dcrat | d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

General

Target

bbd5709ac40896d243f619941d4789c3.exe
Size

1.4MB
MD5

bbd5709ac40896d243f619941d4789c3
SHA1

d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0
SHA256

d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087
SHA512

61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92
SSDEEP

24576:sWcUeg8DqSBzKMC5n9yjh7VU6KSQBVh5iIq0YLCTayC7NR:PNepqeGMCG9nKLPhIIqjGWyC5

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	1280	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	1280	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4160-132-0x00000000009D0000-0x0000000000B32000-memory.dmp	dcrat
C:\odt\Idle.exe	dcrat
C:\odt\Idle.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

Idle.exe

pid process

3472 Idle.exe

pid	process
3472	Idle.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bbd5709ac40896d243f619941d4789c3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	bbd5709ac40896d243f619941d4789c3.exe

Drops file in Program Files directory 4 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.exe

description	ioc	process
File created	C:\Program Files\Windows Multimedia Platform\sihost.exe	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Program Files\Windows Multimedia Platform\66fc9ff0ee96c2	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Program Files\Windows Photo Viewer\System.exe	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Program Files\Windows Photo Viewer\27d1bcfc3c54e0	bbd5709ac40896d243f619941d4789c3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4320	schtasks.exe
3880	schtasks.exe
2364	schtasks.exe
1588	schtasks.exe
2300	schtasks.exe
1648	schtasks.exe
644	schtasks.exe
4332	schtasks.exe
3300	schtasks.exe
3852	schtasks.exe
4560	schtasks.exe
1236	schtasks.exe
4276	schtasks.exe
3404	schtasks.exe
2272	schtasks.exe
4732	schtasks.exe
1540	schtasks.exe
456	schtasks.exe

Modifies registry class 1 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	bbd5709ac40896d243f619941d4789c3.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.exeIdle.exe

pid	process
4160	bbd5709ac40896d243f619941d4789c3.exe
4160	bbd5709ac40896d243f619941d4789c3.exe
4160	bbd5709ac40896d243f619941d4789c3.exe
3472	Idle.exe
3472	Idle.exe
3472	Idle.exe
3472	Idle.exe
3472	Idle.exe
3472	Idle.exe
3472	Idle.exe
3472	Idle.exe
3472	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Idle.exe

pid process

3472 Idle.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.exeIdle.exe

description pid process

Token: SeDebugPrivilege 4160 bbd5709ac40896d243f619941d4789c3.exe
Token: SeDebugPrivilege 3472 Idle.exe

pid	process
3472	Idle.exe

description	pid	process
Token: SeDebugPrivilege	4160	bbd5709ac40896d243f619941d4789c3.exe
Token: SeDebugPrivilege	3472	Idle.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.execmd.exe

description	pid	process	target process
PID 4160 wrote to memory of 728	4160	bbd5709ac40896d243f619941d4789c3.exe	cmd.exe
PID 4160 wrote to memory of 728	4160	bbd5709ac40896d243f619941d4789c3.exe	cmd.exe
PID 728 wrote to memory of 3868	728	cmd.exe	w32tm.exe
PID 728 wrote to memory of 3868	728	cmd.exe	w32tm.exe
PID 728 wrote to memory of 3472	728	cmd.exe	Idle.exe
PID 728 wrote to memory of 3472	728	cmd.exe	Idle.exe

C:\Users\Admin\AppData\Local\Temp\bbd5709ac40896d243f619941d4789c3.exe
"C:\Users\Admin\AppData\Local\Temp\bbd5709ac40896d243f619941d4789c3.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ePW2wqFIk.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:3868

C:\odt\Idle.exe
"C:\odt\Idle.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ePW2wqFIk.bat
Filesize
180B

MD5
aa44cb92ca12a42e477e9d3b614c1edd

SHA1
02368b64c51bba7a53cc3327da3ed7b9ccc80ad4

SHA256
671f6517e587e4622cefacd4a4a519b83bdbcabd2eb0d49cee32e274af89d4e4

SHA512
76e8efdbc1a11c9c41095b77c57a4dcdafc546d5866f644aa8b66f1392d463afaea5e9c4a95184b8fba3ad96f95e24b7119121ad3eca4eec41157a9dd345a0c3

Download Submit
C:\odt\Idle.exe
Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
C:\odt\Idle.exe
Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
memory/728-136-0x0000000000000000-mapping.dmp

Download
memory/3472-144-0x00007FFA22CD0000-0x00007FFA23791000-memory.dmp

Filesize
10.8MB

Download
memory/3472-143-0x00007FFA22CD0000-0x00007FFA23791000-memory.dmp

Filesize
10.8MB

Download
memory/3472-140-0x0000000000000000-mapping.dmp

Download
memory/3868-138-0x0000000000000000-mapping.dmp

Download
memory/4160-139-0x00007FFA23010000-0x00007FFA23AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-132-0x00000000009D0000-0x0000000000B32000-memory.dmp

Filesize
1.4MB

Download
memory/4160-135-0x000000001CFA0000-0x000000001D4C8000-memory.dmp

Filesize
5.2MB

Download
memory/4160-134-0x000000001C8F0000-0x000000001C940000-memory.dmp

Filesize
320KB

Download
memory/4160-133-0x00007FFA23010000-0x00007FFA23AD1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads