dcrat | f729b1f245206764aec8b16491884978effc91030735430d5d906c06c4761a5c

General

Target

25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Size

532KB
MD5

7fbdb2f5c7830894d0436a8291e1231f
SHA1

22a13d9bacb8dcf04eb0260999f75fed68d21d0a
SHA256

25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152
SHA512

186f41e9bf79dd0e3711c95d2a73ac734efe83b2321f4f5cd920bf21e95c4075829780d91adbce471335a76cc786a68d8162447b6032465def9d54e8e6b36c1d
SSDEEP

12288:KqnOG4bunLVYAN2ehGtdd3vzQ2JzgW8Lntk:K+OG4bcYAnhGl3U2Jz

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\CertPolEng\\sppsvc.exe\", \"C:\\Users\\Public\\Desktop\\spoolsv.exe\", \"C:\\Users\\Admin\\Videos\\Idle.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\CertPolEng\\sppsvc.exe\", \"C:\\Users\\Public\\Desktop\\spoolsv.exe\", \"C:\\Users\\Admin\\Videos\\Idle.exe\", \"C:\\Documents and Settings\\25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\CertPolEng\\sppsvc.exe\", \"C:\\Users\\Public\\Desktop\\spoolsv.exe\", \"C:\\Users\\Admin\\Videos\\Idle.exe\", \"C:\\Documents and Settings\\25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe\", \"C:\\Documents and Settings\\lsass.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\CertPolEng\\sppsvc.exe\", \"C:\\Users\\Public\\Desktop\\spoolsv.exe\", \"C:\\Users\\Admin\\Videos\\Idle.exe\", \"C:\\Documents and Settings\\25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe\", \"C:\\Documents and Settings\\lsass.exe\", \"C:\\Windows\\notepad\\explorer.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\CertPolEng\\sppsvc.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\CertPolEng\\sppsvc.exe\", \"C:\\Users\\Public\\Desktop\\spoolsv.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1428-54-0x0000000000920000-0x00000000009AC000-memory.dmp	dcrat
C:\Users\Public\Desktop\spoolsv.exe	dcrat
C:\Users\Public\Desktop\spoolsv.exe	dcrat
behavioral1/memory/1524-69-0x00000000002D0000-0x000000000035C000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

spoolsv.exe

pid process

1524 spoolsv.exe

pid	process
1524	spoolsv.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Documents and Settings\\lsass.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Documents and Settings\\lsass.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\CertPolEng\\sppsvc.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\Desktop\\spoolsv.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Videos\\Idle.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152 = "\"C:\\Documents and Settings\\25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152 = "\"C:\\Documents and Settings\\25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\CertPolEng\\sppsvc.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\Desktop\\spoolsv.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Videos\\Idle.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\notepad\\explorer.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\notepad\\explorer.exe\""	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe

Drops file in System32 directory 3 IoCs

Processes:

25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe

description	ioc	process
File created	C:\Windows\System32\CertPolEng\sppsvc.exe	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
File opened for modification	C:\Windows\System32\CertPolEng\sppsvc.exe	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
File created	C:\Windows\System32\CertPolEng\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe

Drops file in Windows directory 2 IoCs

Processes:

25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe

description	ioc	process
File created	C:\Windows\notepad\explorer.exe	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
File created	C:\Windows\notepad\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2032 schtasks.exe
272 schtasks.exe
556 schtasks.exe
616 schtasks.exe
1172 schtasks.exe
1504 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

108 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exespoolsv.exe

pid process

1428 25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
1524 spoolsv.exe

pid	process
2032	schtasks.exe
272	schtasks.exe
556	schtasks.exe
616	schtasks.exe
1172	schtasks.exe
1504	schtasks.exe

pid	process
108	PING.EXE

pid	process
1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
1524	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exespoolsv.exe

description	pid	process
Token: SeDebugPrivilege	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
Token: SeDebugPrivilege	1524	spoolsv.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.execmd.exe

description	pid	process	target process
PID 1428 wrote to memory of 2032	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 2032	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 2032	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 272	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 272	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 272	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 556	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 556	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 556	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 616	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 616	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 616	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 1172	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 1172	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 1172	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 1504	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 1504	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 1504	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	schtasks.exe
PID 1428 wrote to memory of 1624	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	cmd.exe
PID 1428 wrote to memory of 1624	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	cmd.exe
PID 1428 wrote to memory of 1624	1428	25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe	cmd.exe
PID 1624 wrote to memory of 1744	1624	cmd.exe	chcp.com
PID 1624 wrote to memory of 1744	1624	cmd.exe	chcp.com
PID 1624 wrote to memory of 1744	1624	cmd.exe	chcp.com
PID 1624 wrote to memory of 108	1624	cmd.exe	PING.EXE
PID 1624 wrote to memory of 108	1624	cmd.exe	PING.EXE
PID 1624 wrote to memory of 108	1624	cmd.exe	PING.EXE
PID 1624 wrote to memory of 1524	1624	cmd.exe	spoolsv.exe
PID 1624 wrote to memory of 1524	1624	cmd.exe	spoolsv.exe
PID 1624 wrote to memory of 1524	1624	cmd.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe
"C:\Users\Admin\AppData\Local\Temp\25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\CertPolEng\sppsvc.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:272

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Videos\Idle.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152" /sc ONLOGON /tr "'C:\Documents and Settings\25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:616

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Documents and Settings\lsass.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\notepad\explorer.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\49wBhIhsvn.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1744

C:\Windows\system32\PING.EXE
ping -n 5 localhost
3⤵
- Runs ping.exe
PID:108

C:\Users\Public\Desktop\spoolsv.exe
"C:\Users\Public\Desktop\spoolsv.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\49wBhIhsvn.bat

Filesize
201B

MD5
ff4325bcb8ecb86f96c8048975523922

SHA1
23a70b8dc42fb0761f7810b2b3ee287e23482be6

SHA256
c8b25e411c39bab8ae74c14940e20524cdbd8730aa208c17d07d233ad932e33d

SHA512
0d5d91582afcebc467e0abdcc92348ac36e97639c347729f827b07f610d372274e979c0aa32b7036240c343a68eb910a8c0a098a9737b9853af825bd57d5cb7a

Download Submit
C:\Users\Public\Desktop\spoolsv.exe

Filesize
532KB

MD5
7fbdb2f5c7830894d0436a8291e1231f

SHA1
22a13d9bacb8dcf04eb0260999f75fed68d21d0a

SHA256
25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152

SHA512
186f41e9bf79dd0e3711c95d2a73ac734efe83b2321f4f5cd920bf21e95c4075829780d91adbce471335a76cc786a68d8162447b6032465def9d54e8e6b36c1d

Download Submit
C:\Users\Public\Desktop\spoolsv.exe

Filesize
532KB

MD5
7fbdb2f5c7830894d0436a8291e1231f

SHA1
22a13d9bacb8dcf04eb0260999f75fed68d21d0a

SHA256
25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152

SHA512
186f41e9bf79dd0e3711c95d2a73ac734efe83b2321f4f5cd920bf21e95c4075829780d91adbce471335a76cc786a68d8162447b6032465def9d54e8e6b36c1d

Download Submit
memory/108-65-0x0000000000000000-mapping.dmp

Download
memory/272-56-0x0000000000000000-mapping.dmp

Download
memory/556-57-0x0000000000000000-mapping.dmp

Download
memory/616-58-0x0000000000000000-mapping.dmp

Download
memory/1172-59-0x0000000000000000-mapping.dmp

Download
memory/1428-61-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/1428-54-0x0000000000920000-0x00000000009AC000-memory.dmp

Filesize
560KB

Download
memory/1504-60-0x0000000000000000-mapping.dmp

Download
memory/1524-67-0x0000000000000000-mapping.dmp

Download
memory/1524-69-0x00000000002D0000-0x000000000035C000-memory.dmp

Filesize
560KB

Download
memory/1624-62-0x0000000000000000-mapping.dmp

Download
memory/1744-64-0x0000000000000000-mapping.dmp

Download
memory/2032-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads