dcrat | 40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

General

Target

40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe
Size

356KB
MD5

922a77e55160186e8d3558c88f45f0fd
SHA1

97981a4019c4c0f8aae6ddc20aeae64bf1927718
SHA256

40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c
SHA512

04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38
SSDEEP

6144:/Csr2b54tGixuPmxbHTcv0C3bqqDLpiWb7BNy2AlVbg:/9tGixvYiqnpd/u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/5080-132-0x000001FA1BD50000-0x000001FA1BDB0000-memory.dmp	dcrat
C:\Users\Public\Desktop\RuntimeBroker.exe	dcrat
C:\ProgramData\Desktop\RuntimeBroker.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

RuntimeBroker.exe

pid process

4796 RuntimeBroker.exe

pid	process
4796	RuntimeBroker.exe

Drops file in Program Files directory 3 IoCs

Processes:

40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe

description	ioc	process
File created	C:\Program Files\Windows Photo Viewer\en-US\RuntimeBroker.exe	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\RuntimeBroker.exe	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3984 schtasks.exe
1188 schtasks.exe
3056 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exeRuntimeBroker.exe

pid process

5080 40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe
4796 RuntimeBroker.exe

pid	process
3984	schtasks.exe
1188	schtasks.exe
3056	schtasks.exe

pid	process
5080	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe
4796	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	5080	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe
Token: SeDebugPrivilege	4796	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe

description	pid	process	target process
PID 5080 wrote to memory of 3984	5080	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 5080 wrote to memory of 3984	5080	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 5080 wrote to memory of 1188	5080	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 5080 wrote to memory of 1188	5080	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 5080 wrote to memory of 3056	5080	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 5080 wrote to memory of 3056	5080	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	schtasks.exe
PID 5080 wrote to memory of 4796	5080	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	RuntimeBroker.exe
PID 5080 wrote to memory of 4796	5080	40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe
"C:\Users\Admin\AppData\Local\Temp\40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3984

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1188

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3056

C:\ProgramData\Desktop\RuntimeBroker.exe
"C:\ProgramData\Desktop\RuntimeBroker.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Desktop\RuntimeBroker.exe

Filesize
356KB

MD5
922a77e55160186e8d3558c88f45f0fd

SHA1
97981a4019c4c0f8aae6ddc20aeae64bf1927718

SHA256
40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

SHA512
04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38

Download Submit
C:\Users\Public\Desktop\RuntimeBroker.exe

Filesize
356KB

MD5
922a77e55160186e8d3558c88f45f0fd

SHA1
97981a4019c4c0f8aae6ddc20aeae64bf1927718

SHA256
40a1f82ba46ac86ff0b663d8b0d48e2fe6a55cb8e29b0baecab526279c1fcc5c

SHA512
04aeb1f8d8ba0f6cd0b905a981988b3005cc69da7ec659465c4972df5b2916e963529444d9819ee26a47c6f18db428e44c1972c9ad22b6747871f7c9ecc9fd38

Download Submit
memory/1188-135-0x0000000000000000-mapping.dmp

Download
memory/3056-136-0x0000000000000000-mapping.dmp

Download
memory/3984-134-0x0000000000000000-mapping.dmp

Download
memory/4796-137-0x0000000000000000-mapping.dmp

Download
memory/4796-141-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/4796-142-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/5080-132-0x000001FA1BD50000-0x000001FA1BDB0000-memory.dmp

Filesize
384KB

Download
memory/5080-133-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/5080-140-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads