dcrat | c68a49ebcf23549fd40879c7e7d95737effd1c3d704689dbe1bba4959dcbbd69

General

Target

ae23ccbd31f96a4051015724d155f40e.exe
Size

828KB
MD5

ae23ccbd31f96a4051015724d155f40e
SHA1

799439e532b69c36f2e1fb5346ae7f93510c9594
SHA256

c68a49ebcf23549fd40879c7e7d95737effd1c3d704689dbe1bba4959dcbbd69
SHA512

61f683a97b8bc1550af40253e2c2e42d8edf4a5c06afb3f5dcc9216ab10c16550f9647ac6dbc85c1f5b3b7b8ab860090ccd6b92b8f41905264b079baf3ae16f8
SSDEEP

12288:23SruAQLbAfu30JfjobsOk4VJ4eCeIPrHyw735Mg2Ob/B:gcuA8bA/JfjoLkO4ea15F2OTB

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1500	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1376-54-0x00000000003C0000-0x0000000000496000-memory.dmp	dcrat
C:\Users\All Users\Templates\taskhost.exe	dcrat
C:\ProgramData\Microsoft\Windows\Templates\taskhost.exe	dcrat
behavioral1/memory/596-61-0x0000000001370000-0x0000000001446000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

taskhost.exe

pid process

596 taskhost.exe

pid	process
596	taskhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

ae23ccbd31f96a4051015724d155f40e.exe

description	ioc	process
File created	C:\Program Files\Windows NT\TableTextService\smss.exe	ae23ccbd31f96a4051015724d155f40e.exe
File created	C:\Program Files\Windows NT\TableTextService\69ddcba757bf72	ae23ccbd31f96a4051015724d155f40e.exe

Drops file in Windows directory 4 IoCs

Processes:

ae23ccbd31f96a4051015724d155f40e.exe

description	ioc	process
File created	C:\Windows\Boot\sppsvc.exe	ae23ccbd31f96a4051015724d155f40e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-directshow-devenum_31bf3856ad364e35_6.1.7600.16385_none_5914022fa13f06ca\csrss.exe	ae23ccbd31f96a4051015724d155f40e.exe
File created	C:\Windows\Performance\WinSAT\DataStore\ae23ccbd31f96a4051015724d155f40e.exe	ae23ccbd31f96a4051015724d155f40e.exe
File created	C:\Windows\Performance\WinSAT\DataStore\dd3814c24b6308	ae23ccbd31f96a4051015724d155f40e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1484	schtasks.exe
1592	schtasks.exe
1672	schtasks.exe
1424	schtasks.exe
1208	schtasks.exe
1848	schtasks.exe
1464	schtasks.exe
1520	schtasks.exe
796	schtasks.exe
880	schtasks.exe
1768	schtasks.exe
1704	schtasks.exe
1692	schtasks.exe
1748	schtasks.exe
1084	schtasks.exe
536	schtasks.exe
436	schtasks.exe
1640	schtasks.exe
820	schtasks.exe
1532	schtasks.exe
568	schtasks.exe
1392	schtasks.exe
1016	schtasks.exe
1908	schtasks.exe
1108	schtasks.exe
1448	schtasks.exe
1388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

ae23ccbd31f96a4051015724d155f40e.exetaskhost.exe

pid	process
1376	ae23ccbd31f96a4051015724d155f40e.exe
1376	ae23ccbd31f96a4051015724d155f40e.exe
1376	ae23ccbd31f96a4051015724d155f40e.exe
596	taskhost.exe
596	taskhost.exe
596	taskhost.exe
596	taskhost.exe
596	taskhost.exe
596	taskhost.exe
596	taskhost.exe
596	taskhost.exe
596	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ae23ccbd31f96a4051015724d155f40e.exetaskhost.exe

description pid process

Token: SeDebugPrivilege 1376 ae23ccbd31f96a4051015724d155f40e.exe
Token: SeDebugPrivilege 596 taskhost.exe

description	pid	process
Token: SeDebugPrivilege	1376	ae23ccbd31f96a4051015724d155f40e.exe
Token: SeDebugPrivilege	596	taskhost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ae23ccbd31f96a4051015724d155f40e.execmd.exe

description	pid	process	target process
PID 1376 wrote to memory of 1724	1376	ae23ccbd31f96a4051015724d155f40e.exe	cmd.exe
PID 1376 wrote to memory of 1724	1376	ae23ccbd31f96a4051015724d155f40e.exe	cmd.exe
PID 1376 wrote to memory of 1724	1376	ae23ccbd31f96a4051015724d155f40e.exe	cmd.exe
PID 1724 wrote to memory of 1676	1724	cmd.exe	w32tm.exe
PID 1724 wrote to memory of 1676	1724	cmd.exe	w32tm.exe
PID 1724 wrote to memory of 1676	1724	cmd.exe	w32tm.exe
PID 1724 wrote to memory of 596	1724	cmd.exe	taskhost.exe
PID 1724 wrote to memory of 596	1724	cmd.exe	taskhost.exe
PID 1724 wrote to memory of 596	1724	cmd.exe	taskhost.exe

C:\Users\Admin\AppData\Local\Temp\ae23ccbd31f96a4051015724d155f40e.exe
"C:\Users\Admin\AppData\Local\Temp\ae23ccbd31f96a4051015724d155f40e.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gd1SwjKz4F.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1676

C:\Users\All Users\Templates\taskhost.exe
"C:\Users\All Users\Templates\taskhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ae23ccbd31f96a4051015724d155f40ea" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\ae23ccbd31f96a4051015724d155f40e.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ae23ccbd31f96a4051015724d155f40e" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\ae23ccbd31f96a4051015724d155f40e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ae23ccbd31f96a4051015724d155f40ea" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\ae23ccbd31f96a4051015724d155f40e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Templates\taskhost.exe
Filesize
828KB

MD5
ae23ccbd31f96a4051015724d155f40e

SHA1
799439e532b69c36f2e1fb5346ae7f93510c9594

SHA256
c68a49ebcf23549fd40879c7e7d95737effd1c3d704689dbe1bba4959dcbbd69

SHA512
61f683a97b8bc1550af40253e2c2e42d8edf4a5c06afb3f5dcc9216ab10c16550f9647ac6dbc85c1f5b3b7b8ab860090ccd6b92b8f41905264b079baf3ae16f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gd1SwjKz4F.bat
Filesize
206B

MD5
0b28d71f938838cf994693e26473d3a0

SHA1
b692f8e37246a28f4d5cba1fbd29655567a39383

SHA256
6996424c59b6c50a5f9cfb4f11cf9ba7ebbafe85a7dcc27ffe95871884caf766

SHA512
50bd8752fb5fd0ae530ad27e6c6640a91c84c03ccd24f18076b959f87a610facd4b02bea0d8c4ff2524674e81bd8ffaea856742b8c23a6b240d77ab328ef84d1

Download Submit
C:\Users\All Users\Templates\taskhost.exe
Filesize
828KB

MD5
ae23ccbd31f96a4051015724d155f40e

SHA1
799439e532b69c36f2e1fb5346ae7f93510c9594

SHA256
c68a49ebcf23549fd40879c7e7d95737effd1c3d704689dbe1bba4959dcbbd69

SHA512
61f683a97b8bc1550af40253e2c2e42d8edf4a5c06afb3f5dcc9216ab10c16550f9647ac6dbc85c1f5b3b7b8ab860090ccd6b92b8f41905264b079baf3ae16f8

Download Submit
memory/596-59-0x0000000000000000-mapping.dmp

Download
memory/596-61-0x0000000001370000-0x0000000001446000-memory.dmp

Filesize
856KB

Download
memory/1376-54-0x00000000003C0000-0x0000000000496000-memory.dmp

Filesize
856KB

Download
memory/1676-57-0x0000000000000000-mapping.dmp

Download
memory/1724-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads