dcrat | c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49

General

Target

c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe
Size

1.1MB
MD5

069709b291d870ca58a522119b531abd
SHA1

24de6a89fab7d1ac294a4a90574e57fd8ad5b4b9
SHA256

c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49
SHA512

d1cbf48ee3005b5cd9245fa604f761f6dc2b2618e9ed091532cb4a0b39fe34ec505edec75935ae3a842bd15c9185e9593be0f78d779c61c38c7d9662d2930806
SSDEEP

24576:fndjUOThRAjCjVBKYHtWBPeeGEP8Z8B+:vXNW8R8A

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1340-54-0x0000000000EB0000-0x0000000000FD6000-memory.dmp	dcrat
C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\csrss.exe	dcrat
C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\csrss.exe	dcrat
behavioral1/memory/1976-64-0x0000000000200000-0x0000000000326000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

1976 csrss.exe

pid	process
1976	csrss.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\csrss.exe\""	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\PerfLogs\\Admin\\System.exe\""	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\smss.exe\""	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Documents and Settings\\csrss.exe\""	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe

Drops file in Program Files directory 2 IoCs

Processes:

c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Photo Viewer\smss.exe	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\69ddcba757bf72f7d36c464c71f42baab150b2b9	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe

Drops file in Windows directory 2 IoCs

Processes:

c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe

description	ioc	process
File created	C:\Windows\Web\Wallpaper\explorer.exe	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe
File created	C:\Windows\Web\Wallpaper\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1684 schtasks.exe
592 schtasks.exe
544 schtasks.exe
1708 schtasks.exe
520 schtasks.exe
1772 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.execsrss.exe

pid process

1340 c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe
1976 csrss.exe

pid	process
1684	schtasks.exe
592	schtasks.exe
544	schtasks.exe
1708	schtasks.exe
520	schtasks.exe
1772	schtasks.exe

pid	process
1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe
1976	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe
Token: SeDebugPrivilege	1976	csrss.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe

description	pid	process	target process
PID 1340 wrote to memory of 520	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 520	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 520	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 1772	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 1772	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 1772	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 1684	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 1684	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 1684	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 592	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 592	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 592	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 544	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 544	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 544	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 1708	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 1708	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 1708	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	schtasks.exe
PID 1340 wrote to memory of 1976	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	csrss.exe
PID 1340 wrote to memory of 1976	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	csrss.exe
PID 1340 wrote to memory of 1976	1340	c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe
"C:\Users\Admin\AppData\Local\Temp\c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\PerfLogs\Admin\System.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\explorer.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Libraries\winlogon.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1708

C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\csrss.exe
"C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\csrss.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\csrss.exe
Filesize
1.1MB

MD5
069709b291d870ca58a522119b531abd

SHA1
24de6a89fab7d1ac294a4a90574e57fd8ad5b4b9

SHA256
c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49

SHA512
d1cbf48ee3005b5cd9245fa604f761f6dc2b2618e9ed091532cb4a0b39fe34ec505edec75935ae3a842bd15c9185e9593be0f78d779c61c38c7d9662d2930806

Download Submit
C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\csrss.exe
Filesize
1.1MB

MD5
069709b291d870ca58a522119b531abd

SHA1
24de6a89fab7d1ac294a4a90574e57fd8ad5b4b9

SHA256
c26e3a4c520567bfbcbf4e2312932b720822208b84f73e86645748cdb25a0b49

SHA512
d1cbf48ee3005b5cd9245fa604f761f6dc2b2618e9ed091532cb4a0b39fe34ec505edec75935ae3a842bd15c9185e9593be0f78d779c61c38c7d9662d2930806

Download Submit
memory/520-55-0x0000000000000000-mapping.dmp

Download
memory/544-59-0x0000000000000000-mapping.dmp

Download
memory/592-58-0x0000000000000000-mapping.dmp

Download
memory/1340-54-0x0000000000EB0000-0x0000000000FD6000-memory.dmp

Filesize
1.1MB

Download
memory/1684-57-0x0000000000000000-mapping.dmp

Download
memory/1708-60-0x0000000000000000-mapping.dmp

Download
memory/1772-56-0x0000000000000000-mapping.dmp

Download
memory/1976-61-0x0000000000000000-mapping.dmp

Download
memory/1976-64-0x0000000000200000-0x0000000000326000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads