexmEaf4.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1604

C:\Windows\system32\PING.EXE
ping -n 5 localhost
3⤵
- Runs ping.exe
PID:4348

C:\Windows\System32\deploymentcsps\dllhost.exe
"C:\Windows\System32\deploymentcsps\dllhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s1ZexmEaf4.bat
Filesize
212B

MD5
d557f97584b67cda36aab47b2264e37c

SHA1
6592c947952684e80903f230ca5323436f78b960

SHA256
236ef06af69226e31c2073b6384959ba6ea7cf217484181b5fb7a331dad41676

SHA512
acee98a5acaac461fa182fdda999123fb49b515f3c8a706296e67d9ee28d69266fda50861b0a9332bb564b60f2ec08135aaf1e5d499207a49e55a9305dddde4a

Download Submit
C:\Windows\System32\deploymentcsps\dllhost.exe
Filesize
1.1MB

MD5
96e7fbbe91a544face9f073d359eb4f6

SHA1
f148a329a3a8bb6bc97ccc01139a3651eef3d8bd

SHA256
3d8e8ce36a6a29298846a4216ea303db369b7bfc750fcfd1028b8432abc29483

SHA512
95448fe82c03652b3be42d4cc662c3e4760dd2ba62a8a79f45782385c5255d4f8938e1a1cbd867eeba666c948f915f8cdc9f20a44bc97d1fd03d77aa58755569

Download Submit
C:\Windows\System32\deploymentcsps\dllhost.exe
Filesize
1.1MB

MD5
96e7fbbe91a544face9f073d359eb4f6

SHA1
f148a329a3a8bb6bc97ccc01139a3651eef3d8bd

SHA256
3d8e8ce36a6a29298846a4216ea303db369b7bfc750fcfd1028b8432abc29483

SHA512
95448fe82c03652b3be42d4cc662c3e4760dd2ba62a8a79f45782385c5255d4f8938e1a1cbd867eeba666c948f915f8cdc9f20a44bc97d1fd03d77aa58755569

Download Submit
memory/1536-134-0x0000000000000000-mapping.dmp

Download
memory/1604-142-0x0000000000000000-mapping.dmp

Download
memory/1628-140-0x0000000000000000-mapping.dmp

Download
memory/1660-138-0x0000000000000000-mapping.dmp

Download
memory/1868-135-0x0000000000000000-mapping.dmp

Download
memory/3364-137-0x0000000000000000-mapping.dmp

Download
memory/4084-139-0x0000000000000000-mapping.dmp

Download
memory/4300-136-0x0000000000000000-mapping.dmp

Download
memory/4348-144-0x0000000000000000-mapping.dmp

Download
memory/4516-145-0x0000000000000000-mapping.dmp

Download
memory/4516-148-0x00007FFB75730000-0x00007FFB761F1000-memory.dmp

Filesize
10.8MB

Download
memory/4516-149-0x00007FFB75730000-0x00007FFB761F1000-memory.dmp

Filesize
10.8MB

Download
memory/4860-143-0x00007FFB75BA0000-0x00007FFB76661000-memory.dmp

Filesize
10.8MB

Download
memory/4860-132-0x0000000000660000-0x0000000000780000-memory.dmp

Filesize
1.1MB

Download
memory/4860-133-0x00007FFB75BA0000-0x00007FFB76661000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads