dcrat | 9a15e76ca3d8fe65e5bb57588b186b6ba8602509c0b4c8d18955dfc73b7c2e36

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-02-2023 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-9a15e76ca3d8.exe
Size

1.4MB
MD5

7472b67b4bb85e3aefc12555fec10f36
SHA1

e7730285a02fe26e27ea752a84306c4229e8e623
SHA256

9a15e76ca3d8fe65e5bb57588b186b6ba8602509c0b4c8d18955dfc73b7c2e36
SHA512

07b9ace8dc62f85b66be782d4674ac08926a2e96f29c9cd6635063cba21c7ccdf49db94a1a7d100868473ee046e9fb03463ae818488f73feac764398297afd69
SSDEEP

24576:U2G/nvxW3Ww0t5OX6SP7prgJDBT5HHcwsQMghdR/O483h4vAe+4R:UbA30CdeDBT5cbQhnbku

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeintoRuntimeBrokerPerfsvcreviewHost.exeschtasks.exeschtasks.exe

pid	process
1548	schtasks.exe
1552	schtasks.exe
592	schtasks.exe
392	schtasks.exe
File created	C:\Windows\System32\msxml3r\wininit.exe	intoRuntimeBrokerPerfsvcreviewHost.exe
584	schtasks.exe
276	schtasks.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	1860	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	1860	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1860	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1860	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1860	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	1860	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\intoRuntimeBrokerPerfsvc\intoRuntimeBrokerPerfsvcreviewHost.exe	dcrat
\intoRuntimeBrokerPerfsvc\intoRuntimeBrokerPerfsvcreviewHost.exe	dcrat
C:\intoRuntimeBrokerPerfsvc\intoRuntimeBrokerPerfsvcreviewHost.exe	dcrat
\intoRuntimeBrokerPerfsvc\intoRuntimeBrokerPerfsvcreviewHost.exe	dcrat
behavioral1/memory/1428-65-0x0000000001200000-0x0000000001318000-memory.dmp	dcrat
C:\Windows\System32\msxml3r\wininit.exe	dcrat
C:\Windows\System32\msxml3r\wininit.exe	dcrat
behavioral1/memory/1036-73-0x0000000000350000-0x0000000000468000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

intoRuntimeBrokerPerfsvcreviewHost.exewininit.exe

pid process

1428 intoRuntimeBrokerPerfsvcreviewHost.exe
1036 wininit.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1468 cmd.exe
1468 cmd.exe

pid	process
1428	intoRuntimeBrokerPerfsvcreviewHost.exe
1036	wininit.exe

pid	process
1468	cmd.exe
1468	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

intoRuntimeBrokerPerfsvcreviewHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\sppnp\\csrss.exe\""	intoRuntimeBrokerPerfsvcreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\dcomcnfg\\services.exe\""	intoRuntimeBrokerPerfsvcreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\vmictimeprovider\\conhost.exe\""	intoRuntimeBrokerPerfsvcreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\winbio\\lsass.exe\""	intoRuntimeBrokerPerfsvcreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\winbrand\\conhost.exe\""	intoRuntimeBrokerPerfsvcreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\msxml3r\\wininit.exe\""	intoRuntimeBrokerPerfsvcreviewHost.exe

Drops file in System32 directory 13 IoCs

Processes:

intoRuntimeBrokerPerfsvcreviewHost.exe

description	ioc	process
File created	C:\Windows\System32\winbio\lsass.exe	intoRuntimeBrokerPerfsvcreviewHost.exe
File created	C:\Windows\System32\winbrand\conhost.exe	intoRuntimeBrokerPerfsvcreviewHost.exe
File created	C:\Windows\System32\msxml3r\wininit.exe	intoRuntimeBrokerPerfsvcreviewHost.exe
File opened for modification	C:\Windows\System32\msxml3r\wininit.exe	intoRuntimeBrokerPerfsvcreviewHost.exe
File created	C:\Windows\System32\sppnp\csrss.exe	intoRuntimeBrokerPerfsvcreviewHost.exe
File created	C:\Windows\System32\dcomcnfg\services.exe	intoRuntimeBrokerPerfsvcreviewHost.exe
File created	C:\Windows\System32\vmictimeprovider\088424020bedd6b28ac7fd22ee35dcd7322895ce	intoRuntimeBrokerPerfsvcreviewHost.exe
File created	C:\Windows\System32\winbrand\088424020bedd6b28ac7fd22ee35dcd7322895ce	intoRuntimeBrokerPerfsvcreviewHost.exe
File created	C:\Windows\System32\msxml3r\560854153607923c4c5f107085a7db67be01f252	intoRuntimeBrokerPerfsvcreviewHost.exe
File created	C:\Windows\System32\sppnp\886983d96e3d3e31032c679b2d4ea91b6c05afef	intoRuntimeBrokerPerfsvcreviewHost.exe
File created	C:\Windows\System32\dcomcnfg\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	intoRuntimeBrokerPerfsvcreviewHost.exe
File created	C:\Windows\System32\vmictimeprovider\conhost.exe	intoRuntimeBrokerPerfsvcreviewHost.exe
File created	C:\Windows\System32\winbio\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	intoRuntimeBrokerPerfsvcreviewHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1548 schtasks.exe
1552 schtasks.exe
592 schtasks.exe
392 schtasks.exe
584 schtasks.exe
276 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

intoRuntimeBrokerPerfsvcreviewHost.exewininit.exe

pid process

1428 intoRuntimeBrokerPerfsvcreviewHost.exe
1036 wininit.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

intoRuntimeBrokerPerfsvcreviewHost.exewininit.exe

description pid process

Token: SeDebugPrivilege 1428 intoRuntimeBrokerPerfsvcreviewHost.exe
Token: SeDebugPrivilege 1036 wininit.exe

pid	process
1548	schtasks.exe
1552	schtasks.exe
592	schtasks.exe
392	schtasks.exe
584	schtasks.exe
276	schtasks.exe

pid	process
1428	intoRuntimeBrokerPerfsvcreviewHost.exe
1036	wininit.exe

description	pid	process
Token: SeDebugPrivilege	1428	intoRuntimeBrokerPerfsvcreviewHost.exe
Token: SeDebugPrivilege	1036	wininit.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-9a15e76ca3d8.exeWScript.execmd.exeintoRuntimeBrokerPerfsvcreviewHost.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 884	2036	HEUR-Trojan-Spy.MSIL.Stealer.gen-9a15e76ca3d8.exe	WScript.exe
PID 2036 wrote to memory of 884	2036	HEUR-Trojan-Spy.MSIL.Stealer.gen-9a15e76ca3d8.exe	WScript.exe
PID 2036 wrote to memory of 884	2036	HEUR-Trojan-Spy.MSIL.Stealer.gen-9a15e76ca3d8.exe	WScript.exe
PID 2036 wrote to memory of 884	2036	HEUR-Trojan-Spy.MSIL.Stealer.gen-9a15e76ca3d8.exe	WScript.exe
PID 884 wrote to memory of 1468	884	WScript.exe	cmd.exe
PID 884 wrote to memory of 1468	884	WScript.exe	cmd.exe
PID 884 wrote to memory of 1468	884	WScript.exe	cmd.exe
PID 884 wrote to memory of 1468	884	WScript.exe	cmd.exe
PID 1468 wrote to memory of 1428	1468	cmd.exe	intoRuntimeBrokerPerfsvcreviewHost.exe
PID 1468 wrote to memory of 1428	1468	cmd.exe	intoRuntimeBrokerPerfsvcreviewHost.exe
PID 1468 wrote to memory of 1428	1468	cmd.exe	intoRuntimeBrokerPerfsvcreviewHost.exe
PID 1468 wrote to memory of 1428	1468	cmd.exe	intoRuntimeBrokerPerfsvcreviewHost.exe
PID 1428 wrote to memory of 1636	1428	intoRuntimeBrokerPerfsvcreviewHost.exe	cmd.exe
PID 1428 wrote to memory of 1636	1428	intoRuntimeBrokerPerfsvcreviewHost.exe	cmd.exe
PID 1428 wrote to memory of 1636	1428	intoRuntimeBrokerPerfsvcreviewHost.exe	cmd.exe
PID 1636 wrote to memory of 1020	1636	cmd.exe	chcp.com
PID 1636 wrote to memory of 1020	1636	cmd.exe	chcp.com
PID 1636 wrote to memory of 1020	1636	cmd.exe	chcp.com
PID 1636 wrote to memory of 568	1636	cmd.exe	w32tm.exe
PID 1636 wrote to memory of 568	1636	cmd.exe	w32tm.exe
PID 1636 wrote to memory of 568	1636	cmd.exe	w32tm.exe
PID 1636 wrote to memory of 1036	1636	cmd.exe	wininit.exe
PID 1636 wrote to memory of 1036	1636	cmd.exe	wininit.exe
PID 1636 wrote to memory of 1036	1636	cmd.exe	wininit.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-9a15e76ca3d8.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-9a15e76ca3d8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intoRuntimeBrokerPerfsvc\Kse9GvoG6zztWApcqT09IoZvt.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\intoRuntimeBrokerPerfsvc\VWQpcgPADyKkuxJVEzL5.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468

C:\intoRuntimeBrokerPerfsvc\intoRuntimeBrokerPerfsvcreviewHost.exe
"C:\intoRuntimeBrokerPerfsvc\intoRuntimeBrokerPerfsvcreviewHost.exe"
4⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vFnISYzBpQ.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1020

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:568

C:\Windows\System32\msxml3r\wininit.exe
"C:\Windows\System32\msxml3r\wininit.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\msxml3r\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\sppnp\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\dcomcnfg\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\vmictimeprovider\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\winbio\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\winbrand\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vFnISYzBpQ.bat

Filesize
255B

MD5
257d291bcf1210d862e2c03ee404acd8

SHA1
6bb601d92b80657719aa9000392c33403f835cbc

SHA256
d74598b69de568f8347597dd473c223cdc93728c77fdc14aad0357058f7a0ea1

SHA512
00c6ae69e7c6134930a2196735425b9e25d6cd1ca3c3a8e79e926ca7c2a1952f9d90db7adc917ac956d957cf45cbe055304bb1610dabba07d4c21a202c85d897

Download Submit
C:\Windows\System32\msxml3r\wininit.exe

Filesize
1.1MB

MD5
4d3227c49bb3db6940a04296e0c7ad1b

SHA1
21a152feb2ef0ffba34587b63a832bf47c696be5

SHA256
a7c4851eb45e364c5d00a0ac9604be177f5ce178525599f63995e3527ef4a93b

SHA512
1718378593be5159e53ff7ba36b5fe4eb72869cc9a9a05b100eda0414bc416ef65fefdb5a454e7948fab486897de91f0e245cfaed0539aebd1c98e0ce988f058

Download Submit
C:\Windows\System32\msxml3r\wininit.exe

Filesize
1.1MB

MD5
4d3227c49bb3db6940a04296e0c7ad1b

SHA1
21a152feb2ef0ffba34587b63a832bf47c696be5

SHA256
a7c4851eb45e364c5d00a0ac9604be177f5ce178525599f63995e3527ef4a93b

SHA512
1718378593be5159e53ff7ba36b5fe4eb72869cc9a9a05b100eda0414bc416ef65fefdb5a454e7948fab486897de91f0e245cfaed0539aebd1c98e0ce988f058

Download Submit
C:\intoRuntimeBrokerPerfsvc\Kse9GvoG6zztWApcqT09IoZvt.vbe

Filesize
221B

MD5
ee7a0ca43d3e2f06f4ffb7a3b81dee6e

SHA1
5f455c15d61e0fcf7a8cf0b34e13a129eaf21983

SHA256
bf5c167ad7cc9e829947f95bcf822a50d6584b70c7df3a5d3a5efb0097969746

SHA512
790202d75fa39b94f73abed09df2b86b569ec51cf13d76e5ce25071a70f51646f6c993a53dc0c8537042d17f79744200f9a8bdcfd28bd075a4c452d23f3fbeed

Download Submit
C:\intoRuntimeBrokerPerfsvc\VWQpcgPADyKkuxJVEzL5.bat

Filesize
68B

MD5
e46f01b0317b956c45b23d23af2c653b

SHA1
6632672bddb08844eed580deef1e63e937b7e16e

SHA256
bbabc7715a4d359f192f2b43f65157151d74f29eaf6dd2fae8356e9f93d4e25a

SHA512
2be651ea68f605734820c38c62e58a5bc5c357483a33e0be3a13fac1261d0ebc7468c2ba887244721355e8dc4dae1c7879379612a5bbd98c7a377944d74ce0dc

Download Submit
C:\intoRuntimeBrokerPerfsvc\intoRuntimeBrokerPerfsvcreviewHost.exe

Filesize
1.1MB

MD5
4d3227c49bb3db6940a04296e0c7ad1b

SHA1
21a152feb2ef0ffba34587b63a832bf47c696be5

SHA256
a7c4851eb45e364c5d00a0ac9604be177f5ce178525599f63995e3527ef4a93b

SHA512
1718378593be5159e53ff7ba36b5fe4eb72869cc9a9a05b100eda0414bc416ef65fefdb5a454e7948fab486897de91f0e245cfaed0539aebd1c98e0ce988f058

Download Submit
C:\intoRuntimeBrokerPerfsvc\intoRuntimeBrokerPerfsvcreviewHost.exe

Filesize
1.1MB

MD5
4d3227c49bb3db6940a04296e0c7ad1b

SHA1
21a152feb2ef0ffba34587b63a832bf47c696be5

SHA256
a7c4851eb45e364c5d00a0ac9604be177f5ce178525599f63995e3527ef4a93b

SHA512
1718378593be5159e53ff7ba36b5fe4eb72869cc9a9a05b100eda0414bc416ef65fefdb5a454e7948fab486897de91f0e245cfaed0539aebd1c98e0ce988f058

Download Submit
\intoRuntimeBrokerPerfsvc\intoRuntimeBrokerPerfsvcreviewHost.exe

Filesize
1.1MB

MD5
4d3227c49bb3db6940a04296e0c7ad1b

SHA1
21a152feb2ef0ffba34587b63a832bf47c696be5

SHA256
a7c4851eb45e364c5d00a0ac9604be177f5ce178525599f63995e3527ef4a93b

SHA512
1718378593be5159e53ff7ba36b5fe4eb72869cc9a9a05b100eda0414bc416ef65fefdb5a454e7948fab486897de91f0e245cfaed0539aebd1c98e0ce988f058

Download Submit
\intoRuntimeBrokerPerfsvc\intoRuntimeBrokerPerfsvcreviewHost.exe

Filesize
1.1MB

MD5
4d3227c49bb3db6940a04296e0c7ad1b

SHA1
21a152feb2ef0ffba34587b63a832bf47c696be5

SHA256
a7c4851eb45e364c5d00a0ac9604be177f5ce178525599f63995e3527ef4a93b

SHA512
1718378593be5159e53ff7ba36b5fe4eb72869cc9a9a05b100eda0414bc416ef65fefdb5a454e7948fab486897de91f0e245cfaed0539aebd1c98e0ce988f058

Download Submit
memory/568-69-0x0000000000000000-mapping.dmp

Download
memory/884-55-0x0000000000000000-mapping.dmp

Download
memory/1020-68-0x0000000000000000-mapping.dmp

Download
memory/1036-71-0x0000000000000000-mapping.dmp

Download
memory/1036-73-0x0000000000350000-0x0000000000468000-memory.dmp

Filesize
1.1MB

Download
memory/1428-63-0x0000000000000000-mapping.dmp

Download
memory/1428-65-0x0000000001200000-0x0000000001318000-memory.dmp

Filesize
1.1MB

Download
memory/1468-59-0x0000000000000000-mapping.dmp

Download
memory/1636-66-0x0000000000000000-mapping.dmp

Download
memory/2036-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download