dcrat | fc7ca5dbd9e3d228416ea9725c7283d105d75533f7a4e069d89f2632840e1a5d

General

Target

PZCheat.exe
Size

1.5MB
MD5

164ba5ee6f6b30539e874248ccfa4c05
SHA1

6b14ed8dab712359453779f2896e1cbad78871d7
SHA256

fc7ca5dbd9e3d228416ea9725c7283d105d75533f7a4e069d89f2632840e1a5d
SHA512

c9b2eef0e4499832f9c4eca8b503f17f4cc7589d0d2b12fe82572ad5df23e85cef9267bdc24928b7ac6df0fff70fe49d2422d6e9a549f07a74c8f9bd47892cfc
SSDEEP

24576:B2G/nvxW3WLRnhzLfSRyBWkNUk9tJIzxIq2+kt3S5wFAiQuwV4ilByjNTVu1:BbA3+p9SRyBW0Tty2E5wFzQuo4iupRu1

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	4876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	4876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	4876	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4452-140-0x00000000000B0000-0x000000000046C000-memory.dmp	dcrat
behavioral2/memory/4452-147-0x00000000000B0000-0x000000000046C000-memory.dmp	dcrat
behavioral2/memory/676-148-0x0000000000450000-0x000000000080C000-memory.dmp	dcrat
behavioral2/memory/676-149-0x0000000000450000-0x000000000080C000-memory.dmp	dcrat
behavioral2/memory/676-151-0x0000000000450000-0x000000000080C000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

containersavesCrt.exetaskhostw.exe

pid process

4452 containersavesCrt.exe
676 taskhostw.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PZCheat.exeWScript.execontainersavesCrt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	PZCheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	containersavesCrt.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

containersavesCrt.exetaskhostw.exe

pid	process
4452	containersavesCrt.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe

Drops file in Program Files directory 3 IoCs

Processes:

containersavesCrt.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\taskhostw.exe	containersavesCrt.exe
File opened for modification	C:\Program Files\Uninstall Information\taskhostw.exe	containersavesCrt.exe
File created	C:\Program Files\Uninstall Information\ea9f0e6c9e2dcd	containersavesCrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4932 schtasks.exe
1960 schtasks.exe
4120 schtasks.exe
1088 schtasks.exe
4428 schtasks.exe
4116 schtasks.exe
Modifies registry class 1 IoCs

Processes:

PZCheat.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings PZCheat.exe

pid	process
4932	schtasks.exe
1960	schtasks.exe
4120	schtasks.exe
1088	schtasks.exe
4428	schtasks.exe
4116	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	PZCheat.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

containersavesCrt.exetaskhostw.exe

pid	process
4452	containersavesCrt.exe
4452	containersavesCrt.exe
4452	containersavesCrt.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe
676	taskhostw.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskhostw.exe

pid process

676 taskhostw.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

containersavesCrt.exetaskhostw.exe

description pid process

Token: SeDebugPrivilege 4452 containersavesCrt.exe
Token: SeDebugPrivilege 676 taskhostw.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

containersavesCrt.exetaskhostw.exe

pid process

4452 containersavesCrt.exe
676 taskhostw.exe

pid	process
676	taskhostw.exe

description	pid	process
Token: SeDebugPrivilege	4452	containersavesCrt.exe
Token: SeDebugPrivilege	676	taskhostw.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PZCheat.exeWScript.execmd.execontainersavesCrt.exe

description	pid	process	target process
PID 4392 wrote to memory of 2196	4392	PZCheat.exe	WScript.exe
PID 4392 wrote to memory of 2196	4392	PZCheat.exe	WScript.exe
PID 4392 wrote to memory of 2196	4392	PZCheat.exe	WScript.exe
PID 2196 wrote to memory of 2760	2196	WScript.exe	cmd.exe
PID 2196 wrote to memory of 2760	2196	WScript.exe	cmd.exe
PID 2196 wrote to memory of 2760	2196	WScript.exe	cmd.exe
PID 2760 wrote to memory of 4452	2760	cmd.exe	containersavesCrt.exe
PID 2760 wrote to memory of 4452	2760	cmd.exe	containersavesCrt.exe
PID 2760 wrote to memory of 4452	2760	cmd.exe	containersavesCrt.exe
PID 4452 wrote to memory of 676	4452	containersavesCrt.exe	taskhostw.exe
PID 4452 wrote to memory of 676	4452	containersavesCrt.exe	taskhostw.exe
PID 4452 wrote to memory of 676	4452	containersavesCrt.exe	taskhostw.exe

C:\Users\Admin\AppData\Local\Temp\PZCheat.exe
"C:\Users\Admin\AppData\Local\Temp\PZCheat.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\surrogateContainerhostcrtDll\qAjDBhKogos2S0J68ty6.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\surrogateContainerhostcrtDll\fba6WO2dA9UqWb6NlbxSa.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\surrogateContainerhostcrtDll\containersavesCrt.exe
"C:\surrogateContainerhostcrtDll\containersavesCrt.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4452

C:\Program Files\Uninstall Information\taskhostw.exe
"C:\Program Files\Uninstall Information\taskhostw.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Uninstall Information\taskhostw.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
C:\Program Files\Uninstall Information\taskhostw.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
C:\surrogateContainerhostcrtDll\containersavesCrt.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
C:\surrogateContainerhostcrtDll\containersavesCrt.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
C:\surrogateContainerhostcrtDll\fba6WO2dA9UqWb6NlbxSa.bat

Filesize
55B

MD5
f1a7c3c3ddb14918973adcec0ca793e5

SHA1
cd8dc923af6be2083d0a41f69fb32c9a08b2ea7a

SHA256
ed360b14dbbe3a7a03e882f0bd9b892af8357642fcbb296e62bac96112d4a526

SHA512
472f2d9d775d7b3a9a17fc8327040438e591ffbaaf87be8353a4e02446bd5ee805ce39fa2c57f1b32ca6f971210fba6532d3b993b7f861a6dd49edb0986dbccf

Download Submit
C:\surrogateContainerhostcrtDll\qAjDBhKogos2S0J68ty6.vbe

Filesize
226B

MD5
6a5882c4cb8293cb361d7f95c51de59e

SHA1
48662867659024019cfc01e2e4731f9efaa83c67

SHA256
1ce3ab815dfa8ab817dab9bb42c012e940041735fa4f2064f780cd44b7a5c0a2

SHA512
e5c5940e4f1358688df06cb84ab1b9ea3a26a336ccbef7b02b0c40cb6477894855c8513f037ec602b4fce7a72f4a54b4f4ccf314437b595521aa4b3d4f21fe9f

Download Submit
memory/676-150-0x0000000000450000-0x000000000080C000-memory.dmp

Filesize
3.7MB

Download
memory/676-152-0x0000000006320000-0x0000000006360000-memory.dmp

Filesize
256KB

Download
memory/676-151-0x0000000000450000-0x000000000080C000-memory.dmp

Filesize
3.7MB

Download
memory/676-148-0x0000000000450000-0x000000000080C000-memory.dmp

Filesize
3.7MB

Download
memory/676-149-0x0000000000450000-0x000000000080C000-memory.dmp

Filesize
3.7MB

Download
memory/676-144-0x0000000000000000-mapping.dmp

Download
memory/676-153-0x0000000007820000-0x00000000078B2000-memory.dmp

Filesize
584KB

Download
memory/2196-132-0x0000000000000000-mapping.dmp

Download
memory/2760-135-0x0000000000000000-mapping.dmp

Download
memory/4452-142-0x0000000006980000-0x0000000006A82000-memory.dmp

Filesize
1.0MB

Download
memory/4452-147-0x00000000000B0000-0x000000000046C000-memory.dmp

Filesize
3.7MB

Download
memory/4452-143-0x0000000006B00000-0x0000000006B66000-memory.dmp

Filesize
408KB

Download
memory/4452-141-0x0000000006B70000-0x0000000007114000-memory.dmp

Filesize
5.6MB

Download
memory/4452-140-0x00000000000B0000-0x000000000046C000-memory.dmp

Filesize
3.7MB

Download
memory/4452-139-0x00000000000B0000-0x000000000046C000-memory.dmp

Filesize
3.7MB

Download
memory/4452-136-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads