dcrat | 40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

General

Target

40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe
Size

356KB
MD5

922a77e55160186e8d3558c88f45f0fd
SHA1

97981a4019c4c0f8aae6ddc20aeae64bf1927718
SHA256

40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c
SHA512

04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38
SSDEEP

6144:/Csr2b54tGixuPmxbHTcv0C3bqqDLpiWb7BNy2AlVbg:/9tGixvYiqnpd/u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/844-54-0x0000000001060000-0x00000000010C0000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe	dcrat
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe	dcrat
behavioral1/memory/552-63-0x0000000001090000-0x00000000010F0000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

System.exe

pid process

552 System.exe

pid	process
552	System.exe

Drops file in Program Files directory 2 IoCs

Processes:

40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Purble Place\services.exe	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe
File created	C:\Program Files\Microsoft Games\Purble Place\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2032 schtasks.exe
1404 schtasks.exe
1696 schtasks.exe
1824 schtasks.exe
1632 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exeSystem.exe

pid process

844 40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe
552 System.exe

pid	process
2032	schtasks.exe
1404	schtasks.exe
1696	schtasks.exe
1824	schtasks.exe
1632	schtasks.exe

pid	process
844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe
552	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exeSystem.exe

description	pid	process
Token: SeDebugPrivilege	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe
Token: SeDebugPrivilege	552	System.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe

description	pid	process	target process
PID 844 wrote to memory of 2032	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 2032	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 2032	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 1404	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 1404	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 1404	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 1696	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 1696	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 1696	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 1824	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 1824	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 1824	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 1632	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 1632	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 1632	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 844 wrote to memory of 552	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	System.exe
PID 844 wrote to memory of 552	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	System.exe
PID 844 wrote to memory of 552	844	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	System.exe

C:\Users\Admin\AppData\Local\Temp\40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe
"C:\Users\Admin\AppData\Local\Temp\40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\dwm.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Purble Place\services.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1632

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe

Filesize
356KB

MD5
922a77e55160186e8d3558c88f45f0fd

SHA1
97981a4019c4c0f8aae6ddc20aeae64bf1927718

SHA256
40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

SHA512
04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe

Filesize
356KB

MD5
922a77e55160186e8d3558c88f45f0fd

SHA1
97981a4019c4c0f8aae6ddc20aeae64bf1927718

SHA256
40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

SHA512
04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38

Download Submit
memory/552-60-0x0000000000000000-mapping.dmp

Download
memory/552-63-0x0000000001090000-0x00000000010F0000-memory.dmp

Filesize
384KB

Download
memory/844-54-0x0000000001060000-0x00000000010C0000-memory.dmp

Filesize
384KB

Download
memory/1404-56-0x0000000000000000-mapping.dmp

Download
memory/1632-59-0x0000000000000000-mapping.dmp

Download
memory/1696-57-0x0000000000000000-mapping.dmp

Download
memory/1824-58-0x0000000000000000-mapping.dmp

Download
memory/2032-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads