dcrat | a6b84afa6a28c6032c427152885270d3849a6a4134e442cac42e3f78becefc84

General

Target

9sUsHji0MKVo7U2RZ9gX14M.exe
Size

1.1MB
MD5

199ccc5abc45dd2c45831f1de72bb58a
SHA1

d832e8a52a971432fc575088e37831faec7008f2
SHA256

a6b84afa6a28c6032c427152885270d3849a6a4134e442cac42e3f78becefc84
SHA512

9f5b808d0d7a2cc09f5455f0090abb763d47d53dea18be3f5e2d44bb2eead80e6934491f13f7def2e17e1e3b89b2103fc122c337adf7243d5b9876e001bf67fc
SSDEEP

12288:t6NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:t6NReJXJIwvJgVQSoPEzKkLXa

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

9sUsHji0MKVo7U2RZ9gX14M.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\", \"C:\\odt\\Registry.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\", \"C:\\odt\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	4216	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	4216	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	4216	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4216	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	4216	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	4216	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4216	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	4216	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4216	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2728-132-0x0000000000840000-0x000000000096C000-memory.dmp	dcrat
C:\Windows\DiagTrack\Scenarios\dllhost.exe	dcrat
C:\Windows\DiagTrack\Scenarios\dllhost.exe	dcrat
behavioral2/memory/4948-143-0x0000000000500000-0x000000000062C000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

4948 dllhost.exe

pid	process
4948	dllhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9sUsHji0MKVo7U2RZ9gX14M.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	9sUsHji0MKVo7U2RZ9gX14M.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9sUsHji0MKVo7U2RZ9gX14M.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\DiagTrack\\Scenarios\\dllhost.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\odt\\Registry.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\odt\\Registry.exe\""	9sUsHji0MKVo7U2RZ9gX14M.exe

Drops file in Windows directory 4 IoCs

Processes:

9sUsHji0MKVo7U2RZ9gX14M.exe

description	ioc	process
File opened for modification	C:\Windows\DiagTrack\Scenarios\dllhost.exe	9sUsHji0MKVo7U2RZ9gX14M.exe
File created	C:\Windows\DiagTrack\Scenarios\5940a34987c991	9sUsHji0MKVo7U2RZ9gX14M.exe
File opened for modification	C:\Windows\DiagTrack\Scenarios\RCX87E3.tmp	9sUsHji0MKVo7U2RZ9gX14M.exe
File created	C:\Windows\DiagTrack\Scenarios\dllhost.exe	9sUsHji0MKVo7U2RZ9gX14M.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3912	schtasks.exe
4784	schtasks.exe
2628	schtasks.exe
2604	schtasks.exe
4316	schtasks.exe
4408	schtasks.exe
3344	schtasks.exe
2116	schtasks.exe
4936	schtasks.exe

Modifies registry class 1 IoCs

Processes:

9sUsHji0MKVo7U2RZ9gX14M.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings 9sUsHji0MKVo7U2RZ9gX14M.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	9sUsHji0MKVo7U2RZ9gX14M.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

9sUsHji0MKVo7U2RZ9gX14M.exedllhost.exe

pid	process
2728	9sUsHji0MKVo7U2RZ9gX14M.exe
2728	9sUsHji0MKVo7U2RZ9gX14M.exe
2728	9sUsHji0MKVo7U2RZ9gX14M.exe
2728	9sUsHji0MKVo7U2RZ9gX14M.exe
2728	9sUsHji0MKVo7U2RZ9gX14M.exe
2728	9sUsHji0MKVo7U2RZ9gX14M.exe
2728	9sUsHji0MKVo7U2RZ9gX14M.exe
2728	9sUsHji0MKVo7U2RZ9gX14M.exe
2728	9sUsHji0MKVo7U2RZ9gX14M.exe
4948	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9sUsHji0MKVo7U2RZ9gX14M.exedllhost.exe

description pid process

Token: SeDebugPrivilege 2728 9sUsHji0MKVo7U2RZ9gX14M.exe
Token: SeDebugPrivilege 4948 dllhost.exe

description	pid	process
Token: SeDebugPrivilege	2728	9sUsHji0MKVo7U2RZ9gX14M.exe
Token: SeDebugPrivilege	4948	dllhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9sUsHji0MKVo7U2RZ9gX14M.execmd.exe

description	pid	process	target process
PID 2728 wrote to memory of 1976	2728	9sUsHji0MKVo7U2RZ9gX14M.exe	cmd.exe
PID 2728 wrote to memory of 1976	2728	9sUsHji0MKVo7U2RZ9gX14M.exe	cmd.exe
PID 1976 wrote to memory of 1532	1976	cmd.exe	w32tm.exe
PID 1976 wrote to memory of 1532	1976	cmd.exe	w32tm.exe
PID 1976 wrote to memory of 4948	1976	cmd.exe	dllhost.exe
PID 1976 wrote to memory of 4948	1976	cmd.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\9sUsHji0MKVo7U2RZ9gX14M.exe
"C:\Users\Admin\AppData\Local\Temp\9sUsHji0MKVo7U2RZ9gX14M.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EMwjJ4nZnH.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1532

C:\Windows\DiagTrack\Scenarios\dllhost.exe
"C:\Windows\DiagTrack\Scenarios\dllhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\Scenarios\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\Scenarios\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\odt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EMwjJ4nZnH.bat

Filesize
207B

MD5
7f05438c327e19ffe779b3030b6c6701

SHA1
b0c6c389d64182af68d3da586e03016de8fb7fe3

SHA256
b01f5739bd3122e46178889f1cbe0383dac144f26d7935024261ae838c79af84

SHA512
d344382a23f9783f44b179a7418762873dafe86b1e0abdd174731fcf2afea6eba44a4074c68dd0b0839d73116fbf7bd9a6ff787aa054c9c35a1d74c27afb70a6

Download Submit
C:\Windows\DiagTrack\Scenarios\dllhost.exe

Filesize
1.1MB

MD5
64793afdd274a4fa81db92b5faf49a51

SHA1
07520686852bc98dcf82651fbf385d69c3d088c6

SHA256
4f652e225ed70ac5fac2f46c60b9c48f274dc22ba31c0f6c19ae14f401e4fe29

SHA512
30a7f8b56add3df18bfdb86353dd1f7aee96a4e2787695efd6052fb3bd2092c4d9762b5eaec617ba87bed42af7c647f737c4ea4d04b56648a04db55902e6e107

Download Submit
C:\Windows\DiagTrack\Scenarios\dllhost.exe

Filesize
1.1MB

MD5
64793afdd274a4fa81db92b5faf49a51

SHA1
07520686852bc98dcf82651fbf385d69c3d088c6

SHA256
4f652e225ed70ac5fac2f46c60b9c48f274dc22ba31c0f6c19ae14f401e4fe29

SHA512
30a7f8b56add3df18bfdb86353dd1f7aee96a4e2787695efd6052fb3bd2092c4d9762b5eaec617ba87bed42af7c647f737c4ea4d04b56648a04db55902e6e107

Download Submit
memory/1532-138-0x0000000000000000-mapping.dmp

Download
memory/1976-136-0x0000000000000000-mapping.dmp

Download
memory/2728-135-0x000000001D060000-0x000000001D588000-memory.dmp

Filesize
5.2MB

Download
memory/2728-132-0x0000000000840000-0x000000000096C000-memory.dmp

Filesize
1.2MB

Download
memory/2728-139-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp

Filesize
10.8MB

Download
memory/2728-134-0x000000001B460000-0x000000001B4B0000-memory.dmp

Filesize
320KB

Download
memory/2728-133-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-140-0x0000000000000000-mapping.dmp

Download
memory/4948-143-0x0000000000500000-0x000000000062C000-memory.dmp

Filesize
1.2MB

Download
memory/4948-144-0x00007FFA61BC0000-0x00007FFA62681000-memory.dmp

Filesize
10.8MB

Download
memory/4948-145-0x00007FFA61BC0000-0x00007FFA62681000-memory.dmp

Filesize
10.8MB

Download
memory/4948-146-0x00007FFA61BC0000-0x00007FFA62681000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads