dcrat | d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

General

Target

bbd5709ac40896d243f619941d4789c3.exe
Size

1.4MB
MD5

bbd5709ac40896d243f619941d4789c3
SHA1

d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0
SHA256

d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087
SHA512

61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92
SSDEEP

24576:sWcUeg8DqSBzKMC5n9yjh7VU6KSQBVh5iIq0YLCTayC7NR:PNepqeGMCG9nKLPhIIqjGWyC5

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	4324	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2348-132-0x00000000001B0000-0x0000000000312000-memory.dmp	dcrat
C:\ProgramData\Microsoft\Windows\Templates\dwm.exe	dcrat
C:\Users\All Users\Templates\dwm.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

dwm.exe

pid process

428 dwm.exe

pid	process
428	dwm.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bbd5709ac40896d243f619941d4789c3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	bbd5709ac40896d243f619941d4789c3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 5 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.exe

description	ioc	process
File created	C:\Program Files\Windows Security\System.exe	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Program Files\Windows Security\27d1bcfc3c54e0	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Idle.exe	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\eddb19405b7ce1	bbd5709ac40896d243f619941d4789c3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3540	schtasks.exe
1648	schtasks.exe
4668	schtasks.exe
4236	schtasks.exe
2056	schtasks.exe
5044	schtasks.exe
4428	schtasks.exe
4312	schtasks.exe
2880	schtasks.exe
2588	schtasks.exe
116	schtasks.exe
4240	schtasks.exe
1276	schtasks.exe
3952	schtasks.exe
2228	schtasks.exe
32	schtasks.exe
4308	schtasks.exe
2088	schtasks.exe
1448	schtasks.exe
3256	schtasks.exe
4332	schtasks.exe

Modifies registry class 1 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	bbd5709ac40896d243f619941d4789c3.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.exedwm.exe

pid	process
2348	bbd5709ac40896d243f619941d4789c3.exe
2348	bbd5709ac40896d243f619941d4789c3.exe
2348	bbd5709ac40896d243f619941d4789c3.exe
2348	bbd5709ac40896d243f619941d4789c3.exe
2348	bbd5709ac40896d243f619941d4789c3.exe
428	dwm.exe
428	dwm.exe
428	dwm.exe
428	dwm.exe
428	dwm.exe
428	dwm.exe
428	dwm.exe
428	dwm.exe
428	dwm.exe
428	dwm.exe
428	dwm.exe
428	dwm.exe
428	dwm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwm.exe

pid process

428 dwm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.exedwm.exe

description pid process

Token: SeDebugPrivilege 2348 bbd5709ac40896d243f619941d4789c3.exe
Token: SeDebugPrivilege 428 dwm.exe

pid	process
428	dwm.exe

description	pid	process
Token: SeDebugPrivilege	2348	bbd5709ac40896d243f619941d4789c3.exe
Token: SeDebugPrivilege	428	dwm.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.execmd.exe

description	pid	process	target process
PID 2348 wrote to memory of 1904	2348	bbd5709ac40896d243f619941d4789c3.exe	cmd.exe
PID 2348 wrote to memory of 1904	2348	bbd5709ac40896d243f619941d4789c3.exe	cmd.exe
PID 1904 wrote to memory of 3940	1904	cmd.exe	w32tm.exe
PID 1904 wrote to memory of 3940	1904	cmd.exe	w32tm.exe
PID 1904 wrote to memory of 428	1904	cmd.exe	dwm.exe
PID 1904 wrote to memory of 428	1904	cmd.exe	dwm.exe

C:\Users\Admin\AppData\Local\Temp\bbd5709ac40896d243f619941d4789c3.exe
"C:\Users\Admin\AppData\Local\Temp\bbd5709ac40896d243f619941d4789c3.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TWPzVZgPhl.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:3940

C:\Users\All Users\Templates\dwm.exe
"C:\Users\All Users\Templates\dwm.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Security\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Templates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Templates\dwm.exe
Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWPzVZgPhl.bat
Filesize
201B

MD5
bec3bc43ad081b5f7250f0806b35c7a8

SHA1
64ad95d15ec113e3e327adb5613ec4303bc10bb8

SHA256
94395580380b1d1a7d9b7811c39241ed8a38673d25b94075d6eba0c14706e811

SHA512
9284e8fdba15300fc3a7d4f254fa176f1b06a8506545dfe7098bcefaad2c88d8795e50332746a894fc48f5b2446446fc514e3026a106386a360dfcffc11c43bc

Download Submit
C:\Users\All Users\Templates\dwm.exe
Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
memory/428-140-0x0000000000000000-mapping.dmp

Download
memory/428-143-0x00007FF8B2070000-0x00007FF8B2B31000-memory.dmp

Filesize
10.8MB

Download
memory/428-144-0x00007FF8B2070000-0x00007FF8B2B31000-memory.dmp

Filesize
10.8MB

Download
memory/1904-136-0x0000000000000000-mapping.dmp

Download
memory/2348-134-0x000000001C510000-0x000000001C560000-memory.dmp

Filesize
320KB

Download
memory/2348-135-0x000000001CC20000-0x000000001D148000-memory.dmp

Filesize
5.2MB

Download
memory/2348-132-0x00000000001B0000-0x0000000000312000-memory.dmp

Filesize
1.4MB

Download
memory/2348-139-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/2348-133-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3940-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads