dcrat | 1fd9be727b7e58a9bb3fce45e8bd8925d471725ca2a86e102e2adb44da28e5c7

Analysis

max time kernel
52s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23726a41d7c42dfbec508e8203659e41.exe
Size

2.5MB
MD5

23726a41d7c42dfbec508e8203659e41
SHA1

f17e7dd847cbdff1743301b15a567116e5a56cb0
SHA256

1fd9be727b7e58a9bb3fce45e8bd8925d471725ca2a86e102e2adb44da28e5c7
SHA512

80dd3c1bb73b350d78c3638a5e970430fd5fcd1a05023b089c1097ca5593e32dddcc749f96f48b5576d2441d423c5e8aa8a1a575dd5a15c2db2b748c9fd78eff
SSDEEP

49152:tWMazWNh42R1Wtm+DEGZHFUNxD16rtlqsC0btgzPZ+hT7cG:tWMaiNpnsJSjDAhb2zPZSIG

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1664	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1664	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1664	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1664	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1664	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	1664	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1664	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1664	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1664	schtasks.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\componentRuntimeHostDhcp\portcomponentcrt.exe	dcrat
\componentRuntimeHostDhcp\portcomponentcrt.exe	dcrat
C:\componentRuntimeHostDhcp\portcomponentcrt.exe	dcrat
\componentRuntimeHostDhcp\portcomponentcrt.exe	dcrat
behavioral1/memory/1856-73-0x00000000008B0000-0x0000000000A02000-memory.dmp	dcrat
C:\componentRuntimeHostDhcp\explorer.exe	dcrat
C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe	dcrat
C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe	dcrat
behavioral1/memory/1696-93-0x0000000001170000-0x00000000012C2000-memory.dmp	dcrat
behavioral1/memory/1696-94-0x000000001B1E0000-0x000000001B260000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

portcomponentcrt.exespoolsv.exe

pid process

1856 portcomponentcrt.exe
1696 spoolsv.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1524 cmd.exe
1524 cmd.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

23726a41d7c42dfbec508e8203659e41.exe

pid process

1204 23726a41d7c42dfbec508e8203659e41.exe
1204 23726a41d7c42dfbec508e8203659e41.exe

pid	process
1524	cmd.exe
1524	cmd.exe

pid	process
1204	23726a41d7c42dfbec508e8203659e41.exe
1204	23726a41d7c42dfbec508e8203659e41.exe

Drops file in Windows directory 3 IoCs

Processes:

portcomponentcrt.exe

description	ioc	process
File created	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe	portcomponentcrt.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe	portcomponentcrt.exe
File created	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\f3b6ecef712a24	portcomponentcrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1484	schtasks.exe
1652	schtasks.exe
1832	schtasks.exe
428	schtasks.exe
1464	schtasks.exe
1620	schtasks.exe
836	schtasks.exe
1752	schtasks.exe
920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

portcomponentcrt.exespoolsv.exe

pid	process
1856	portcomponentcrt.exe
1696	spoolsv.exe
1696	spoolsv.exe
1696	spoolsv.exe
1696	spoolsv.exe
1696	spoolsv.exe
1696	spoolsv.exe
1696	spoolsv.exe
1696	spoolsv.exe
1696	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

portcomponentcrt.exespoolsv.exe

description pid process

Token: SeDebugPrivilege 1856 portcomponentcrt.exe
Token: SeDebugPrivilege 1696 spoolsv.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

23726a41d7c42dfbec508e8203659e41.exe

pid process

1204 23726a41d7c42dfbec508e8203659e41.exe

description	pid	process
Token: SeDebugPrivilege	1856	portcomponentcrt.exe
Token: SeDebugPrivilege	1696	spoolsv.exe

pid	process
1204	23726a41d7c42dfbec508e8203659e41.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

23726a41d7c42dfbec508e8203659e41.exeWScript.execmd.exeportcomponentcrt.execmd.exe

description	pid	process	target process
PID 1204 wrote to memory of 268	1204	23726a41d7c42dfbec508e8203659e41.exe	WScript.exe
PID 1204 wrote to memory of 268	1204	23726a41d7c42dfbec508e8203659e41.exe	WScript.exe
PID 1204 wrote to memory of 268	1204	23726a41d7c42dfbec508e8203659e41.exe	WScript.exe
PID 1204 wrote to memory of 268	1204	23726a41d7c42dfbec508e8203659e41.exe	WScript.exe
PID 1204 wrote to memory of 1680	1204	23726a41d7c42dfbec508e8203659e41.exe	WScript.exe
PID 1204 wrote to memory of 1680	1204	23726a41d7c42dfbec508e8203659e41.exe	WScript.exe
PID 1204 wrote to memory of 1680	1204	23726a41d7c42dfbec508e8203659e41.exe	WScript.exe
PID 1204 wrote to memory of 1680	1204	23726a41d7c42dfbec508e8203659e41.exe	WScript.exe
PID 268 wrote to memory of 1524	268	WScript.exe	cmd.exe
PID 268 wrote to memory of 1524	268	WScript.exe	cmd.exe
PID 268 wrote to memory of 1524	268	WScript.exe	cmd.exe
PID 268 wrote to memory of 1524	268	WScript.exe	cmd.exe
PID 1524 wrote to memory of 1856	1524	cmd.exe	portcomponentcrt.exe
PID 1524 wrote to memory of 1856	1524	cmd.exe	portcomponentcrt.exe
PID 1524 wrote to memory of 1856	1524	cmd.exe	portcomponentcrt.exe
PID 1524 wrote to memory of 1856	1524	cmd.exe	portcomponentcrt.exe
PID 1856 wrote to memory of 1808	1856	portcomponentcrt.exe	cmd.exe
PID 1856 wrote to memory of 1808	1856	portcomponentcrt.exe	cmd.exe
PID 1856 wrote to memory of 1808	1856	portcomponentcrt.exe	cmd.exe
PID 1808 wrote to memory of 1556	1808	cmd.exe	w32tm.exe
PID 1808 wrote to memory of 1556	1808	cmd.exe	w32tm.exe
PID 1808 wrote to memory of 1556	1808	cmd.exe	w32tm.exe
PID 1808 wrote to memory of 1696	1808	cmd.exe	spoolsv.exe
PID 1808 wrote to memory of 1696	1808	cmd.exe	spoolsv.exe
PID 1808 wrote to memory of 1696	1808	cmd.exe	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\23726a41d7c42dfbec508e8203659e41.exe
"C:\Users\Admin\AppData\Local\Temp\23726a41d7c42dfbec508e8203659e41.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\componentRuntimeHostDhcp\lpjLL7oMJP803Xm.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\componentRuntimeHostDhcp\hr44gNf16S.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524

C:\componentRuntimeHostDhcp\portcomponentcrt.exe
"C:\componentRuntimeHostDhcp\portcomponentcrt.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph3I12I76T.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1556

C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe
"C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\componentRuntimeHostDhcp\file.vbs"
2⤵
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\componentRuntimeHostDhcp\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\componentRuntimeHostDhcp\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\componentRuntimeHostDhcp\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ph3I12I76T.bat
Filesize
224B

MD5
ac0cafebc6a6a513ec71060878c6bd7d

SHA1
6c2283b34f3794b0b38ad9beea13961bd9d84e8a

SHA256
87f184a0232d8acc669b32cb0a79a99a144781bf491ba6feba5c1d0370545af4

SHA512
6306cf6bd862c0e31f827ccf596f9e1f85557d5d957ddd375fff973506d03070a01faa242ce26c488c0f0470cdd8c0ba10599972386a824a79b6908ea3652397

Download Submit
C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe
Filesize
1.3MB

MD5
4cd6be6be55f6d3056c27a359d6b9204

SHA1
d98fd7fba7ac4796567ed69606affd9c188ded75

SHA256
6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af

SHA512
e12dba804d8ddd730185dce84a6de579bb5381bd5e22398362bd7acca6f5d1c1aebf4ee756b67a2401a91c96bbeb9dc9f13a79398022035dd2eee6867535fb28

Download Submit
C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe
Filesize
1.3MB

MD5
4cd6be6be55f6d3056c27a359d6b9204

SHA1
d98fd7fba7ac4796567ed69606affd9c188ded75

SHA256
6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af

SHA512
e12dba804d8ddd730185dce84a6de579bb5381bd5e22398362bd7acca6f5d1c1aebf4ee756b67a2401a91c96bbeb9dc9f13a79398022035dd2eee6867535fb28

Download Submit
C:\componentRuntimeHostDhcp\explorer.exe
Filesize
1.3MB

MD5
4cd6be6be55f6d3056c27a359d6b9204

SHA1
d98fd7fba7ac4796567ed69606affd9c188ded75

SHA256
6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af

SHA512
e12dba804d8ddd730185dce84a6de579bb5381bd5e22398362bd7acca6f5d1c1aebf4ee756b67a2401a91c96bbeb9dc9f13a79398022035dd2eee6867535fb28

Download Submit
C:\componentRuntimeHostDhcp\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\componentRuntimeHostDhcp\hr44gNf16S.bat
Filesize
50B

MD5
292670bfc4df6c8cf94113a795b130a0

SHA1
286ae057e8f0e6e4135c4990bb7f0d004f59eb33

SHA256
ffa0397c92b4feeb89622cf62d14fc2cb1e689916c4311a559290a30fb538377

SHA512
7b772ee73bfc014939f617a4c1bdd87e07dcdd3a8db548627eadd3615955346f15d9538f061b4f840796de6f06d0f04aa4bf2b09848ed8b6ff5c631149032c71

Download Submit
C:\componentRuntimeHostDhcp\lpjLL7oMJP803Xm.vbe
Filesize
211B

MD5
11aeb580adb4f6f0aad02aa48bf2c120

SHA1
470c2c2ff8339c3d696d9864f67874c766e90043

SHA256
bf79d01327c2d1770ea923d6f3bb3cdb55a37ac3556781f0d9c1a83409653092

SHA512
14a6c92a07b4a77980946b3168543065fb9094b4d119d9b56462949de9ac3781ee0d218d1b49310abfcb0df4766179f0b8ef396107eef40dfb4cb83bdae7666e

Download Submit
C:\componentRuntimeHostDhcp\portcomponentcrt.exe
Filesize
1.3MB

MD5
4cd6be6be55f6d3056c27a359d6b9204

SHA1
d98fd7fba7ac4796567ed69606affd9c188ded75

SHA256
6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af

SHA512
e12dba804d8ddd730185dce84a6de579bb5381bd5e22398362bd7acca6f5d1c1aebf4ee756b67a2401a91c96bbeb9dc9f13a79398022035dd2eee6867535fb28

Download Submit
C:\componentRuntimeHostDhcp\portcomponentcrt.exe
Filesize
1.3MB

MD5
4cd6be6be55f6d3056c27a359d6b9204

SHA1
d98fd7fba7ac4796567ed69606affd9c188ded75

SHA256
6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af

SHA512
e12dba804d8ddd730185dce84a6de579bb5381bd5e22398362bd7acca6f5d1c1aebf4ee756b67a2401a91c96bbeb9dc9f13a79398022035dd2eee6867535fb28

Download Submit
\componentRuntimeHostDhcp\portcomponentcrt.exe
Filesize
1.3MB

MD5
4cd6be6be55f6d3056c27a359d6b9204

SHA1
d98fd7fba7ac4796567ed69606affd9c188ded75

SHA256
6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af

SHA512
e12dba804d8ddd730185dce84a6de579bb5381bd5e22398362bd7acca6f5d1c1aebf4ee756b67a2401a91c96bbeb9dc9f13a79398022035dd2eee6867535fb28

Download Submit
\componentRuntimeHostDhcp\portcomponentcrt.exe
Filesize
1.3MB

MD5
4cd6be6be55f6d3056c27a359d6b9204

SHA1
d98fd7fba7ac4796567ed69606affd9c188ded75

SHA256
6d2a8a1ad160fbd9a9aafbab1c73c7ee1b44cf75150305880ea3a2afa113c6af

SHA512
e12dba804d8ddd730185dce84a6de579bb5381bd5e22398362bd7acca6f5d1c1aebf4ee756b67a2401a91c96bbeb9dc9f13a79398022035dd2eee6867535fb28

Download Submit
memory/1204-65-0x0000000000940000-0x0000000000D25000-memory.dmp

Filesize
3.9MB

Download
memory/1696-93-0x0000000001170000-0x00000000012C2000-memory.dmp

Filesize
1.3MB

Download
memory/1696-94-0x000000001B1E0000-0x000000001B260000-memory.dmp

Filesize
512KB

Download
memory/1696-95-0x000000001B1E0000-0x000000001B260000-memory.dmp

Filesize
512KB

Download
memory/1856-76-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1856-77-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/1856-78-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/1856-83-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/1856-75-0x00000000004F0000-0x0000000000506000-memory.dmp

Filesize
88KB

Download
memory/1856-74-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/1856-73-0x00000000008B0000-0x0000000000A02000-memory.dmp

Filesize
1.3MB

Download