dcrat | 417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca

General

Target

417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe
Size

433KB
MD5

2e421d1efddf596ee6487321df0ae484
SHA1

38cdf0bd60efdb86c0ea363cfb3c5fbd2ddf997b
SHA256

417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca
SHA512

72a642acfccfc83f84ab7723c9e5f31c678233d8959c11a8afcdc8a1f8e98940d33865a77ea93a4ec477bb068a9310b8d427e14f6078668d5ad578acdf65b247
SSDEEP

12288:0Qnk3GDYKGcblwtX+t4Y8vd9CaOUG5Y+mh:IAOcZwXYO2J5zE

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\perfinto\crtwin.exe	dcrat
C:\perfinto\crtwin.exe	dcrat
C:\perfinto\crtwin.exe	dcrat
behavioral1/memory/1380-64-0x00000000000F0000-0x0000000000150000-memory.dmp	dcrat
C:\Windows\debug\WIA\csrss.exe	dcrat
C:\Windows\debug\WIA\csrss.exe	dcrat
behavioral1/memory/992-73-0x00000000008D0000-0x0000000000930000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

crtwin.execsrss.exe

pid process

1380 crtwin.exe
992 csrss.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1348 cmd.exe

pid	process
1380	crtwin.exe
992	csrss.exe

pid	process
1348	cmd.exe

Drops file in Windows directory 2 IoCs

Processes:

crtwin.exe

description	ioc	process
File created	C:\Windows\debug\WIA\csrss.exe	crtwin.exe
File created	C:\Windows\debug\WIA\886983d96e3d3e31032c679b2d4ea91b6c05afef	crtwin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1848 schtasks.exe
896 schtasks.exe
568 schtasks.exe
836 schtasks.exe
1732 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

crtwin.execsrss.exe

pid process

1380 crtwin.exe
992 csrss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

crtwin.execsrss.exe

description pid process

Token: SeDebugPrivilege 1380 crtwin.exe
Token: SeDebugPrivilege 992 csrss.exe

pid	process
1848	schtasks.exe
896	schtasks.exe
568	schtasks.exe
836	schtasks.exe
1732	schtasks.exe

pid	process
1380	crtwin.exe
992	csrss.exe

description	pid	process
Token: SeDebugPrivilege	1380	crtwin.exe
Token: SeDebugPrivilege	992	csrss.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exeWScript.execmd.execrtwin.exe

description	pid	process	target process
PID 1664 wrote to memory of 1972	1664	417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe	WScript.exe
PID 1664 wrote to memory of 1972	1664	417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe	WScript.exe
PID 1664 wrote to memory of 1972	1664	417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe	WScript.exe
PID 1664 wrote to memory of 1972	1664	417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe	WScript.exe
PID 1972 wrote to memory of 1348	1972	WScript.exe	cmd.exe
PID 1972 wrote to memory of 1348	1972	WScript.exe	cmd.exe
PID 1972 wrote to memory of 1348	1972	WScript.exe	cmd.exe
PID 1972 wrote to memory of 1348	1972	WScript.exe	cmd.exe
PID 1348 wrote to memory of 1380	1348	cmd.exe	crtwin.exe
PID 1348 wrote to memory of 1380	1348	cmd.exe	crtwin.exe
PID 1348 wrote to memory of 1380	1348	cmd.exe	crtwin.exe
PID 1348 wrote to memory of 1380	1348	cmd.exe	crtwin.exe
PID 1380 wrote to memory of 836	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 836	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 836	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 1732	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 1732	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 1732	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 1848	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 1848	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 1848	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 896	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 896	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 896	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 568	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 568	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 568	1380	crtwin.exe	schtasks.exe
PID 1380 wrote to memory of 992	1380	crtwin.exe	csrss.exe
PID 1380 wrote to memory of 992	1380	crtwin.exe	csrss.exe
PID 1380 wrote to memory of 992	1380	crtwin.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe
"C:\Users\Admin\AppData\Local\Temp\417676e1e60786a52ff2df2e95b0efa8a77b35bf4e9a78fd033086a6e7db55ca.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\perfinto\i48JYD4oJA0cMfil2yKzMD37Ydu3jL.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\perfinto\ERovcdbkxlUoLK71txXW3cA964JSkD.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348

C:\perfinto\crtwin.exe
"C:\perfinto\crtwin.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\PerfLogs\Admin\lsass.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\perfinto\System.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\PerfLogs\Admin\conhost.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\debug\WIA\csrss.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:568

C:\Windows\debug\WIA\csrss.exe
"C:\Windows\debug\WIA\csrss.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\WIA\csrss.exe
Filesize
356KB

MD5
922a77e55160186e8d3558c88f45f0fd

SHA1
97981a4019c4c0f8aae6ddc20aeae64bf1927718

SHA256
40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

SHA512
04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38

Download Submit
C:\Windows\debug\WIA\csrss.exe
Filesize
356KB

MD5
922a77e55160186e8d3558c88f45f0fd

SHA1
97981a4019c4c0f8aae6ddc20aeae64bf1927718

SHA256
40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

SHA512
04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38

Download Submit
C:\perfinto\ERovcdbkxlUoLK71txXW3cA964JSkD.bat
Filesize
24B

MD5
56e3a5d60991108ba8d984f67c27d59d

SHA1
f0ca46ab72e8f9237660ee112d9077abe59dc71d

SHA256
9be93ab4ea35cccd861162176e9e1cb49f753ff071f44bc8531885cf7b5171db

SHA512
dfcb1b4742d0daa4c8b0de16249d7d44e7dc5f4d0befa696915846f1bbd0c145888b9db32cd4d07ca6e7b7974aec6b4125af759663065eeff8baf643248eb061

Download Submit
C:\perfinto\crtwin.exe
Filesize
356KB

MD5
922a77e55160186e8d3558c88f45f0fd

SHA1
97981a4019c4c0f8aae6ddc20aeae64bf1927718

SHA256
40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

SHA512
04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38

Download Submit
C:\perfinto\crtwin.exe
Filesize
356KB

MD5
922a77e55160186e8d3558c88f45f0fd

SHA1
97981a4019c4c0f8aae6ddc20aeae64bf1927718

SHA256
40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

SHA512
04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38

Download Submit
C:\perfinto\i48JYD4oJA0cMfil2yKzMD37Ydu3jL.vbe
Filesize
220B

MD5
224d54950cf34464d6cf812c3d6ac98b

SHA1
2861f8019ec27a520c0751cbe196e7d19e1e93a8

SHA256
9890d7cd354a1444ca02970c09721238ff6223c305f8819cd2219bf8724627b2

SHA512
ff8b1dff61f8dd8c68a57b5b43a3a4a5156fe5dd0704e9264e0fb71e6da5a4d3bbd114881a58ebc79d4e06d24abf21a42e027ee9a4824fb378e0299579a4b73f

Download Submit
\perfinto\crtwin.exe
Filesize
356KB

MD5
922a77e55160186e8d3558c88f45f0fd

SHA1
97981a4019c4c0f8aae6ddc20aeae64bf1927718

SHA256
40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

SHA512
04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38

Download Submit
memory/568-69-0x0000000000000000-mapping.dmp

Download
memory/836-65-0x0000000000000000-mapping.dmp

Download
memory/896-68-0x0000000000000000-mapping.dmp

Download
memory/992-73-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/992-70-0x0000000000000000-mapping.dmp

Download
memory/1348-59-0x0000000000000000-mapping.dmp

Download
memory/1380-64-0x00000000000F0000-0x0000000000150000-memory.dmp

Filesize
384KB

Download
memory/1380-61-0x0000000000000000-mapping.dmp

Download
memory/1664-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1732-66-0x0000000000000000-mapping.dmp

Download
memory/1848-67-0x0000000000000000-mapping.dmp

Download
memory/1972-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads