dcrat | 38ee5db6247e3637509a731d894af10c97be040b388aac5a87b9b4a0b19a03c3

General

Target

a8327e7f73f4d7a3931072ca1e489d82.exe
Size

1.5MB
MD5

a8327e7f73f4d7a3931072ca1e489d82
SHA1

33fa6a7fa73a790c876582c9f638fc7e71a0f284
SHA256

38ee5db6247e3637509a731d894af10c97be040b388aac5a87b9b4a0b19a03c3
SHA512

d7f1ea19127350fc1f4fce1942342b52c128fec6113b7eceac7491da599a292b63e5c0508b2ef17df02aed853b9e24b2d17cc71342d56f9239df914a56e4dae4
SSDEEP

24576:P2G/nvxW3WV0Boz7PdSo8OhfvG83PxEXY5TZ95f+bYy4HKTtadCK2yseqa+B7:PbA3HBodSo80/GXC9+bl4ewpEe+h

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	2932	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\brokerperf\Hypersaves.exe	dcrat
C:\brokerperf\Hypersaves.exe	dcrat
behavioral2/memory/1708-139-0x0000000000840000-0x0000000000976000-memory.dmp	dcrat
C:\odt\dllhost.exe	dcrat
C:\odt\dllhost.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

Hypersaves.exedllhost.exe

pid process

1708 Hypersaves.exe
5028 dllhost.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a8327e7f73f4d7a3931072ca1e489d82.exeWScript.exeHypersaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	a8327e7f73f4d7a3931072ca1e489d82.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Hypersaves.exe

Drops file in Program Files directory 4 IoCs

Processes:

Hypersaves.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe	Hypersaves.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\55b276f4edf653	Hypersaves.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe	Hypersaves.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\56085415360792	Hypersaves.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
308	schtasks.exe
1852	schtasks.exe
5108	schtasks.exe
3640	schtasks.exe
3608	schtasks.exe
4776	schtasks.exe
208	schtasks.exe
3288	schtasks.exe
4980	schtasks.exe
4800	schtasks.exe
3088	schtasks.exe
1388	schtasks.exe
4516	schtasks.exe
4840	schtasks.exe
4976	schtasks.exe

Modifies registry class 2 IoCs

Processes:

a8327e7f73f4d7a3931072ca1e489d82.exeHypersaves.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	a8327e7f73f4d7a3931072ca1e489d82.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	Hypersaves.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Hypersaves.exedllhost.exe

pid	process
1708	Hypersaves.exe
1708	Hypersaves.exe
1708	Hypersaves.exe
1708	Hypersaves.exe
1708	Hypersaves.exe
1708	Hypersaves.exe
1708	Hypersaves.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe
5028	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

5028 dllhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Hypersaves.exedllhost.exe

description pid process

Token: SeDebugPrivilege 1708 Hypersaves.exe
Token: SeDebugPrivilege 5028 dllhost.exe

pid	process
5028	dllhost.exe

description	pid	process
Token: SeDebugPrivilege	1708	Hypersaves.exe
Token: SeDebugPrivilege	5028	dllhost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

a8327e7f73f4d7a3931072ca1e489d82.exeWScript.execmd.exeHypersaves.execmd.exe

description	pid	process	target process
PID 376 wrote to memory of 4312	376	a8327e7f73f4d7a3931072ca1e489d82.exe	WScript.exe
PID 376 wrote to memory of 4312	376	a8327e7f73f4d7a3931072ca1e489d82.exe	WScript.exe
PID 376 wrote to memory of 4312	376	a8327e7f73f4d7a3931072ca1e489d82.exe	WScript.exe
PID 4312 wrote to memory of 1952	4312	WScript.exe	cmd.exe
PID 4312 wrote to memory of 1952	4312	WScript.exe	cmd.exe
PID 4312 wrote to memory of 1952	4312	WScript.exe	cmd.exe
PID 1952 wrote to memory of 1708	1952	cmd.exe	Hypersaves.exe
PID 1952 wrote to memory of 1708	1952	cmd.exe	Hypersaves.exe
PID 1708 wrote to memory of 1312	1708	Hypersaves.exe	cmd.exe
PID 1708 wrote to memory of 1312	1708	Hypersaves.exe	cmd.exe
PID 1312 wrote to memory of 2284	1312	cmd.exe	w32tm.exe
PID 1312 wrote to memory of 2284	1312	cmd.exe	w32tm.exe
PID 1312 wrote to memory of 5028	1312	cmd.exe	dllhost.exe
PID 1312 wrote to memory of 5028	1312	cmd.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\a8327e7f73f4d7a3931072ca1e489d82.exe
"C:\Users\Admin\AppData\Local\Temp\a8327e7f73f4d7a3931072ca1e489d82.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\brokerperf\yzbbss9f6DVhZcZfA4yi.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\brokerperf\05no77bTSSxqXTtNATW8hKup6yLON.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\brokerperf\Hypersaves.exe
"C:\brokerperf\Hypersaves.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5LnsTu22OR.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2284

C:\odt\dllhost.exe
"C:\odt\dllhost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Videos\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5LnsTu22OR.bat
Filesize
183B

MD5
6ebbe00319e29874452d2b739838f699

SHA1
9855f0ba5a30302443d922822b5b0b816631c28d

SHA256
ac3c179826e65a87b6629a139370b888b4d4d9aeae13403a545c436f9ef9d9b1

SHA512
44527e06014d4cf20a3f9091c988b7d90a94d524edc8b321b10f5b7237e1fd836d2aa11d1fa7cfaf78f48892c2251d9df23c0c4c435441075eb68366544447d2

Download Submit
C:\brokerperf\05no77bTSSxqXTtNATW8hKup6yLON.bat
Filesize
30B

MD5
40887cda573d24c154df9f6ecc8508b7

SHA1
2991ac00d79b896c1433fa0edba4b176a75738a4

SHA256
fa50577412b6e089d86ea596b6838c2d9ee37c73c70815e546e71d759cd07b7e

SHA512
593c9184332faedbc70a3152ee264850d5b0c39b7e080edf9bad9530fbb031964bede11e05617168c1ec9291c68c190db645215484f15f39d535c7d7fbcb77b7

Download Submit
C:\brokerperf\Hypersaves.exe
Filesize
1.2MB

MD5
b313d25c0fed1c6069e6a72e73a5751f

SHA1
1717db41053d68f4b6cb0619eaee7d7617a6ebc9

SHA256
01e2946bab81b880ec494a1692a791ced92624246e6aed7a15c725851ede71dd

SHA512
6807bc163b386f0398a7195f83f7b0619d912724582780ace94d0cd115c2f192a90536f9950cf61c9f18d7df0da58ea9116a22544ff9f3a5489e6c2398d975d3

Download Submit
C:\brokerperf\Hypersaves.exe
Filesize
1.2MB

MD5
b313d25c0fed1c6069e6a72e73a5751f

SHA1
1717db41053d68f4b6cb0619eaee7d7617a6ebc9

SHA256
01e2946bab81b880ec494a1692a791ced92624246e6aed7a15c725851ede71dd

SHA512
6807bc163b386f0398a7195f83f7b0619d912724582780ace94d0cd115c2f192a90536f9950cf61c9f18d7df0da58ea9116a22544ff9f3a5489e6c2398d975d3

Download Submit
C:\brokerperf\yzbbss9f6DVhZcZfA4yi.vbe
Filesize
216B

MD5
e7db9f8708a135db0bb83dafb0f9256b

SHA1
fee4cc69a17f2633ead4ff37798d3dfdaba83081

SHA256
2bbc8edaf231e644b254b41338ef3dd019bbbac117c0b204907d8274ea2dded9

SHA512
09c201f43cd84008787c657810ec31936827026a6a05bc8ed502b0cb6cb850c81d60a712f98d8bbb7f921b4d2c686a007e456ca7b7455f4924537373ff90b83d

Download Submit
C:\odt\dllhost.exe
Filesize
1.2MB

MD5
b313d25c0fed1c6069e6a72e73a5751f

SHA1
1717db41053d68f4b6cb0619eaee7d7617a6ebc9

SHA256
01e2946bab81b880ec494a1692a791ced92624246e6aed7a15c725851ede71dd

SHA512
6807bc163b386f0398a7195f83f7b0619d912724582780ace94d0cd115c2f192a90536f9950cf61c9f18d7df0da58ea9116a22544ff9f3a5489e6c2398d975d3

Download Submit
C:\odt\dllhost.exe
Filesize
1.2MB

MD5
b313d25c0fed1c6069e6a72e73a5751f

SHA1
1717db41053d68f4b6cb0619eaee7d7617a6ebc9

SHA256
01e2946bab81b880ec494a1692a791ced92624246e6aed7a15c725851ede71dd

SHA512
6807bc163b386f0398a7195f83f7b0619d912724582780ace94d0cd115c2f192a90536f9950cf61c9f18d7df0da58ea9116a22544ff9f3a5489e6c2398d975d3

Download Submit
memory/1312-142-0x0000000000000000-mapping.dmp

Download
memory/1708-140-0x000000001B560000-0x000000001B5B0000-memory.dmp

Filesize
320KB

Download
memory/1708-141-0x00007FFDA4430000-0x00007FFDA4EF1000-memory.dmp

Filesize
10.8MB

Download
memory/1708-139-0x0000000000840000-0x0000000000976000-memory.dmp

Filesize
1.2MB

Download
memory/1708-145-0x00007FFDA4430000-0x00007FFDA4EF1000-memory.dmp

Filesize
10.8MB

Download
memory/1708-136-0x0000000000000000-mapping.dmp

Download
memory/1952-135-0x0000000000000000-mapping.dmp

Download
memory/2284-144-0x0000000000000000-mapping.dmp

Download
memory/4312-132-0x0000000000000000-mapping.dmp

Download
memory/5028-146-0x0000000000000000-mapping.dmp

Download
memory/5028-149-0x00007FFDA4000000-0x00007FFDA4AC1000-memory.dmp

Filesize
10.8MB

Download
memory/5028-150-0x00007FFDA4000000-0x00007FFDA4AC1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads