dcrat | cd349d60bec07656d19b9c1c515ea91bf0b8479119efee85b695003e41016cb0

General

Target

file.exe
Size

1.1MB
MD5

891e40a67cf2947614a49eac3e5da46f
SHA1

e4d356ec2ff910b8d3e65d13eb44be72aefa6eb4
SHA256

cd349d60bec07656d19b9c1c515ea91bf0b8479119efee85b695003e41016cb0
SHA512

3cd15f70c1cc5b93203fad9c460cb2ed2c795afd96366a28d6dbc291f1972f5f0ac7712d41216376eb65a25cdc0a20a4702059634080fbf786c1f1315067b505
SSDEEP

24576:u2G/nvxW3WieC48NP/nX2UYv1BmaH+a7BMq:ubA3jBHnGUYvNH+8

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	488	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	5088	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\hyperAgentFontruntimecrt\reviewHost.exe	dcrat
C:\hyperAgentFontruntimecrt\reviewHost.exe	dcrat
behavioral2/memory/2992-139-0x0000000000780000-0x0000000000856000-memory.dmp	dcrat
C:\odt\upfc.exe	dcrat
C:\odt\upfc.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

reviewHost.exeupfc.exe

pid process

2992 reviewHost.exe
3804 upfc.exe

pid	process
2992	reviewHost.exe
3804	upfc.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exeWScript.exereviewHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	reviewHost.exe

Drops file in Program Files directory 3 IoCs

Processes:

reviewHost.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office 15\RuntimeBroker.exe	reviewHost.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RuntimeBroker.exe	reviewHost.exe
File created	C:\Program Files\Microsoft Office 15\9e8d7a4ca61bd9	reviewHost.exe

Drops file in Windows directory 1 IoCs

Processes:

reviewHost.exe

description ioc process

File created C:\Windows\WaaS\services\services.exe reviewHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\WaaS\services\services.exe	reviewHost.exe

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4520	schtasks.exe
1868	schtasks.exe
5108	schtasks.exe
376	schtasks.exe
1060	schtasks.exe
4316	schtasks.exe
2592	schtasks.exe
1064	schtasks.exe
1100	schtasks.exe
944	schtasks.exe
3036	schtasks.exe
776	schtasks.exe
488	schtasks.exe
4348	schtasks.exe
2664	schtasks.exe
692	schtasks.exe
3388	schtasks.exe
4300	schtasks.exe
4572	schtasks.exe
4372	schtasks.exe
4556	schtasks.exe

Modifies registry class 1 IoCs

Processes:

file.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings file.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

reviewHost.exeupfc.exe

pid process

2992 reviewHost.exe
3804 upfc.exe
3804 upfc.exe
3804 upfc.exe
3804 upfc.exe
3804 upfc.exe
3804 upfc.exe
3804 upfc.exe
3804 upfc.exe
3804 upfc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

upfc.exe

pid process

3804 upfc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

reviewHost.exeupfc.exe

description pid process

Token: SeDebugPrivilege 2992 reviewHost.exe
Token: SeDebugPrivilege 3804 upfc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	file.exe

pid	process
2992	reviewHost.exe
3804	upfc.exe
3804	upfc.exe
3804	upfc.exe
3804	upfc.exe
3804	upfc.exe
3804	upfc.exe
3804	upfc.exe
3804	upfc.exe
3804	upfc.exe

pid	process
3804	upfc.exe

description	pid	process
Token: SeDebugPrivilege	2992	reviewHost.exe
Token: SeDebugPrivilege	3804	upfc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

file.exeWScript.execmd.exereviewHost.exe

description	pid	process	target process
PID 3676 wrote to memory of 2696	3676	file.exe	WScript.exe
PID 3676 wrote to memory of 2696	3676	file.exe	WScript.exe
PID 3676 wrote to memory of 2696	3676	file.exe	WScript.exe
PID 2696 wrote to memory of 3308	2696	WScript.exe	cmd.exe
PID 2696 wrote to memory of 3308	2696	WScript.exe	cmd.exe
PID 2696 wrote to memory of 3308	2696	WScript.exe	cmd.exe
PID 3308 wrote to memory of 2992	3308	cmd.exe	reviewHost.exe
PID 3308 wrote to memory of 2992	3308	cmd.exe	reviewHost.exe
PID 2992 wrote to memory of 3804	2992	reviewHost.exe	upfc.exe
PID 2992 wrote to memory of 3804	2992	reviewHost.exe	upfc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hyperAgentFontruntimecrt\knppr2OhYNrDcsHABVUWa9t9.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hyperAgentFontruntimecrt\8coh2Db8oe1OMJcuBsHgyEY4Vgv.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3308

C:\hyperAgentFontruntimecrt\reviewHost.exe
"C:\hyperAgentFontruntimecrt\reviewHost.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992

C:\odt\upfc.exe
"C:\odt\upfc.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\odt\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\hyperAgentFontruntimecrt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\hyperAgentFontruntimecrt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\hyperAgentFontruntimecrt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\hyperAgentFontruntimecrt\8coh2Db8oe1OMJcuBsHgyEY4Vgv.bat

Filesize
44B

MD5
dee5d18f8b03004aedda53a4f918bdd6

SHA1
981bd345473f200a185ce5068641a8c1ef5bc9a1

SHA256
c6363b2447b1155461ca9a15577d9d41234cfd4bfa38c600dbddce982d3c845c

SHA512
a8c7c45e3d3d63cfa02756bf8d28bd25ad40fc2b8d500d92771a81da956b67c045fcb6cedc8cae9bab84213bea29b88e7bef08f9815a55618215ab2028b37ff4

Download Submit
C:\hyperAgentFontruntimecrt\knppr2OhYNrDcsHABVUWa9t9.vbe

Filesize
228B

MD5
b622f5403cab06388a6e7e74971b9ed5

SHA1
72a3b926c643768fcf6d185e8ca9335a2f3b5fe6

SHA256
56b3436fc9e59276a6362243c0dd815ea65fa8ec3986f57b52d8886134db9352

SHA512
cf8e5a421cd75d62ea66aa84499db7c29039bec38b4d925ef6f09d15f14bab8961fe7ed4ff73b828cdce4e900bb6b58b7aaf2c6b0715302b11e5ed2f287ba75d

Download Submit
C:\hyperAgentFontruntimecrt\reviewHost.exe

Filesize
829KB

MD5
d192ab81723626b35758ff6cf3f86748

SHA1
7e7789e60919d9a23766306eb92a9876c16f988f

SHA256
92799cc9b2176d9d8b8ef1647ac797649759856f4cde425851bb5c815ba451f3

SHA512
2a99f3924f1c78139ebd87be8e77bc0ace6742aae3778e87af0f9743320c80397f791dcf787b10964333fbdbdbefdd1a45a84934aecbd1b0709bdaabccb068a7

Download Submit
C:\hyperAgentFontruntimecrt\reviewHost.exe

Filesize
829KB

MD5
d192ab81723626b35758ff6cf3f86748

SHA1
7e7789e60919d9a23766306eb92a9876c16f988f

SHA256
92799cc9b2176d9d8b8ef1647ac797649759856f4cde425851bb5c815ba451f3

SHA512
2a99f3924f1c78139ebd87be8e77bc0ace6742aae3778e87af0f9743320c80397f791dcf787b10964333fbdbdbefdd1a45a84934aecbd1b0709bdaabccb068a7

Download Submit
C:\odt\upfc.exe

Filesize
829KB

MD5
d192ab81723626b35758ff6cf3f86748

SHA1
7e7789e60919d9a23766306eb92a9876c16f988f

SHA256
92799cc9b2176d9d8b8ef1647ac797649759856f4cde425851bb5c815ba451f3

SHA512
2a99f3924f1c78139ebd87be8e77bc0ace6742aae3778e87af0f9743320c80397f791dcf787b10964333fbdbdbefdd1a45a84934aecbd1b0709bdaabccb068a7

Download Submit
C:\odt\upfc.exe

Filesize
829KB

MD5
d192ab81723626b35758ff6cf3f86748

SHA1
7e7789e60919d9a23766306eb92a9876c16f988f

SHA256
92799cc9b2176d9d8b8ef1647ac797649759856f4cde425851bb5c815ba451f3

SHA512
2a99f3924f1c78139ebd87be8e77bc0ace6742aae3778e87af0f9743320c80397f791dcf787b10964333fbdbdbefdd1a45a84934aecbd1b0709bdaabccb068a7

Download Submit
memory/2696-132-0x0000000000000000-mapping.dmp

Download
memory/2992-136-0x0000000000000000-mapping.dmp

Download
memory/2992-139-0x0000000000780000-0x0000000000856000-memory.dmp

Filesize
856KB

Download
memory/2992-140-0x00007FFC65DD0000-0x00007FFC66891000-memory.dmp

Filesize
10.8MB

Download
memory/2992-144-0x00007FFC65DD0000-0x00007FFC66891000-memory.dmp

Filesize
10.8MB

Download
memory/3308-135-0x0000000000000000-mapping.dmp

Download
memory/3804-141-0x0000000000000000-mapping.dmp

Download
memory/3804-145-0x00007FFC65DD0000-0x00007FFC66891000-memory.dmp

Filesize
10.8MB

Download
memory/3804-146-0x00007FFC65DD0000-0x00007FFC66891000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads