dcrat | 1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe
Size

568KB
MD5

964c865ff8000d828844c15a893b6a01
SHA1

f515cc005445d2090319a8345154bcf59f3824a1
SHA256

1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b
SHA512

230b0924c9fcdf67d03ce8b229d042286a2c99117f472691c3b7691bc34d4519825346ae1a279ea498c728c66e8240e4c4f20bceed40028036468ae1a926f66c
SSDEEP

12288:9Qnk3GDYKGcbloTn85eZV8D5ubjObv+hq6arF+6dS:HAOcZEnOeZ+k++q6arFTQ

Score

10^/10

dcrat evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\drivermonitor\perfmonitor.exe	dcrat
\drivermonitor\perfmonitor.exe	dcrat
C:\drivermonitor\perfmonitor.exe	dcrat
behavioral1/memory/1800-74-0x0000000000160000-0x00000000001D4000-memory.dmp	dcrat
C:\Users\Public\Desktop\lsass.exe	dcrat
behavioral1/memory/112-85-0x0000000000A60000-0x0000000000AD4000-memory.dmp	dcrat
C:\ProgramData\Desktop\lsass.exe	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 3 IoCs

Processes:

iO6BC8dEqKOXouWDXhji.exeperfmonitor.exelsass.exe

pid process

560 iO6BC8dEqKOXouWDXhji.exe
1800 perfmonitor.exe
112 lsass.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.execmd.exe

pid process

2040 cmd.exe
888 cmd.exe

pid	process
560	iO6BC8dEqKOXouWDXhji.exe
1800	perfmonitor.exe
112	lsass.exe

pid	process
2040	cmd.exe
888	cmd.exe

Drops file in Program Files directory 3 IoCs

Processes:

perfmonitor.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\lsass.exe	perfmonitor.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	perfmonitor.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\lsass.exe	perfmonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1424 schtasks.exe
1552 schtasks.exe
1872 schtasks.exe
1360 schtasks.exe
1804 schtasks.exe
896 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1808 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

perfmonitor.exelsass.exe

pid process

1800 perfmonitor.exe
112 lsass.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

perfmonitor.exelsass.exe

description pid process

Token: SeDebugPrivilege 1800 perfmonitor.exe
Token: SeDebugPrivilege 112 lsass.exe

pid	process
1424	schtasks.exe
1552	schtasks.exe
1872	schtasks.exe
1360	schtasks.exe
1804	schtasks.exe
896	schtasks.exe

pid	process
1808	reg.exe

pid	process
1800	perfmonitor.exe
112	lsass.exe

description	pid	process
Token: SeDebugPrivilege	1800	perfmonitor.exe
Token: SeDebugPrivilege	112	lsass.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exeWScript.execmd.exeiO6BC8dEqKOXouWDXhji.exeWScript.execmd.exeperfmonitor.exe

description	pid	process	target process
PID 1304 wrote to memory of 2036	1304	1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe	WScript.exe
PID 1304 wrote to memory of 2036	1304	1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe	WScript.exe
PID 1304 wrote to memory of 2036	1304	1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe	WScript.exe
PID 1304 wrote to memory of 2036	1304	1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe	WScript.exe
PID 2036 wrote to memory of 2040	2036	WScript.exe	cmd.exe
PID 2036 wrote to memory of 2040	2036	WScript.exe	cmd.exe
PID 2036 wrote to memory of 2040	2036	WScript.exe	cmd.exe
PID 2036 wrote to memory of 2040	2036	WScript.exe	cmd.exe
PID 2040 wrote to memory of 560	2040	cmd.exe	iO6BC8dEqKOXouWDXhji.exe
PID 2040 wrote to memory of 560	2040	cmd.exe	iO6BC8dEqKOXouWDXhji.exe
PID 2040 wrote to memory of 560	2040	cmd.exe	iO6BC8dEqKOXouWDXhji.exe
PID 2040 wrote to memory of 560	2040	cmd.exe	iO6BC8dEqKOXouWDXhji.exe
PID 560 wrote to memory of 1564	560	iO6BC8dEqKOXouWDXhji.exe	WScript.exe
PID 560 wrote to memory of 1564	560	iO6BC8dEqKOXouWDXhji.exe	WScript.exe
PID 560 wrote to memory of 1564	560	iO6BC8dEqKOXouWDXhji.exe	WScript.exe
PID 560 wrote to memory of 1564	560	iO6BC8dEqKOXouWDXhji.exe	WScript.exe
PID 1564 wrote to memory of 888	1564	WScript.exe	cmd.exe
PID 1564 wrote to memory of 888	1564	WScript.exe	cmd.exe
PID 1564 wrote to memory of 888	1564	WScript.exe	cmd.exe
PID 1564 wrote to memory of 888	1564	WScript.exe	cmd.exe
PID 888 wrote to memory of 1800	888	cmd.exe	perfmonitor.exe
PID 888 wrote to memory of 1800	888	cmd.exe	perfmonitor.exe
PID 888 wrote to memory of 1800	888	cmd.exe	perfmonitor.exe
PID 888 wrote to memory of 1800	888	cmd.exe	perfmonitor.exe
PID 1800 wrote to memory of 1552	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 1552	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 1552	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 1872	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 1872	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 1872	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 1360	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 1360	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 1360	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 1804	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 1804	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 1804	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 896	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 896	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 896	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 1424	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 1424	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 1424	1800	perfmonitor.exe	schtasks.exe
PID 1800 wrote to memory of 112	1800	perfmonitor.exe	lsass.exe
PID 1800 wrote to memory of 112	1800	perfmonitor.exe	lsass.exe
PID 1800 wrote to memory of 112	1800	perfmonitor.exe	lsass.exe
PID 888 wrote to memory of 1808	888	cmd.exe	reg.exe
PID 888 wrote to memory of 1808	888	cmd.exe	reg.exe
PID 888 wrote to memory of 1808	888	cmd.exe	reg.exe
PID 888 wrote to memory of 1808	888	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe
"C:\Users\Admin\AppData\Local\Temp\1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\drivermonitor\4qNDwmvSj8xJ6Z6hiFZ2OUEcJWousp.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\drivermonitor\WrDH3qxAUkYzRGJWCqUjcyX8OGrecF.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\drivermonitor\iO6BC8dEqKOXouWDXhji.exe
iO6BC8dEqKOXouWDXhji.exe -p296553e2f28a32964db134d3c17bd5db737ec6f7
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\drivermonitor\fNuDzHcCRjKDzRwLXgvHYjdASw36KH.vbe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\drivermonitor\2Jb67kEpEt5BmuM24xMYsb9CsVyC3N.bat" "
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888

C:\drivermonitor\perfmonitor.exe
"C:\drivermonitor\perfmonitor.exe"
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\lsass.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\drivermonitor\smss.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\drivermonitor\System.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\PerfLogs\Admin\conhost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\spoolsv.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\ProgramData\Desktop\lsass.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1424

C:\ProgramData\Desktop\lsass.exe
"C:\ProgramData\Desktop\lsass.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
7⤵
- Modifies registry key
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Desktop\lsass.exe
Filesize
439KB

MD5
d4234b8df716da817e4defe82b27d9e7

SHA1
b7b67bbf2465eeb930ac1c08abaf9b91c921aea7

SHA256
e224db280c30788edff21f573932189b2d28fd6b759e88705f796baa312d88fc

SHA512
3e339e8f20f1f52c635fbc567d174140a661fbfbfd444cf08d4894040c576f3eea5249ed1ea518082ad4f90f3c9de3790c01cd53e3cfd70c43886583f815ce10

Download Submit
C:\Users\Public\Desktop\lsass.exe
Filesize
439KB

MD5
d4234b8df716da817e4defe82b27d9e7

SHA1
b7b67bbf2465eeb930ac1c08abaf9b91c921aea7

SHA256
e224db280c30788edff21f573932189b2d28fd6b759e88705f796baa312d88fc

SHA512
3e339e8f20f1f52c635fbc567d174140a661fbfbfd444cf08d4894040c576f3eea5249ed1ea518082ad4f90f3c9de3790c01cd53e3cfd70c43886583f815ce10

Download Submit
C:\drivermonitor\2Jb67kEpEt5BmuM24xMYsb9CsVyC3N.bat
Filesize
146B

MD5
a260d4fabc68d4d615f881a0e0487add

SHA1
af29a4ef4918106dcdb159fa66e39812e1cf7cc8

SHA256
5c20c8e1a6465d06b3c776a17f61bc725e881d3a214ef542bd94fe13ede67ead

SHA512
3c0bb7d9db723a321de3ee5e327d6f063201f7849c92d1f35b34ca331a63cd7fae784de76b600f93fa507b828176533a6824cbd20cd14b4c8124b2505e360020

Download Submit
C:\drivermonitor\4qNDwmvSj8xJ6Z6hiFZ2OUEcJWousp.vbe
Filesize
149B

MD5
53b63135fe5b3302b65313cc4f13abf7

SHA1
dde8fdd1e47210935039b8b5b11e046b04686a84

SHA256
a6fcc6c0a13f0148a3e0f69218c64ca5e3184ea6878ef3ed4bf098ee167b5fe3

SHA512
744c5b6955c1548dd889347e92483a97b95346fd305cc8059c6e971474b24c6f8b8d8fc400fd4acd541e6cdd6041a30cc3aa2b45c82c95c67a9e2335e1ef9de6

Download Submit
C:\drivermonitor\WrDH3qxAUkYzRGJWCqUjcyX8OGrecF.bat
Filesize
508B

MD5
69edf82a5021137d0d297b4eb32652b7

SHA1
a01a5f4281c369067b28ac54a10378c12feaec61

SHA256
6a48a3b6a91c38bb920bc524965374102fb8b895e5ac82fbb2b51ba0bc6b3b5d

SHA512
0df2b547b7443d056dcc1334535aeefc2b7576a568684268a9cf7c027fa47be0b6c37f58f3b5ba62bef5a09a2d26e59d9f972014431e3c26ae07e29d7f127660

Download Submit
C:\drivermonitor\fNuDzHcCRjKDzRwLXgvHYjdASw36KH.vbe
Filesize
225B

MD5
c70da5d8a3b2a1c1482bfa6b1cfe3d20

SHA1
6d18697f057d9cea49bfc9551e6f5f538fcfdaf8

SHA256
3d888081e832729b3a7980fb0dfa384c56d42d321ac53d1fd25713b753279635

SHA512
7299d531c3425c2544160f848bceef72ee9b3b066dad8feaa7c2ad4f7a9a7a2ec73812a19ccfb92c8463418e8412398a0328708aca7bd52f5452060c4cd116c4

Download Submit
C:\drivermonitor\iO6BC8dEqKOXouWDXhji.exe
Filesize
443KB

MD5
9c0b0d1a1f0918fe58689d03fe740793

SHA1
acd40d521e320cae22c0dc449e5698d49902d0b8

SHA256
e93280a8c9b9d237d99185d98722268965e8746b852c58690a1c9704cff8d887

SHA512
6ec9b1b103d9cc389c6bbda3df08504b0dea6edfc298203100de05f4d33e36763f7596a0081b29ea2ff6124814a294e76bc5203fc27095a6c4c89ed717d3e6dc

Download Submit
C:\drivermonitor\iO6BC8dEqKOXouWDXhji.exe
Filesize
443KB

MD5
9c0b0d1a1f0918fe58689d03fe740793

SHA1
acd40d521e320cae22c0dc449e5698d49902d0b8

SHA256
e93280a8c9b9d237d99185d98722268965e8746b852c58690a1c9704cff8d887

SHA512
6ec9b1b103d9cc389c6bbda3df08504b0dea6edfc298203100de05f4d33e36763f7596a0081b29ea2ff6124814a294e76bc5203fc27095a6c4c89ed717d3e6dc

Download Submit
C:\drivermonitor\perfmonitor.exe
Filesize
439KB

MD5
d4234b8df716da817e4defe82b27d9e7

SHA1
b7b67bbf2465eeb930ac1c08abaf9b91c921aea7

SHA256
e224db280c30788edff21f573932189b2d28fd6b759e88705f796baa312d88fc

SHA512
3e339e8f20f1f52c635fbc567d174140a661fbfbfd444cf08d4894040c576f3eea5249ed1ea518082ad4f90f3c9de3790c01cd53e3cfd70c43886583f815ce10

Download Submit
C:\drivermonitor\perfmonitor.exe
Filesize
439KB

MD5
d4234b8df716da817e4defe82b27d9e7

SHA1
b7b67bbf2465eeb930ac1c08abaf9b91c921aea7

SHA256
e224db280c30788edff21f573932189b2d28fd6b759e88705f796baa312d88fc

SHA512
3e339e8f20f1f52c635fbc567d174140a661fbfbfd444cf08d4894040c576f3eea5249ed1ea518082ad4f90f3c9de3790c01cd53e3cfd70c43886583f815ce10

Download Submit
\drivermonitor\iO6BC8dEqKOXouWDXhji.exe
Filesize
443KB

MD5
9c0b0d1a1f0918fe58689d03fe740793

SHA1
acd40d521e320cae22c0dc449e5698d49902d0b8

SHA256
e93280a8c9b9d237d99185d98722268965e8746b852c58690a1c9704cff8d887

SHA512
6ec9b1b103d9cc389c6bbda3df08504b0dea6edfc298203100de05f4d33e36763f7596a0081b29ea2ff6124814a294e76bc5203fc27095a6c4c89ed717d3e6dc

Download Submit
\drivermonitor\perfmonitor.exe
Filesize
439KB

MD5
d4234b8df716da817e4defe82b27d9e7

SHA1
b7b67bbf2465eeb930ac1c08abaf9b91c921aea7

SHA256
e224db280c30788edff21f573932189b2d28fd6b759e88705f796baa312d88fc

SHA512
3e339e8f20f1f52c635fbc567d174140a661fbfbfd444cf08d4894040c576f3eea5249ed1ea518082ad4f90f3c9de3790c01cd53e3cfd70c43886583f815ce10

Download Submit
memory/112-85-0x0000000000A60000-0x0000000000AD4000-memory.dmp

Filesize
464KB

Download
memory/112-81-0x0000000000000000-mapping.dmp

Download
memory/560-62-0x0000000000000000-mapping.dmp

Download
memory/888-69-0x0000000000000000-mapping.dmp

Download
memory/896-79-0x0000000000000000-mapping.dmp

Download
memory/1304-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1360-77-0x0000000000000000-mapping.dmp

Download
memory/1424-80-0x0000000000000000-mapping.dmp

Download
memory/1552-75-0x0000000000000000-mapping.dmp

Download
memory/1564-65-0x0000000000000000-mapping.dmp

Download
memory/1800-74-0x0000000000160000-0x00000000001D4000-memory.dmp

Filesize
464KB

Download
memory/1800-71-0x0000000000000000-mapping.dmp

Download
memory/1804-78-0x0000000000000000-mapping.dmp

Download
memory/1808-84-0x0000000000000000-mapping.dmp

Download
memory/1872-76-0x0000000000000000-mapping.dmp

Download
memory/2036-55-0x0000000000000000-mapping.dmp

Download
memory/2040-59-0x0000000000000000-mapping.dmp

Download