dcrat | c68a49ebcf23549fd40879c7e7d95737effd1c3d704689dbe1bba4959dcbbd69

General

Target

ae23ccbd31f96a4051015724d155f40e.exe
Size

828KB
MD5

ae23ccbd31f96a4051015724d155f40e
SHA1

799439e532b69c36f2e1fb5346ae7f93510c9594
SHA256

c68a49ebcf23549fd40879c7e7d95737effd1c3d704689dbe1bba4959dcbbd69
SHA512

61f683a97b8bc1550af40253e2c2e42d8edf4a5c06afb3f5dcc9216ab10c16550f9647ac6dbc85c1f5b3b7b8ab860090ccd6b92b8f41905264b079baf3ae16f8
SSDEEP

12288:23SruAQLbAfu30JfjobsOk4VJ4eCeIPrHyw735Mg2Ob/B:gcuA8bA/JfjoLkO4ea15F2OTB

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	3028	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/1948-132-0x0000000000430000-0x0000000000506000-memory.dmp	dcrat
C:\Recovery\WindowsRE\winlogon.exe	dcrat
C:\Recovery\WindowsRE\winlogon.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

4484 winlogon.exe

pid	process
4484	winlogon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ae23ccbd31f96a4051015724d155f40e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ae23ccbd31f96a4051015724d155f40e.exe

Drops file in Program Files directory 5 IoCs

Processes:

ae23ccbd31f96a4051015724d155f40e.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office 15\SppExtComObj.exe	ae23ccbd31f96a4051015724d155f40e.exe
File created	C:\Program Files\Microsoft Office 15\e1ef82546f0b02	ae23ccbd31f96a4051015724d155f40e.exe
File created	C:\Program Files (x86)\Windows Portable Devices\winlogon.exe	ae23ccbd31f96a4051015724d155f40e.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\winlogon.exe	ae23ccbd31f96a4051015724d155f40e.exe
File created	C:\Program Files (x86)\Windows Portable Devices\cc11b995f2a76d	ae23ccbd31f96a4051015724d155f40e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4840	schtasks.exe
1048	schtasks.exe
3392	schtasks.exe
3552	schtasks.exe
4788	schtasks.exe
1152	schtasks.exe
4976	schtasks.exe
4868	schtasks.exe
1908	schtasks.exe
4912	schtasks.exe
4856	schtasks.exe
3756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

ae23ccbd31f96a4051015724d155f40e.exewinlogon.exe

pid	process
1948	ae23ccbd31f96a4051015724d155f40e.exe
1948	ae23ccbd31f96a4051015724d155f40e.exe
1948	ae23ccbd31f96a4051015724d155f40e.exe
1948	ae23ccbd31f96a4051015724d155f40e.exe
1948	ae23ccbd31f96a4051015724d155f40e.exe
4484	winlogon.exe
4484	winlogon.exe
4484	winlogon.exe
4484	winlogon.exe
4484	winlogon.exe
4484	winlogon.exe
4484	winlogon.exe
4484	winlogon.exe
4484	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ae23ccbd31f96a4051015724d155f40e.exewinlogon.exe

description pid process

Token: SeDebugPrivilege 1948 ae23ccbd31f96a4051015724d155f40e.exe
Token: SeDebugPrivilege 4484 winlogon.exe

description	pid	process
Token: SeDebugPrivilege	1948	ae23ccbd31f96a4051015724d155f40e.exe
Token: SeDebugPrivilege	4484	winlogon.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

ae23ccbd31f96a4051015724d155f40e.exe

description	pid	process	target process
PID 1948 wrote to memory of 4484	1948	ae23ccbd31f96a4051015724d155f40e.exe	winlogon.exe
PID 1948 wrote to memory of 4484	1948	ae23ccbd31f96a4051015724d155f40e.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\ae23ccbd31f96a4051015724d155f40e.exe
"C:\Users\Admin\AppData\Local\Temp\ae23ccbd31f96a4051015724d155f40e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Recovery\WindowsRE\winlogon.exe
"C:\Recovery\WindowsRE\winlogon.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\winlogon.exe
Filesize
828KB

MD5
ae23ccbd31f96a4051015724d155f40e

SHA1
799439e532b69c36f2e1fb5346ae7f93510c9594

SHA256
c68a49ebcf23549fd40879c7e7d95737effd1c3d704689dbe1bba4959dcbbd69

SHA512
61f683a97b8bc1550af40253e2c2e42d8edf4a5c06afb3f5dcc9216ab10c16550f9647ac6dbc85c1f5b3b7b8ab860090ccd6b92b8f41905264b079baf3ae16f8

Download Submit
C:\Recovery\WindowsRE\winlogon.exe
Filesize
828KB

MD5
ae23ccbd31f96a4051015724d155f40e

SHA1
799439e532b69c36f2e1fb5346ae7f93510c9594

SHA256
c68a49ebcf23549fd40879c7e7d95737effd1c3d704689dbe1bba4959dcbbd69

SHA512
61f683a97b8bc1550af40253e2c2e42d8edf4a5c06afb3f5dcc9216ab10c16550f9647ac6dbc85c1f5b3b7b8ab860090ccd6b92b8f41905264b079baf3ae16f8

Download Submit
memory/1948-132-0x0000000000430000-0x0000000000506000-memory.dmp

Filesize
856KB

Download
memory/1948-133-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/1948-137-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4484-134-0x0000000000000000-mapping.dmp

Download
memory/4484-138-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4484-139-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads