dcrat | 01e2946bab81b880ec494a1692a791ced92624246e6aed7a15c725851ede71dd

General

Target

b313d25c0fed1c6069e6a72e73a5751f.exe
Size

1.2MB
MD5

b313d25c0fed1c6069e6a72e73a5751f
SHA1

1717db41053d68f4b6cb0619eaee7d7617a6ebc9
SHA256

01e2946bab81b880ec494a1692a791ced92624246e6aed7a15c725851ede71dd
SHA512

6807bc163b386f0398a7195f83f7b0619d912724582780ace94d0cd115c2f192a90536f9950cf61c9f18d7df0da58ea9116a22544ff9f3a5489e6c2398d975d3
SSDEEP

24576:1oz7PdSo8OhfvG83PxEXY5TZ95f+bYy4HKTtadCK2yseqa+B:1odSo80/GXC9+bl4ewpEe+

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1388	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1080-54-0x0000000001270000-0x00000000013A6000-memory.dmp	dcrat
C:\Users\Admin\Contacts\WmiPrvSE.exe	dcrat
C:\Users\Admin\Contacts\WmiPrvSE.exe	dcrat
behavioral1/memory/1524-61-0x0000000000C40000-0x0000000000D76000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

WmiPrvSE.exe

pid process

1524 WmiPrvSE.exe

pid	process
1524	WmiPrvSE.exe

Drops file in Program Files directory 2 IoCs

Processes:

b313d25c0fed1c6069e6a72e73a5751f.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\WMIADAP.exe	b313d25c0fed1c6069e6a72e73a5751f.exe
File created	C:\Program Files (x86)\Windows Portable Devices\75a57c1bdf437c	b313d25c0fed1c6069e6a72e73a5751f.exe

Drops file in Windows directory 3 IoCs

Processes:

b313d25c0fed1c6069e6a72e73a5751f.exe

description	ioc	process
File created	C:\Windows\es-ES\csrss.exe	b313d25c0fed1c6069e6a72e73a5751f.exe
File opened for modification	C:\Windows\es-ES\csrss.exe	b313d25c0fed1c6069e6a72e73a5751f.exe
File created	C:\Windows\es-ES\886983d96e3d3e	b313d25c0fed1c6069e6a72e73a5751f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
680	schtasks.exe
316	schtasks.exe
1832	schtasks.exe
868	schtasks.exe
1288	schtasks.exe
2020	schtasks.exe
1296	schtasks.exe
468	schtasks.exe
1796	schtasks.exe
1432	schtasks.exe
1960	schtasks.exe
1732	schtasks.exe
1232	schtasks.exe
1000	schtasks.exe
1008	schtasks.exe
1776	schtasks.exe
928	schtasks.exe
744	schtasks.exe
1424	schtasks.exe
968	schtasks.exe
1644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

b313d25c0fed1c6069e6a72e73a5751f.exeWmiPrvSE.exe

pid	process
1080	b313d25c0fed1c6069e6a72e73a5751f.exe
1524	WmiPrvSE.exe
1524	WmiPrvSE.exe
1524	WmiPrvSE.exe
1524	WmiPrvSE.exe
1524	WmiPrvSE.exe
1524	WmiPrvSE.exe
1524	WmiPrvSE.exe
1524	WmiPrvSE.exe
1524	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b313d25c0fed1c6069e6a72e73a5751f.exeWmiPrvSE.exe

description pid process

Token: SeDebugPrivilege 1080 b313d25c0fed1c6069e6a72e73a5751f.exe
Token: SeDebugPrivilege 1524 WmiPrvSE.exe

description	pid	process
Token: SeDebugPrivilege	1080	b313d25c0fed1c6069e6a72e73a5751f.exe
Token: SeDebugPrivilege	1524	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b313d25c0fed1c6069e6a72e73a5751f.exe

description	pid	process	target process
PID 1080 wrote to memory of 1524	1080	b313d25c0fed1c6069e6a72e73a5751f.exe	WmiPrvSE.exe
PID 1080 wrote to memory of 1524	1080	b313d25c0fed1c6069e6a72e73a5751f.exe	WmiPrvSE.exe
PID 1080 wrote to memory of 1524	1080	b313d25c0fed1c6069e6a72e73a5751f.exe	WmiPrvSE.exe

C:\Users\Admin\AppData\Local\Temp\b313d25c0fed1c6069e6a72e73a5751f.exe
"C:\Users\Admin\AppData\Local\Temp\b313d25c0fed1c6069e6a72e73a5751f.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\Contacts\WmiPrvSE.exe
"C:\Users\Admin\Contacts\WmiPrvSE.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\SendTo\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Contacts\WmiPrvSE.exe
Filesize
1.2MB

MD5
b313d25c0fed1c6069e6a72e73a5751f

SHA1
1717db41053d68f4b6cb0619eaee7d7617a6ebc9

SHA256
01e2946bab81b880ec494a1692a791ced92624246e6aed7a15c725851ede71dd

SHA512
6807bc163b386f0398a7195f83f7b0619d912724582780ace94d0cd115c2f192a90536f9950cf61c9f18d7df0da58ea9116a22544ff9f3a5489e6c2398d975d3

Download Submit
C:\Users\Admin\Contacts\WmiPrvSE.exe
Filesize
1.2MB

MD5
b313d25c0fed1c6069e6a72e73a5751f

SHA1
1717db41053d68f4b6cb0619eaee7d7617a6ebc9

SHA256
01e2946bab81b880ec494a1692a791ced92624246e6aed7a15c725851ede71dd

SHA512
6807bc163b386f0398a7195f83f7b0619d912724582780ace94d0cd115c2f192a90536f9950cf61c9f18d7df0da58ea9116a22544ff9f3a5489e6c2398d975d3

Download Submit
memory/1080-54-0x0000000001270000-0x00000000013A6000-memory.dmp

Filesize
1.2MB

Download
memory/1080-55-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/1080-56-0x0000000000B50000-0x0000000000B66000-memory.dmp

Filesize
88KB

Download
memory/1080-57-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/1524-58-0x0000000000000000-mapping.dmp

Download
memory/1524-61-0x0000000000C40000-0x0000000000D76000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads