dcrat | a7c4851eb45e364c5d00a0ac9604be177f5ce178525599f63995e3527ef4a93b

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe
Size

1.1MB
MD5

4d3227c49bb3db6940a04296e0c7ad1b
SHA1

21a152feb2ef0ffba34587b63a832bf47c696be5
SHA256

a7c4851eb45e364c5d00a0ac9604be177f5ce178525599f63995e3527ef4a93b
SHA512

1718378593be5159e53ff7ba36b5fe4eb72869cc9a9a05b100eda0414bc416ef65fefdb5a454e7948fab486897de91f0e245cfaed0539aebd1c98e0ce988f058
SSDEEP

24576:tOX6SP7prgJDBT5HHcwsQMghdR/O483h4vAe+4:edeDBT5cbQhnbk

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	940	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/788-54-0x0000000000E60000-0x0000000000F78000-memory.dmp	dcrat
C:\Users\Public\Recorded TV\sppsvc.exe	dcrat
C:\Users\Public\Recorded TV\sppsvc.exe	dcrat
behavioral1/memory/1856-63-0x0000000000DF0000-0x0000000000F08000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

sppsvc.exe

pid process

1856 sppsvc.exe

pid	process
1856	sppsvc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Templates\\csrss.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Recorded TV\\sppsvc.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\hidphone\\dwm.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe

Drops file in System32 directory 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe

description	ioc	process
File created	C:\Windows\System32\hidphone\dwm.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe
File created	C:\Windows\System32\hidphone\6cb0b6c459d5d3455a3da700e713f2e2529862ff	HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1928 schtasks.exe
1092 schtasks.exe
1364 schtasks.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

sppsvc.exe

pid process

1856 sppsvc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exesppsvc.exe

pid process

788 HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe
1856 sppsvc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exesppsvc.exe

description pid process

Token: SeDebugPrivilege 788 HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe
Token: SeDebugPrivilege 1856 sppsvc.exe

pid	process
1928	schtasks.exe
1092	schtasks.exe
1364	schtasks.exe

pid	process
1856	sppsvc.exe

pid	process
788	HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe
1856	sppsvc.exe

description	pid	process
Token: SeDebugPrivilege	788	HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe
Token: SeDebugPrivilege	1856	sppsvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.execmd.exe

description	pid	process	target process
PID 788 wrote to memory of 1748	788	HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe	cmd.exe
PID 788 wrote to memory of 1748	788	HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe	cmd.exe
PID 788 wrote to memory of 1748	788	HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe	cmd.exe
PID 1748 wrote to memory of 316	1748	cmd.exe	chcp.com
PID 1748 wrote to memory of 316	1748	cmd.exe	chcp.com
PID 1748 wrote to memory of 316	1748	cmd.exe	chcp.com
PID 1748 wrote to memory of 1464	1748	cmd.exe	w32tm.exe
PID 1748 wrote to memory of 1464	1748	cmd.exe	w32tm.exe
PID 1748 wrote to memory of 1464	1748	cmd.exe	w32tm.exe
PID 1748 wrote to memory of 1856	1748	cmd.exe	sppsvc.exe
PID 1748 wrote to memory of 1856	1748	cmd.exe	sppsvc.exe
PID 1748 wrote to memory of 1856	1748	cmd.exe	sppsvc.exe
PID 1748 wrote to memory of 1856	1748	cmd.exe	sppsvc.exe
PID 1748 wrote to memory of 1856	1748	cmd.exe	sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-a7c4851eb45e.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ak7g01k3cv.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:316

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1464

C:\Users\Public\Recorded TV\sppsvc.exe
"C:\Users\Public\Recorded TV\sppsvc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\hidphone\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ak7g01k3cv.bat

Filesize
254B

MD5
5e250122cade80822b07a9687d8dd385

SHA1
989f5f2148d32aed00955c05c6ebaa4dddeb0b4d

SHA256
6a740122d3b4e8c90ded8dba9edb5df9f64f0f06a079a68b413838a122a73f6d

SHA512
59e7c6bb3bb928cd3d9cf7bc5afb61fc260e8d795b43a6552b8b691f949530f2f44a450b58eea9f27c0b927f4c7bb70c836df46f6874407ac8f12a96ab791eee

Download Submit
C:\Users\Public\Recorded TV\sppsvc.exe

Filesize
1.1MB

MD5
4d3227c49bb3db6940a04296e0c7ad1b

SHA1
21a152feb2ef0ffba34587b63a832bf47c696be5

SHA256
a7c4851eb45e364c5d00a0ac9604be177f5ce178525599f63995e3527ef4a93b

SHA512
1718378593be5159e53ff7ba36b5fe4eb72869cc9a9a05b100eda0414bc416ef65fefdb5a454e7948fab486897de91f0e245cfaed0539aebd1c98e0ce988f058

Download Submit
C:\Users\Public\Recorded TV\sppsvc.exe

Filesize
1.1MB

MD5
4d3227c49bb3db6940a04296e0c7ad1b

SHA1
21a152feb2ef0ffba34587b63a832bf47c696be5

SHA256
a7c4851eb45e364c5d00a0ac9604be177f5ce178525599f63995e3527ef4a93b

SHA512
1718378593be5159e53ff7ba36b5fe4eb72869cc9a9a05b100eda0414bc416ef65fefdb5a454e7948fab486897de91f0e245cfaed0539aebd1c98e0ce988f058

Download Submit
memory/316-58-0x0000000000000000-mapping.dmp

Download
memory/788-54-0x0000000000E60000-0x0000000000F78000-memory.dmp

Filesize
1.1MB

Download
memory/788-55-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1464-59-0x0000000000000000-mapping.dmp

Download
memory/1748-56-0x0000000000000000-mapping.dmp

Download
memory/1856-61-0x0000000000000000-mapping.dmp

Download
memory/1856-63-0x0000000000DF0000-0x0000000000F08000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads