dcrat | abc85c0172af7fd9f02deb9c2d39a6416820f94ab98683b815566cee52afac16

General

Target

ca9e6c2fd24c050a88fa6435a2352665.exe
Size

2.6MB
MD5

ca9e6c2fd24c050a88fa6435a2352665
SHA1

d653a50565cba4820e118a8c80dcf15129623d4d
SHA256

abc85c0172af7fd9f02deb9c2d39a6416820f94ab98683b815566cee52afac16
SHA512

5ab9b9469371d50d6c86834a6553de9feeadb3f02e7369ed46c02f77cbf8832293639dd973ef921fc70b6be42dd49289e8bbccb83cb0364d3a7d670f3fdbe3a9
SSDEEP

49152:ObA3+EwmizGbCD5mKTnkPCCR9JLQ7v4p1P05BVKNiWV053rwEJMZa:ObOwmiUoX7kPCCR/Li4p1IVKNk53rwEL

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	1640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	1640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	1640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	1640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	1640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	1640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	1640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	1640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	1640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	1640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	1640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	1640	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\reviewintohostDllSvc\Chaindriverdll.exe	dcrat
C:\reviewintohostDllSvc\Chaindriverdll.exe	dcrat
behavioral2/memory/1936-139-0x0000000000E80000-0x00000000010B8000-memory.dmp	dcrat
C:\reviewintohostDllSvc\fontdrvhost.exe	dcrat
C:\reviewintohostDllSvc\fontdrvhost.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

Chaindriverdll.exefontdrvhost.exe

pid process

1936 Chaindriverdll.exe
2484 fontdrvhost.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeChaindriverdll.execa9e6c2fd24c050a88fa6435a2352665.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Chaindriverdll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ca9e6c2fd24c050a88fa6435a2352665.exe

Drops file in Program Files directory 4 IoCs

Processes:

Chaindriverdll.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Gadgets\backgroundTaskHost.exe	Chaindriverdll.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\eddb19405b7ce1	Chaindriverdll.exe
File created	C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe	Chaindriverdll.exe
File created	C:\Program Files (x86)\Internet Explorer\9e8d7a4ca61bd9	Chaindriverdll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1092	schtasks.exe
3204	schtasks.exe
3120	schtasks.exe
2920	schtasks.exe
4968	schtasks.exe
4484	schtasks.exe
4572	schtasks.exe
3048	schtasks.exe
5096	schtasks.exe
4136	schtasks.exe
4328	schtasks.exe
4412	schtasks.exe
712	schtasks.exe
5072	schtasks.exe
4124	schtasks.exe

Modifies registry class 1 IoCs

Processes:

ca9e6c2fd24c050a88fa6435a2352665.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	ca9e6c2fd24c050a88fa6435a2352665.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Chaindriverdll.exefontdrvhost.exe

pid	process
1936	Chaindriverdll.exe
1936	Chaindriverdll.exe
1936	Chaindriverdll.exe
1936	Chaindriverdll.exe
1936	Chaindriverdll.exe
1936	Chaindriverdll.exe
1936	Chaindriverdll.exe
2484	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Chaindriverdll.exefontdrvhost.exe

description pid process

Token: SeDebugPrivilege 1936 Chaindriverdll.exe
Token: SeDebugPrivilege 2484 fontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	1936	Chaindriverdll.exe
Token: SeDebugPrivilege	2484	fontdrvhost.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

ca9e6c2fd24c050a88fa6435a2352665.exeWScript.execmd.exeChaindriverdll.exe

description	pid	process	target process
PID 4772 wrote to memory of 1684	4772	ca9e6c2fd24c050a88fa6435a2352665.exe	WScript.exe
PID 4772 wrote to memory of 1684	4772	ca9e6c2fd24c050a88fa6435a2352665.exe	WScript.exe
PID 4772 wrote to memory of 1684	4772	ca9e6c2fd24c050a88fa6435a2352665.exe	WScript.exe
PID 1684 wrote to memory of 956	1684	WScript.exe	cmd.exe
PID 1684 wrote to memory of 956	1684	WScript.exe	cmd.exe
PID 1684 wrote to memory of 956	1684	WScript.exe	cmd.exe
PID 956 wrote to memory of 1936	956	cmd.exe	Chaindriverdll.exe
PID 956 wrote to memory of 1936	956	cmd.exe	Chaindriverdll.exe
PID 1936 wrote to memory of 2484	1936	Chaindriverdll.exe	fontdrvhost.exe
PID 1936 wrote to memory of 2484	1936	Chaindriverdll.exe	fontdrvhost.exe

C:\Users\Admin\AppData\Local\Temp\ca9e6c2fd24c050a88fa6435a2352665.exe
"C:\Users\Admin\AppData\Local\Temp\ca9e6c2fd24c050a88fa6435a2352665.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\reviewintohostDllSvc\hK5FNabO14OlK1cjw5m.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\reviewintohostDllSvc\RgJcLnW865IX.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\reviewintohostDllSvc\Chaindriverdll.exe
"C:\reviewintohostDllSvc\Chaindriverdll.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\reviewintohostDllSvc\fontdrvhost.exe
"C:\reviewintohostDllSvc\fontdrvhost.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\reviewintohostDllSvc\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\reviewintohostDllSvc\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\reviewintohostDllSvc\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\reviewintohostDllSvc\Chaindriverdll.exe
Filesize
2.2MB

MD5
d6d0f424bfa5d2e7c336ea5caad9b170

SHA1
23d70bf4aefa973046b22c343fe9e42b9d4155a1

SHA256
7084a265c7a383a2e2e27c5a0d542f2aec2ea9ba1ca4bd34667996d715d37b27

SHA512
aa0fbd910bc326b7099a415c358aac21601deee404f2604126bb41ace1d2879220eacde34f32d337d52bf3c6707931500a70c8c26dfa95b34bf00e4d55b6ea1a

Download Submit
C:\reviewintohostDllSvc\Chaindriverdll.exe
Filesize
2.2MB

MD5
d6d0f424bfa5d2e7c336ea5caad9b170

SHA1
23d70bf4aefa973046b22c343fe9e42b9d4155a1

SHA256
7084a265c7a383a2e2e27c5a0d542f2aec2ea9ba1ca4bd34667996d715d37b27

SHA512
aa0fbd910bc326b7099a415c358aac21601deee404f2604126bb41ace1d2879220eacde34f32d337d52bf3c6707931500a70c8c26dfa95b34bf00e4d55b6ea1a

Download Submit
C:\reviewintohostDllSvc\RgJcLnW865IX.bat
Filesize
44B

MD5
93d7ee0683bafe1efc043cfd7bf8ca8f

SHA1
8e38233ffc87bea1d0b479dcee37defc788a1141

SHA256
1eb4ad6004d70625a5b8ddc143093b93ce7a59abb8fac01b315e4815d1dcfd1d

SHA512
046d3b8601772431c7aa060186e3f9bb358a479d35af4557e3b2820aab01c8429a3df032141f2feb4cd9fa87e74e8513a168fe45d0085474fcc0a93c1cd3ab71

Download Submit
C:\reviewintohostDllSvc\fontdrvhost.exe
Filesize
2.2MB

MD5
d6d0f424bfa5d2e7c336ea5caad9b170

SHA1
23d70bf4aefa973046b22c343fe9e42b9d4155a1

SHA256
7084a265c7a383a2e2e27c5a0d542f2aec2ea9ba1ca4bd34667996d715d37b27

SHA512
aa0fbd910bc326b7099a415c358aac21601deee404f2604126bb41ace1d2879220eacde34f32d337d52bf3c6707931500a70c8c26dfa95b34bf00e4d55b6ea1a

Download Submit
C:\reviewintohostDllSvc\fontdrvhost.exe
Filesize
2.2MB

MD5
d6d0f424bfa5d2e7c336ea5caad9b170

SHA1
23d70bf4aefa973046b22c343fe9e42b9d4155a1

SHA256
7084a265c7a383a2e2e27c5a0d542f2aec2ea9ba1ca4bd34667996d715d37b27

SHA512
aa0fbd910bc326b7099a415c358aac21601deee404f2604126bb41ace1d2879220eacde34f32d337d52bf3c6707931500a70c8c26dfa95b34bf00e4d55b6ea1a

Download Submit
C:\reviewintohostDllSvc\hK5FNabO14OlK1cjw5m.vbe
Filesize
209B

MD5
1154819bdb0f3db2baea3f24c737fb1e

SHA1
ee6440e6dde7bf316764066769308ce27d6b12b4

SHA256
83cb8703cd9dadf0d1147f1fc0b7791935c41e037c4eb30cb672901ccb0e6769

SHA512
402cbb74d62523179f20a12b4fcb2706c119f8054e6ff870bd83e73ce3aacca490001b0a2b2da59affe4fa09491ff72bc27c6e4d95fad43cc12721a26c913ca4

Download Submit
memory/956-135-0x0000000000000000-mapping.dmp

Download
memory/1684-132-0x0000000000000000-mapping.dmp

Download
memory/1936-136-0x0000000000000000-mapping.dmp

Download
memory/1936-141-0x000000001CF70000-0x000000001CFC0000-memory.dmp

Filesize
320KB

Download
memory/1936-140-0x00007FFC106D0000-0x00007FFC11191000-memory.dmp

Filesize
10.8MB

Download
memory/1936-139-0x0000000000E80000-0x00000000010B8000-memory.dmp

Filesize
2.2MB

Download
memory/1936-145-0x00007FFC106D0000-0x00007FFC11191000-memory.dmp

Filesize
10.8MB

Download
memory/2484-142-0x0000000000000000-mapping.dmp

Download
memory/2484-146-0x00007FFC106D0000-0x00007FFC11191000-memory.dmp

Filesize
10.8MB

Download
memory/2484-147-0x00007FFC106D0000-0x00007FFC11191000-memory.dmp

Filesize
10.8MB

Download
memory/2484-148-0x00007FFC106D0000-0x00007FFC11191000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads