dcrat | d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22

General

Target

d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
Size

365KB
MD5

1a67c22d93c15bdc6333358e2cdd29e7
SHA1

4b1824a168c97e13006fcc9b823f81d12cde9eca
SHA256

d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22
SHA512

5bc1daf91b4a52b0f5e26d4c4f5ff4396e4fe090c6f383345487893bfb3a04ba424441a4f59d74ea0801e99f4a9b794d568caab967178dab1ce9738b9034143c
SSDEEP

6144:Mhg8RILtEndj8KoOnBCuHzNII/JeM5k7IBe5oXWM6BPuqqDL:MpndjJIuII/J5k7IBe506BTqn

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/884-54-0x0000000001060000-0x00000000010C4000-memory.dmp	dcrat
C:\ProgramData\Microsoft Help\sppsvc.exe	dcrat
C:\ProgramData\Microsoft Help\sppsvc.exe	dcrat
behavioral1/memory/1880-62-0x0000000000310000-0x0000000000374000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

sppsvc.exe

pid process

1880 sppsvc.exe

pid	process
1880	sppsvc.exe

Drops file in Program Files directory 2 IoCs

Processes:

d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\explorer.exe	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1932 schtasks.exe
268 schtasks.exe
468 schtasks.exe
1364 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exesppsvc.exe

pid process

884 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
1880 sppsvc.exe

pid	process
1932	schtasks.exe
268	schtasks.exe
468	schtasks.exe
1364	schtasks.exe

pid	process
884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
1880	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exesppsvc.exe

description	pid	process
Token: SeDebugPrivilege	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
Token: SeDebugPrivilege	1880	sppsvc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

description	pid	process	target process
PID 884 wrote to memory of 1364	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 884 wrote to memory of 1364	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 884 wrote to memory of 1364	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 884 wrote to memory of 1932	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 884 wrote to memory of 1932	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 884 wrote to memory of 1932	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 884 wrote to memory of 268	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 884 wrote to memory of 268	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 884 wrote to memory of 268	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 884 wrote to memory of 468	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 884 wrote to memory of 468	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 884 wrote to memory of 468	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 884 wrote to memory of 1880	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	sppsvc.exe
PID 884 wrote to memory of 1880	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	sppsvc.exe
PID 884 wrote to memory of 1880	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	sppsvc.exe
PID 884 wrote to memory of 1880	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	sppsvc.exe
PID 884 wrote to memory of 1880	884	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
"C:\Users\Admin\AppData\Local\Temp\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22" /sc ONLOGON /tr "'C:\Documents and Settings\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\explorer.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:268

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\sppsvc.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:468

C:\ProgramData\Microsoft Help\sppsvc.exe
"C:\ProgramData\Microsoft Help\sppsvc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\sppsvc.exe
Filesize
365KB

MD5
1a67c22d93c15bdc6333358e2cdd29e7

SHA1
4b1824a168c97e13006fcc9b823f81d12cde9eca

SHA256
d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22

SHA512
5bc1daf91b4a52b0f5e26d4c4f5ff4396e4fe090c6f383345487893bfb3a04ba424441a4f59d74ea0801e99f4a9b794d568caab967178dab1ce9738b9034143c

Download Submit
C:\ProgramData\Microsoft Help\sppsvc.exe
Filesize
365KB

MD5
1a67c22d93c15bdc6333358e2cdd29e7

SHA1
4b1824a168c97e13006fcc9b823f81d12cde9eca

SHA256
d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22

SHA512
5bc1daf91b4a52b0f5e26d4c4f5ff4396e4fe090c6f383345487893bfb3a04ba424441a4f59d74ea0801e99f4a9b794d568caab967178dab1ce9738b9034143c

Download Submit
memory/268-57-0x0000000000000000-mapping.dmp

Download
memory/468-58-0x0000000000000000-mapping.dmp

Download
memory/884-54-0x0000000001060000-0x00000000010C4000-memory.dmp

Filesize
400KB

Download
memory/1364-55-0x0000000000000000-mapping.dmp

Download
memory/1880-59-0x0000000000000000-mapping.dmp

Download
memory/1880-62-0x0000000000310000-0x0000000000374000-memory.dmp

Filesize
400KB

Download
memory/1932-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads