dcrat | d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22

General

Target

d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
Size

365KB
MD5

1a67c22d93c15bdc6333358e2cdd29e7
SHA1

4b1824a168c97e13006fcc9b823f81d12cde9eca
SHA256

d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22
SHA512

5bc1daf91b4a52b0f5e26d4c4f5ff4396e4fe090c6f383345487893bfb3a04ba424441a4f59d74ea0801e99f4a9b794d568caab967178dab1ce9738b9034143c
SSDEEP

6144:Mhg8RILtEndj8KoOnBCuHzNII/JeM5k7IBe5oXWM6BPuqqDL:MpndjJIuII/J5k7IBe506BTqn

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2424-132-0x0000022B2F0C0000-0x0000022B2F124000-memory.dmp	dcrat
C:\Program Files\Windows Mail\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	dcrat
C:\Program Files\Windows Mail\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

pid process

3092 d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

pid	process
3092	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\odt\\fontdrvhost.exe\""	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default User\\lsass.exe\""	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\Documents\\My Videos\\dllhost.exe\""	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\PerfLogs\\Idle.exe\""	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\""	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22 = "\"C:\\Program Files\\Windows Mail\\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe\""	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

Drops file in Program Files directory 2 IoCs

Processes:

d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

description	ioc	process
File created	C:\Program Files\Windows Mail\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
File created	C:\Program Files\Windows Mail\6281f3f12af9c4c62e604a8a2ca2dead7e63e89b	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1368 schtasks.exe
1900 schtasks.exe
3620 schtasks.exe
1704 schtasks.exe
3200 schtasks.exe
5080 schtasks.exe
4656 schtasks.exe

pid	process
1368	schtasks.exe
1900	schtasks.exe
3620	schtasks.exe
1704	schtasks.exe
3200	schtasks.exe
5080	schtasks.exe
4656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exed30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

pid	process
2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
3092	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exed30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

description	pid	process
Token: SeDebugPrivilege	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
Token: SeDebugPrivilege	3092	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

description	pid	process	target process
PID 2424 wrote to memory of 1704	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 2424 wrote to memory of 1704	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 2424 wrote to memory of 3200	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 2424 wrote to memory of 3200	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 2424 wrote to memory of 5080	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 2424 wrote to memory of 5080	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 2424 wrote to memory of 4656	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 2424 wrote to memory of 4656	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 2424 wrote to memory of 1368	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 2424 wrote to memory of 1368	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 2424 wrote to memory of 1900	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 2424 wrote to memory of 1900	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 2424 wrote to memory of 3620	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 2424 wrote to memory of 3620	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	schtasks.exe
PID 2424 wrote to memory of 3092	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
PID 2424 wrote to memory of 3092	2424	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe	d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe

C:\Users\Admin\AppData\Local\Temp\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
"C:\Users\Admin\AppData\Local\Temp\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1704

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3200

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\dllhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:5080

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\PerfLogs\Idle.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4656

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1368

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1900

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3620

C:\Program Files\Windows Mail\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
"C:\Program Files\Windows Mail\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Mail\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
Filesize
365KB

MD5
1a67c22d93c15bdc6333358e2cdd29e7

SHA1
4b1824a168c97e13006fcc9b823f81d12cde9eca

SHA256
d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22

SHA512
5bc1daf91b4a52b0f5e26d4c4f5ff4396e4fe090c6f383345487893bfb3a04ba424441a4f59d74ea0801e99f4a9b794d568caab967178dab1ce9738b9034143c

Download Submit
C:\Program Files\Windows Mail\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe
Filesize
365KB

MD5
1a67c22d93c15bdc6333358e2cdd29e7

SHA1
4b1824a168c97e13006fcc9b823f81d12cde9eca

SHA256
d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22

SHA512
5bc1daf91b4a52b0f5e26d4c4f5ff4396e4fe090c6f383345487893bfb3a04ba424441a4f59d74ea0801e99f4a9b794d568caab967178dab1ce9738b9034143c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\d30d5939d105337a5c6f56e3a97fc0cf92cf782775d0f2bae317cf5c4562eb22.exe.log
Filesize
1KB

MD5
e8d8201859f0733371b04a69e90297ae

SHA1
8222cd86cf6633bdab806efb6cd8f336e2d0187b

SHA256
7f70c61beb86a5573a1c9f37136d60aa88ab65f11bd94e5303c4e2e8d11f8f9f

SHA512
63ba5c2778f02f62a2570d35ec6eb002c94093b94098315ac991b3c70a9d14ba8f3904067cf737df32a3f2e1924b29d7f722613024c2fdb11cf63d46b1bdb627

Download Submit
memory/1368-139-0x0000000000000000-mapping.dmp

Download
memory/1704-135-0x0000000000000000-mapping.dmp

Download
memory/1900-140-0x0000000000000000-mapping.dmp

Download
memory/2424-132-0x0000022B2F0C0000-0x0000022B2F124000-memory.dmp

Filesize
400KB

Download
memory/2424-134-0x00007FFB7FA60000-0x00007FFB80521000-memory.dmp

Filesize
10.8MB

Download
memory/2424-133-0x00007FFB7FA60000-0x00007FFB80521000-memory.dmp

Filesize
10.8MB

Download
memory/2424-146-0x00007FFB7FA60000-0x00007FFB80521000-memory.dmp

Filesize
10.8MB

Download
memory/3092-142-0x0000000000000000-mapping.dmp

Download
memory/3092-147-0x00007FFB7FA60000-0x00007FFB80521000-memory.dmp

Filesize
10.8MB

Download
memory/3092-148-0x00007FFB7FA60000-0x00007FFB80521000-memory.dmp

Filesize
10.8MB

Download
memory/3092-149-0x00007FFB7FA60000-0x00007FFB80521000-memory.dmp

Filesize
10.8MB

Download
memory/3200-136-0x0000000000000000-mapping.dmp

Download
memory/3620-141-0x0000000000000000-mapping.dmp

Download
memory/4656-138-0x0000000000000000-mapping.dmp

Download
memory/5080-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads