dcrat | 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd

General

Target

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
Size

365KB
MD5

26aac416b405eb46f35b28dbab437670
SHA1

dd2e2c39196d4a524f1b28c4f5bdf39105c97f81
SHA256

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd
SHA512

383b3bc7aad95d6f77f4671d74ae93d73072aea1a3e5d6e3da035ec3b5b60d35cd3558cd6da2f781f7854778cd5a148edbb065f750f30c92c303d235ceaa8411
SSDEEP

6144:61g8VILtCndjKC4gHAAcVKzNJkjNo22iHQSgg9tkaHgHNHbNNHvJoHHNHgzF2N7v:6fndjHdcIiJ2iHQSgg9tkaHgHNHbNNHq

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4300-132-0x000001E9E3B10000-0x000001E9E3B74000-memory.dmp	dcrat
C:\Users\fontdrvhost.exe	dcrat
C:\Documents and Settings\fontdrvhost.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

fontdrvhost.exe

pid process

1412 fontdrvhost.exe

pid	process
1412	fontdrvhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe

description	ioc	process
File created	C:\Program Files\Windows Defender\fr-FR\560854153607923c4c5f107085a7db67be01f252	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
File created	C:\Program Files\Windows Defender\fr-FR\wininit.exe	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe

Drops file in Windows directory 6 IoCs

Processes:

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe

description	ioc	process
File opened for modification	C:\Windows\Vss\Writers\Application\taskhostw.exe	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
File created	C:\Windows\Vss\Writers\Application\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppxMetadata\upfc.exe	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppxMetadata\ea1d8f6d871115e19e634087152e4aa43b875a69	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
File created	C:\Windows\CSC\csrss.exe	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
File created	C:\Windows\Vss\Writers\Application\taskhostw.exe	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3376 schtasks.exe
444 schtasks.exe
840 schtasks.exe
5092 schtasks.exe
4932 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exefontdrvhost.exe

pid process

4300 948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
1412 fontdrvhost.exe

pid	process
3376	schtasks.exe
444	schtasks.exe
840	schtasks.exe
5092	schtasks.exe
4932	schtasks.exe

pid	process
4300	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
1412	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exefontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	4300	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
Token: SeDebugPrivilege	1412	fontdrvhost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe

description	pid	process	target process
PID 4300 wrote to memory of 4932	4300	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 4300 wrote to memory of 4932	4300	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 4300 wrote to memory of 3376	4300	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 4300 wrote to memory of 3376	4300	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 4300 wrote to memory of 444	4300	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 4300 wrote to memory of 444	4300	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 4300 wrote to memory of 840	4300	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 4300 wrote to memory of 840	4300	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 4300 wrote to memory of 5092	4300	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 4300 wrote to memory of 5092	4300	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	schtasks.exe
PID 4300 wrote to memory of 1412	4300	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	fontdrvhost.exe
PID 4300 wrote to memory of 1412	4300	948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe	fontdrvhost.exe

C:\Users\Admin\AppData\Local\Temp\948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe
"C:\Users\Admin\AppData\Local\Temp\948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\taskhostw.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4932

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppxMetadata\upfc.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3376

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Documents and Settings\wininit.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:444

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\wininit.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:840

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Documents and Settings\fontdrvhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:5092

C:\Documents and Settings\fontdrvhost.exe
"C:\Documents and Settings\fontdrvhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\fontdrvhost.exe
Filesize
365KB

MD5
26aac416b405eb46f35b28dbab437670

SHA1
dd2e2c39196d4a524f1b28c4f5bdf39105c97f81

SHA256
948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd

SHA512
383b3bc7aad95d6f77f4671d74ae93d73072aea1a3e5d6e3da035ec3b5b60d35cd3558cd6da2f781f7854778cd5a148edbb065f750f30c92c303d235ceaa8411

Download Submit
C:\Users\fontdrvhost.exe
Filesize
365KB

MD5
26aac416b405eb46f35b28dbab437670

SHA1
dd2e2c39196d4a524f1b28c4f5bdf39105c97f81

SHA256
948246c1a33831495f4166e1a4797ec5e20b8bbb4b723979baed6c8d9bbfb6fd

SHA512
383b3bc7aad95d6f77f4671d74ae93d73072aea1a3e5d6e3da035ec3b5b60d35cd3558cd6da2f781f7854778cd5a148edbb065f750f30c92c303d235ceaa8411

Download Submit
memory/444-137-0x0000000000000000-mapping.dmp

Download
memory/840-138-0x0000000000000000-mapping.dmp

Download
memory/1412-140-0x0000000000000000-mapping.dmp

Download
memory/1412-144-0x00007FFEB0DB0000-0x00007FFEB1871000-memory.dmp

Filesize
10.8MB

Download
memory/1412-145-0x00007FFEB0DB0000-0x00007FFEB1871000-memory.dmp

Filesize
10.8MB

Download
memory/1412-146-0x00007FFEB0DB0000-0x00007FFEB1871000-memory.dmp

Filesize
10.8MB

Download
memory/3376-136-0x0000000000000000-mapping.dmp

Download
memory/4300-132-0x000001E9E3B10000-0x000001E9E3B74000-memory.dmp

Filesize
400KB

Download
memory/4300-134-0x00007FFEB0DB0000-0x00007FFEB1871000-memory.dmp

Filesize
10.8MB

Download
memory/4300-133-0x00007FFEB0DB0000-0x00007FFEB1871000-memory.dmp

Filesize
10.8MB

Download
memory/4300-143-0x00007FFEB0DB0000-0x00007FFEB1871000-memory.dmp

Filesize
10.8MB

Download
memory/4932-135-0x0000000000000000-mapping.dmp

Download
memory/5092-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads