dcrat | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd

General

Target

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
Size

365KB
MD5

26aac416b405eb46f35b28dbab437670
SHA1

dd2e2c39196d4a524f1b28c4f5bdf39105c97f81
SHA256

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd
SHA512

383b3bc7aad95d6f77f4671d74ae93d73072aea1a3e5d6e3da035ec3b5b60d35cd3558cd6da2f781f7854778cd5a148edbb065f750f30c92c303d235ceaa8411
SSDEEP

6144:61g8VILtCndjKC4gHAAcVKzNJkjNo22iHQSgg9tkaHgHNHbNNHvJoHHNHgzF2N7v:6fndjHdcIiJ2iHQSgg9tkaHgHNHbNNHq

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1948-54-0x0000000001130000-0x0000000001194000-memory.dmp	dcrat
C:\ProgramData\Adobe\Acrobat\9.0\taskhost.exe	dcrat
C:\Users\All Users\Adobe\Acrobat\9.0\taskhost.exe	dcrat
behavioral1/memory/364-62-0x00000000001A0000-0x0000000000204000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

taskhost.exe

pid process

364 taskhost.exe

pid	process
364	taskhost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\Application Data\\explorer.exe\""	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Offline Web Pages\\lsass.exe\""	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\taskhost.exe\""	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe

Drops file in Program Files directory 2 IoCs

Processes:

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\b75386f1303e64d8139363b71e44ac16341adf4e	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
File created	C:\Program Files\7-Zip\Lang\taskhost.exe	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe

Drops file in Windows directory 2 IoCs

Processes:

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe

description	ioc	process
File created	C:\Windows\Offline Web Pages\lsass.exe	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
File created	C:\Windows\Offline Web Pages\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1772 schtasks.exe
1760 schtasks.exe
1724 schtasks.exe
1876 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exetaskhost.exe

pid process

1948 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
364 taskhost.exe

pid	process
1772	schtasks.exe
1760	schtasks.exe
1724	schtasks.exe
1876	schtasks.exe

pid	process
1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
364	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
Token: SeDebugPrivilege	364	taskhost.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe

description	pid	process	target process
PID 1948 wrote to memory of 1760	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 1948 wrote to memory of 1760	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 1948 wrote to memory of 1760	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 1948 wrote to memory of 1724	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 1948 wrote to memory of 1724	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 1948 wrote to memory of 1724	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 1948 wrote to memory of 1876	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 1948 wrote to memory of 1876	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 1948 wrote to memory of 1876	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 1948 wrote to memory of 1772	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 1948 wrote to memory of 1772	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 1948 wrote to memory of 1772	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 1948 wrote to memory of 364	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	taskhost.exe
PID 1948 wrote to memory of 364	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	taskhost.exe
PID 1948 wrote to memory of 364	1948	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	taskhost.exe

C:\Users\Admin\AppData\Local\Temp\948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
"C:\Users\Admin\AppData\Local\Temp\948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Application Data\explorer.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\lsass.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\taskhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1772

C:\Users\All Users\Adobe\Acrobat\9.0\taskhost.exe
"C:\Users\All Users\Adobe\Acrobat\9.0\taskhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Acrobat\9.0\taskhost.exe
Filesize
365KB

MD5
26aac416b405eb46f35b28dbab437670

SHA1
dd2e2c39196d4a524f1b28c4f5bdf39105c97f81

SHA256
948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd

SHA512
383b3bc7aad95d6f77f4671d74ae93d73072aea1a3e5d6e3da035ec3b5b60d35cd3558cd6da2f781f7854778cd5a148edbb065f750f30c92c303d235ceaa8411

Download Submit
C:\Users\All Users\Adobe\Acrobat\9.0\taskhost.exe
Filesize
365KB

MD5
26aac416b405eb46f35b28dbab437670

SHA1
dd2e2c39196d4a524f1b28c4f5bdf39105c97f81

SHA256
948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd

SHA512
383b3bc7aad95d6f77f4671d74ae93d73072aea1a3e5d6e3da035ec3b5b60d35cd3558cd6da2f781f7854778cd5a148edbb065f750f30c92c303d235ceaa8411

Download Submit
memory/364-59-0x0000000000000000-mapping.dmp

Download
memory/364-62-0x00000000001A0000-0x0000000000204000-memory.dmp

Filesize
400KB

Download
memory/1724-56-0x0000000000000000-mapping.dmp

Download
memory/1760-55-0x0000000000000000-mapping.dmp

Download
memory/1772-58-0x0000000000000000-mapping.dmp

Download
memory/1876-57-0x0000000000000000-mapping.dmp

Download
memory/1948-54-0x0000000001130000-0x0000000001194000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads