dcrat | 2f0cdc7d4ba53c01c835c4f1dfd15d7bd86f96ed767a279cb9c8529b44cd4931

General

Target

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Size

2.4MB
MD5

0e444044fdfea512ca18fc3396abb65b
SHA1

8b601ccad5b2a76967c0ca7579dc13d092307f34
SHA256

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755
SHA512

7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119
SSDEEP

49152:bkcwlRFUh2b69Cs9MR3uh+tytRY1aLXYqIiiJd2EHt:bkdlRI3ceI1azYqWj

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	5096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	5096	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exeSearchApp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3468-133-0x0000000000DA0000-0x0000000001018000-memory.dmp	dcrat
C:\Program Files\MSBuild\SearchApp.exe	dcrat
C:\Program Files\MSBuild\SearchApp.exe	dcrat
C:\Program Files\MSBuild\SearchApp.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

Executes dropped EXE 1 IoCs

Processes:

SearchApp.exe

pid process

3480 SearchApp.exe

pid	process
3480	SearchApp.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exeSearchApp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

Drops file in Program Files directory 5 IoCs

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

description	ioc	process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\5b884080fd4f94	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files\MSBuild\SearchApp.exe	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
File created	C:\Program Files\MSBuild\38384e6a620884	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3508 schtasks.exe
4640 schtasks.exe
4256 schtasks.exe
392 schtasks.exe
3320 schtasks.exe
3488 schtasks.exe

pid	process
3508	schtasks.exe
4640	schtasks.exe
4256	schtasks.exe
392	schtasks.exe
3320	schtasks.exe
3488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exeSearchApp.exe

pid	process
3468	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
3468	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
3468	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
3468	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
3468	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe
3480	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exeSearchApp.exe

description	pid	process
Token: SeDebugPrivilege	3468	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Token: SeDebugPrivilege	3480	SearchApp.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

description	pid	process	target process
PID 3468 wrote to memory of 3480	3468	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe	SearchApp.exe
PID 3468 wrote to memory of 3480	3468	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe	SearchApp.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exeSearchApp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe
"C:\Users\Admin\AppData\Local\Temp\3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3468

C:\Program Files\MSBuild\SearchApp.exe
"C:\Program Files\MSBuild\SearchApp.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\MSBuild\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSBuild\SearchApp.exe
Filesize
2.4MB

MD5
0e444044fdfea512ca18fc3396abb65b

SHA1
8b601ccad5b2a76967c0ca7579dc13d092307f34

SHA256
3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

SHA512
7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

Download Submit
C:\Program Files\MSBuild\SearchApp.exe
Filesize
2.4MB

MD5
0e444044fdfea512ca18fc3396abb65b

SHA1
8b601ccad5b2a76967c0ca7579dc13d092307f34

SHA256
3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

SHA512
7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

Download Submit
C:\Program Files\MSBuild\SearchApp.exe
Filesize
2.4MB

MD5
0e444044fdfea512ca18fc3396abb65b

SHA1
8b601ccad5b2a76967c0ca7579dc13d092307f34

SHA256
3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

SHA512
7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

Download Submit
memory/3468-133-0x0000000000DA0000-0x0000000001018000-memory.dmp

Filesize
2.5MB

Download
memory/3468-134-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/3468-135-0x000000001CF20000-0x000000001CF70000-memory.dmp

Filesize
320KB

Download
memory/3480-151-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/3480-152-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads