dcrat | 1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b

Analysis

max time kernel
129s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe
Size

568KB
MD5

964c865ff8000d828844c15a893b6a01
SHA1

f515cc005445d2090319a8345154bcf59f3824a1
SHA256

1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b
SHA512

230b0924c9fcdf67d03ce8b229d042286a2c99117f472691c3b7691bc34d4519825346ae1a279ea498c728c66e8240e4c4f20bceed40028036468ae1a926f66c
SSDEEP

12288:9Qnk3GDYKGcbloTn85eZV8D5ubjObv+hq6arF+6dS:HAOcZEnOeZ+k++q6arFTQ

Score

10^/10

dcrat evasion infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\drivermonitor\perfmonitor.exe	dcrat
C:\drivermonitor\perfmonitor.exe	dcrat
behavioral2/memory/5028-146-0x0000020395D60000-0x0000020395DD4000-memory.dmp	dcrat
C:\odt\csrss.exe	dcrat
C:\odt\csrss.exe	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 3 IoCs

Processes:

iO6BC8dEqKOXouWDXhji.exeperfmonitor.execsrss.exe

pid process

384 iO6BC8dEqKOXouWDXhji.exe
5028 perfmonitor.exe
3528 csrss.exe

pid	process
384	iO6BC8dEqKOXouWDXhji.exe
5028	perfmonitor.exe
3528	csrss.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exeWScript.exeiO6BC8dEqKOXouWDXhji.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	iO6BC8dEqKOXouWDXhji.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

perfmonitor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\PerfLogs\\StartMenuExperienceHost.exe\""	perfmonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3464 schtasks.exe
652 schtasks.exe
4320 schtasks.exe
4424 schtasks.exe

pid	process
3464	schtasks.exe
652	schtasks.exe
4320	schtasks.exe
4424	schtasks.exe

Modifies registry class 2 IoCs

Processes:

1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exeiO6BC8dEqKOXouWDXhji.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	iO6BC8dEqKOXouWDXhji.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2572 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

perfmonitor.execsrss.exe

pid process

5028 perfmonitor.exe
3528 csrss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

perfmonitor.execsrss.exe

description pid process

Token: SeDebugPrivilege 5028 perfmonitor.exe
Token: SeDebugPrivilege 3528 csrss.exe

pid	process
2572	reg.exe

pid	process
5028	perfmonitor.exe
3528	csrss.exe

description	pid	process
Token: SeDebugPrivilege	5028	perfmonitor.exe
Token: SeDebugPrivilege	3528	csrss.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exeWScript.execmd.exeiO6BC8dEqKOXouWDXhji.exeWScript.execmd.exeperfmonitor.exe

description	pid	process	target process
PID 4844 wrote to memory of 3068	4844	1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe	WScript.exe
PID 4844 wrote to memory of 3068	4844	1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe	WScript.exe
PID 4844 wrote to memory of 3068	4844	1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe	WScript.exe
PID 3068 wrote to memory of 1960	3068	WScript.exe	cmd.exe
PID 3068 wrote to memory of 1960	3068	WScript.exe	cmd.exe
PID 3068 wrote to memory of 1960	3068	WScript.exe	cmd.exe
PID 1960 wrote to memory of 384	1960	cmd.exe	iO6BC8dEqKOXouWDXhji.exe
PID 1960 wrote to memory of 384	1960	cmd.exe	iO6BC8dEqKOXouWDXhji.exe
PID 1960 wrote to memory of 384	1960	cmd.exe	iO6BC8dEqKOXouWDXhji.exe
PID 384 wrote to memory of 1272	384	iO6BC8dEqKOXouWDXhji.exe	WScript.exe
PID 384 wrote to memory of 1272	384	iO6BC8dEqKOXouWDXhji.exe	WScript.exe
PID 384 wrote to memory of 1272	384	iO6BC8dEqKOXouWDXhji.exe	WScript.exe
PID 1272 wrote to memory of 340	1272	WScript.exe	cmd.exe
PID 1272 wrote to memory of 340	1272	WScript.exe	cmd.exe
PID 1272 wrote to memory of 340	1272	WScript.exe	cmd.exe
PID 340 wrote to memory of 5028	340	cmd.exe	perfmonitor.exe
PID 340 wrote to memory of 5028	340	cmd.exe	perfmonitor.exe
PID 5028 wrote to memory of 4320	5028	perfmonitor.exe	schtasks.exe
PID 5028 wrote to memory of 4320	5028	perfmonitor.exe	schtasks.exe
PID 5028 wrote to memory of 4424	5028	perfmonitor.exe	schtasks.exe
PID 5028 wrote to memory of 4424	5028	perfmonitor.exe	schtasks.exe
PID 5028 wrote to memory of 3464	5028	perfmonitor.exe	schtasks.exe
PID 5028 wrote to memory of 3464	5028	perfmonitor.exe	schtasks.exe
PID 5028 wrote to memory of 652	5028	perfmonitor.exe	schtasks.exe
PID 5028 wrote to memory of 652	5028	perfmonitor.exe	schtasks.exe
PID 5028 wrote to memory of 3528	5028	perfmonitor.exe	csrss.exe
PID 5028 wrote to memory of 3528	5028	perfmonitor.exe	csrss.exe
PID 340 wrote to memory of 2572	340	cmd.exe	reg.exe
PID 340 wrote to memory of 2572	340	cmd.exe	reg.exe
PID 340 wrote to memory of 2572	340	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe
"C:\Users\Admin\AppData\Local\Temp\1d439ec54ed1429fac4862177dabb8281a6ff601cd74d6068a0ecee37ffc521b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\drivermonitor\4qNDwmvSj8xJ6Z6hiFZ2OUEcJWousp.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\drivermonitor\WrDH3qxAUkYzRGJWCqUjcyX8OGrecF.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\drivermonitor\iO6BC8dEqKOXouWDXhji.exe
iO6BC8dEqKOXouWDXhji.exe -p296553e2f28a32964db134d3c17bd5db737ec6f7
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\drivermonitor\fNuDzHcCRjKDzRwLXgvHYjdASw36KH.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\drivermonitor\2Jb67kEpEt5BmuM24xMYsb9CsVyC3N.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:340

C:\drivermonitor\perfmonitor.exe
"C:\drivermonitor\perfmonitor.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\PerfLogs\StartMenuExperienceHost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:4320

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\PerfLogs\Idle.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:4424

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Documents and Settings\winlogon.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:3464

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:652

C:\odt\csrss.exe
"C:\odt\csrss.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
7⤵
- Modifies registry key
PID:2572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\drivermonitor\2Jb67kEpEt5BmuM24xMYsb9CsVyC3N.bat
Filesize
146B

MD5
a260d4fabc68d4d615f881a0e0487add

SHA1
af29a4ef4918106dcdb159fa66e39812e1cf7cc8

SHA256
5c20c8e1a6465d06b3c776a17f61bc725e881d3a214ef542bd94fe13ede67ead

SHA512
3c0bb7d9db723a321de3ee5e327d6f063201f7849c92d1f35b34ca331a63cd7fae784de76b600f93fa507b828176533a6824cbd20cd14b4c8124b2505e360020

Download Submit
C:\drivermonitor\4qNDwmvSj8xJ6Z6hiFZ2OUEcJWousp.vbe
Filesize
149B

MD5
53b63135fe5b3302b65313cc4f13abf7

SHA1
dde8fdd1e47210935039b8b5b11e046b04686a84

SHA256
a6fcc6c0a13f0148a3e0f69218c64ca5e3184ea6878ef3ed4bf098ee167b5fe3

SHA512
744c5b6955c1548dd889347e92483a97b95346fd305cc8059c6e971474b24c6f8b8d8fc400fd4acd541e6cdd6041a30cc3aa2b45c82c95c67a9e2335e1ef9de6

Download Submit
C:\drivermonitor\WrDH3qxAUkYzRGJWCqUjcyX8OGrecF.bat
Filesize
508B

MD5
69edf82a5021137d0d297b4eb32652b7

SHA1
a01a5f4281c369067b28ac54a10378c12feaec61

SHA256
6a48a3b6a91c38bb920bc524965374102fb8b895e5ac82fbb2b51ba0bc6b3b5d

SHA512
0df2b547b7443d056dcc1334535aeefc2b7576a568684268a9cf7c027fa47be0b6c37f58f3b5ba62bef5a09a2d26e59d9f972014431e3c26ae07e29d7f127660

Download Submit
C:\drivermonitor\fNuDzHcCRjKDzRwLXgvHYjdASw36KH.vbe
Filesize
225B

MD5
c70da5d8a3b2a1c1482bfa6b1cfe3d20

SHA1
6d18697f057d9cea49bfc9551e6f5f538fcfdaf8

SHA256
3d888081e832729b3a7980fb0dfa384c56d42d321ac53d1fd25713b753279635

SHA512
7299d531c3425c2544160f848bceef72ee9b3b066dad8feaa7c2ad4f7a9a7a2ec73812a19ccfb92c8463418e8412398a0328708aca7bd52f5452060c4cd116c4

Download Submit
C:\drivermonitor\iO6BC8dEqKOXouWDXhji.exe
Filesize
443KB

MD5
9c0b0d1a1f0918fe58689d03fe740793

SHA1
acd40d521e320cae22c0dc449e5698d49902d0b8

SHA256
e93280a8c9b9d237d99185d98722268965e8746b852c58690a1c9704cff8d887

SHA512
6ec9b1b103d9cc389c6bbda3df08504b0dea6edfc298203100de05f4d33e36763f7596a0081b29ea2ff6124814a294e76bc5203fc27095a6c4c89ed717d3e6dc

Download Submit
C:\drivermonitor\iO6BC8dEqKOXouWDXhji.exe
Filesize
443KB

MD5
9c0b0d1a1f0918fe58689d03fe740793

SHA1
acd40d521e320cae22c0dc449e5698d49902d0b8

SHA256
e93280a8c9b9d237d99185d98722268965e8746b852c58690a1c9704cff8d887

SHA512
6ec9b1b103d9cc389c6bbda3df08504b0dea6edfc298203100de05f4d33e36763f7596a0081b29ea2ff6124814a294e76bc5203fc27095a6c4c89ed717d3e6dc

Download Submit
C:\drivermonitor\perfmonitor.exe
Filesize
439KB

MD5
d4234b8df716da817e4defe82b27d9e7

SHA1
b7b67bbf2465eeb930ac1c08abaf9b91c921aea7

SHA256
e224db280c30788edff21f573932189b2d28fd6b759e88705f796baa312d88fc

SHA512
3e339e8f20f1f52c635fbc567d174140a661fbfbfd444cf08d4894040c576f3eea5249ed1ea518082ad4f90f3c9de3790c01cd53e3cfd70c43886583f815ce10

Download Submit
C:\drivermonitor\perfmonitor.exe
Filesize
439KB

MD5
d4234b8df716da817e4defe82b27d9e7

SHA1
b7b67bbf2465eeb930ac1c08abaf9b91c921aea7

SHA256
e224db280c30788edff21f573932189b2d28fd6b759e88705f796baa312d88fc

SHA512
3e339e8f20f1f52c635fbc567d174140a661fbfbfd444cf08d4894040c576f3eea5249ed1ea518082ad4f90f3c9de3790c01cd53e3cfd70c43886583f815ce10

Download Submit
C:\odt\csrss.exe
Filesize
439KB

MD5
d4234b8df716da817e4defe82b27d9e7

SHA1
b7b67bbf2465eeb930ac1c08abaf9b91c921aea7

SHA256
e224db280c30788edff21f573932189b2d28fd6b759e88705f796baa312d88fc

SHA512
3e339e8f20f1f52c635fbc567d174140a661fbfbfd444cf08d4894040c576f3eea5249ed1ea518082ad4f90f3c9de3790c01cd53e3cfd70c43886583f815ce10

Download Submit
C:\odt\csrss.exe
Filesize
439KB

MD5
d4234b8df716da817e4defe82b27d9e7

SHA1
b7b67bbf2465eeb930ac1c08abaf9b91c921aea7

SHA256
e224db280c30788edff21f573932189b2d28fd6b759e88705f796baa312d88fc

SHA512
3e339e8f20f1f52c635fbc567d174140a661fbfbfd444cf08d4894040c576f3eea5249ed1ea518082ad4f90f3c9de3790c01cd53e3cfd70c43886583f815ce10

Download Submit
memory/340-142-0x0000000000000000-mapping.dmp

Download
memory/384-136-0x0000000000000000-mapping.dmp

Download
memory/652-152-0x0000000000000000-mapping.dmp

Download
memory/1272-139-0x0000000000000000-mapping.dmp

Download
memory/1960-135-0x0000000000000000-mapping.dmp

Download
memory/2572-157-0x0000000000000000-mapping.dmp

Download
memory/3068-132-0x0000000000000000-mapping.dmp

Download
memory/3464-151-0x0000000000000000-mapping.dmp

Download
memory/3528-153-0x0000000000000000-mapping.dmp

Download
memory/3528-158-0x00007FFF6FBE0000-0x00007FFF706A1000-memory.dmp

Filesize
10.8MB

Download
memory/3528-159-0x00007FFF6FBE0000-0x00007FFF706A1000-memory.dmp

Filesize
10.8MB

Download
memory/3528-160-0x00007FFF6FBE0000-0x00007FFF706A1000-memory.dmp

Filesize
10.8MB

Download
memory/4320-149-0x0000000000000000-mapping.dmp

Download
memory/4424-150-0x0000000000000000-mapping.dmp

Download
memory/5028-148-0x00007FFF6FBE0000-0x00007FFF706A1000-memory.dmp

Filesize
10.8MB

Download
memory/5028-147-0x00007FFF6FBE0000-0x00007FFF706A1000-memory.dmp

Filesize
10.8MB

Download
memory/5028-146-0x0000020395D60000-0x0000020395DD4000-memory.dmp

Filesize
464KB

Download
memory/5028-156-0x00007FFF6FBE0000-0x00007FFF706A1000-memory.dmp

Filesize
10.8MB

Download
memory/5028-143-0x0000000000000000-mapping.dmp

Download