dcrat | aa87eead64e484f0a37e6f0420b9b327eb983edc4f417b51b1ecd400bddd7c41

General

Target

injector.exe
Size

4.1MB
MD5

05baef98bd302a685a7b0412341223ad
SHA1

3808f40778dd09ca2437e531725a48f1cbc34a50
SHA256

aa87eead64e484f0a37e6f0420b9b327eb983edc4f417b51b1ecd400bddd7c41
SHA512

93e5f1c5176c473823bcb5e9ecbfffdd789962b401dbd7f7212126dcd3613f3a8a9005eee175590c4040b7a39c7288e3c47028700f579ab85d5b8b67c3d1cdaf
SSDEEP

98304:phfEZMB8SQTr3cEA6Ql2GyzXCNHmCWK4DYq5Ek:/fEZQ8NTrMB6QlozyOYqWk

Score

10^/10

dcrat evasion infostealer rat themida trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	4456	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	4456	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3252-136-0x0000000000D60000-0x00000000016DA000-memory.dmp	dcrat
behavioral2/memory/3252-137-0x0000000000D60000-0x00000000016DA000-memory.dmp	dcrat
behavioral2/memory/3252-155-0x0000000000D60000-0x00000000016DA000-memory.dmp	dcrat
behavioral2/memory/3424-162-0x0000000000DC0000-0x000000000173A000-memory.dmp	dcrat
behavioral2/memory/3424-163-0x0000000000DC0000-0x000000000173A000-memory.dmp	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

injector.exesmss.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ injector.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ smss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	injector.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	smss.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smss.exeinjector.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	injector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	injector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	smss.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

injector.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation injector.exe
Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

3424 smss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	injector.exe

pid	process
3424	smss.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3252-136-0x0000000000D60000-0x00000000016DA000-memory.dmp	themida
behavioral2/memory/3252-137-0x0000000000D60000-0x00000000016DA000-memory.dmp	themida
behavioral2/memory/3252-155-0x0000000000D60000-0x00000000016DA000-memory.dmp	themida
C:\Program Files\Common Files\Services\smss.exe	themida
C:\Program Files\Common Files\Services\smss.exe	themida
behavioral2/memory/3424-162-0x0000000000DC0000-0x000000000173A000-memory.dmp	themida
behavioral2/memory/3424-163-0x0000000000DC0000-0x000000000173A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

injector.exesmss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	injector.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

injector.exesmss.exe

pid process

3252 injector.exe
3424 smss.exe

pid	process
3252	injector.exe
3424	smss.exe

Drops file in Program Files directory 4 IoCs

Processes:

injector.exe

description	ioc	process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe	injector.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\e6c9b481da804f	injector.exe
File opened for modification	C:\Program Files\Common Files\Services\smss.exe	injector.exe
File created	C:\Program Files\Common Files\Services\69ddcba757bf72	injector.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

264 schtasks.exe
908 schtasks.exe
1360 schtasks.exe
1344 schtasks.exe
600 schtasks.exe
112 schtasks.exe
Modifies registry class 1 IoCs

Processes:

injector.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings injector.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

injector.exesmss.exe

pid process

3252 injector.exe
3424 smss.exe
3424 smss.exe
3424 smss.exe
3424 smss.exe
3424 smss.exe
3424 smss.exe
3424 smss.exe
3424 smss.exe
3424 smss.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

smss.exe

pid process

3424 smss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

injector.exesmss.exe

description pid process

Token: SeDebugPrivilege 3252 injector.exe
Token: SeDebugPrivilege 3424 smss.exe

pid	process
264	schtasks.exe
908	schtasks.exe
1360	schtasks.exe
1344	schtasks.exe
600	schtasks.exe
112	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	injector.exe

pid	process
3252	injector.exe
3424	smss.exe
3424	smss.exe
3424	smss.exe
3424	smss.exe
3424	smss.exe
3424	smss.exe
3424	smss.exe
3424	smss.exe
3424	smss.exe

pid	process
3424	smss.exe

description	pid	process
Token: SeDebugPrivilege	3252	injector.exe
Token: SeDebugPrivilege	3424	smss.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

injector.execmd.exew32tm.exe

description	pid	process	target process
PID 3252 wrote to memory of 3132	3252	injector.exe	cmd.exe
PID 3252 wrote to memory of 3132	3252	injector.exe	cmd.exe
PID 3252 wrote to memory of 3132	3252	injector.exe	cmd.exe
PID 3132 wrote to memory of 2808	3132	cmd.exe	w32tm.exe
PID 3132 wrote to memory of 2808	3132	cmd.exe	w32tm.exe
PID 3132 wrote to memory of 2808	3132	cmd.exe	w32tm.exe
PID 2808 wrote to memory of 3836	2808	w32tm.exe	w32tm.exe
PID 2808 wrote to memory of 3836	2808	w32tm.exe	w32tm.exe
PID 3132 wrote to memory of 3424	3132	cmd.exe	smss.exe
PID 3132 wrote to memory of 3424	3132	cmd.exe	smss.exe
PID 3132 wrote to memory of 3424	3132	cmd.exe	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\injector.exe
"C:\Users\Admin\AppData\Local\Temp\injector.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BZzno4kruI.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:3836

C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Services\smss.exe
Filesize
4.1MB

MD5
05baef98bd302a685a7b0412341223ad

SHA1
3808f40778dd09ca2437e531725a48f1cbc34a50

SHA256
aa87eead64e484f0a37e6f0420b9b327eb983edc4f417b51b1ecd400bddd7c41

SHA512
93e5f1c5176c473823bcb5e9ecbfffdd789962b401dbd7f7212126dcd3613f3a8a9005eee175590c4040b7a39c7288e3c47028700f579ab85d5b8b67c3d1cdaf

Download Submit
C:\Program Files\Common Files\Services\smss.exe
Filesize
4.1MB

MD5
05baef98bd302a685a7b0412341223ad

SHA1
3808f40778dd09ca2437e531725a48f1cbc34a50

SHA256
aa87eead64e484f0a37e6f0420b9b327eb983edc4f417b51b1ecd400bddd7c41

SHA512
93e5f1c5176c473823bcb5e9ecbfffdd789962b401dbd7f7212126dcd3613f3a8a9005eee175590c4040b7a39c7288e3c47028700f579ab85d5b8b67c3d1cdaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\BZzno4kruI.bat
Filesize
212B

MD5
790cb5657b7fe9784bc864d4dd7fd46a

SHA1
14ad4a02117e0162ea8dd603fc3a166bc77fd749

SHA256
2e8417bbc2dfa72023362749ef153efd89c281f5d7fa81502d327760cbfe5cc4

SHA512
32539c90e663941cb1a8b8c7bff70a0581616c9f8ed9efda6e19fee0771ded3e97e1cd738ae8bbe0bb0fba35aa2c28e95118f71f6322fc7f4faa63d74075da02

Download Submit
memory/3252-139-0x00000000040C0000-0x00000000040D0000-memory.dmp

Filesize
64KB

Download
memory/3252-155-0x0000000000D60000-0x00000000016DA000-memory.dmp

Filesize
9.5MB

Download
memory/3252-140-0x0000000006970000-0x00000000069C0000-memory.dmp

Filesize
320KB

Download
memory/3252-141-0x0000000007400000-0x0000000007492000-memory.dmp

Filesize
584KB

Download
memory/3252-142-0x0000000008AB0000-0x0000000008FDC000-memory.dmp

Filesize
5.2MB

Download
memory/3252-145-0x0000000008580000-0x00000000085E6000-memory.dmp

Filesize
408KB

Download
memory/3252-138-0x0000000006DA0000-0x0000000007344000-memory.dmp

Filesize
5.6MB

Download
memory/3252-133-0x0000000000D60000-0x00000000016DA000-memory.dmp

Filesize
9.5MB

Download
memory/3252-137-0x0000000000D60000-0x00000000016DA000-memory.dmp

Filesize
9.5MB

Download
memory/3252-136-0x0000000000D60000-0x00000000016DA000-memory.dmp

Filesize
9.5MB

Download
memory/3424-159-0x0000000000DC0000-0x000000000173A000-memory.dmp

Filesize
9.5MB

Download
memory/3424-162-0x0000000000DC0000-0x000000000173A000-memory.dmp

Filesize
9.5MB

Download
memory/3424-163-0x0000000000DC0000-0x000000000173A000-memory.dmp

Filesize
9.5MB

Download
memory/3424-165-0x0000000000DC0000-0x000000000173A000-memory.dmp

Filesize
9.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads