dcrat | b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72

General

Target

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Size

1.1MB
MD5

8d491e642b1402ee5bf8d1417c437da1
SHA1

cddc7a2610d738c4ddf11c1bf008e045741138d4
SHA256

b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72
SHA512

a4dd0758bcb48344172d8a2deab3999fc3c1a7172a2cc4a437510222bdf7db4aaed80852c562c1e773d5fd0c45a531bc37e52ee5130ac72f4ebc0323a7563377
SSDEEP

24576:AJ8kuxCAZLI3rjRUfM+7HeWhUsus8k9bYUE/oXc02+4:Zdqi7j3E/oM0R

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	736	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1212-54-0x0000000000860000-0x0000000000982000-memory.dmp	dcrat
C:\Windows\splwow64\explorer.exe	dcrat
C:\Windows\splwow64\explorer.exe	dcrat
behavioral1/memory/1740-71-0x0000000000090000-0x00000000001B2000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

1740 explorer.exe

pid	process
1740	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\""	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\ProgramData\\Start Menu\\System.exe\""	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\MigAutoPlay\\lsm.exe\""	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\splwow64\\explorer.exe\""	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe

Drops file in System32 directory 3 IoCs

Processes:

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe

description	ioc	process
File created	C:\Windows\System32\MigAutoPlay\lsm.exe	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
File opened for modification	C:\Windows\System32\MigAutoPlay\lsm.exe	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
File created	C:\Windows\System32\MigAutoPlay\101b941d020240259ca4912829b53995ad543df6	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe

Drops file in Windows directory 2 IoCs

Processes:

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe

description	ioc	process
File created	C:\Windows\splwow64\explorer.exe	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
File created	C:\Windows\splwow64\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

584 schtasks.exe
1160 schtasks.exe
328 schtasks.exe
1568 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exeexplorer.exe

pid process

1212 B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
1740 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 1212 B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Token: SeDebugPrivilege 1740 explorer.exe

pid	process
584	schtasks.exe
1160	schtasks.exe
328	schtasks.exe
1568	schtasks.exe

pid	process
1212	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
1740	explorer.exe

description	pid	process
Token: SeDebugPrivilege	1212	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Token: SeDebugPrivilege	1740	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.execmd.exe

description	pid	process	target process
PID 1212 wrote to memory of 1764	1212	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe	cmd.exe
PID 1212 wrote to memory of 1764	1212	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe	cmd.exe
PID 1212 wrote to memory of 1764	1212	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe	cmd.exe
PID 1764 wrote to memory of 1600	1764	cmd.exe	chcp.com
PID 1764 wrote to memory of 1600	1764	cmd.exe	chcp.com
PID 1764 wrote to memory of 1600	1764	cmd.exe	chcp.com
PID 1764 wrote to memory of 1576	1764	cmd.exe	w32tm.exe
PID 1764 wrote to memory of 1576	1764	cmd.exe	w32tm.exe
PID 1764 wrote to memory of 1576	1764	cmd.exe	w32tm.exe
PID 1764 wrote to memory of 1740	1764	cmd.exe	explorer.exe
PID 1764 wrote to memory of 1740	1764	cmd.exe	explorer.exe
PID 1764 wrote to memory of 1740	1764	cmd.exe	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
"C:\Users\Admin\AppData\Local\Temp\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zCpJr4a4Og.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1600

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1576

C:\Windows\splwow64\explorer.exe
"C:\Windows\splwow64\explorer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\MigAutoPlay\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\splwow64\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zCpJr4a4Og.bat
Filesize
248B

MD5
6da7f7b1f4b18589d0ba147bbda0821b

SHA1
4e68289d5e46301b08ec56b92a45feca1a7e6b67

SHA256
8050fc6a702e3359d8a4d847e5e8cf256060836525c150bb2d379c86aa5b888c

SHA512
ff1d1fc2ccf29c042053c11630b4d194bc2509b1e002a85de3da706806912a812e8eaa435f8cce401306365f42b004f33f86efcae397eb803c3012406d521119

Download Submit
C:\Windows\splwow64\explorer.exe
Filesize
1.1MB

MD5
8d491e642b1402ee5bf8d1417c437da1

SHA1
cddc7a2610d738c4ddf11c1bf008e045741138d4

SHA256
b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72

SHA512
a4dd0758bcb48344172d8a2deab3999fc3c1a7172a2cc4a437510222bdf7db4aaed80852c562c1e773d5fd0c45a531bc37e52ee5130ac72f4ebc0323a7563377

Download Submit
C:\Windows\splwow64\explorer.exe
Filesize
1.1MB

MD5
8d491e642b1402ee5bf8d1417c437da1

SHA1
cddc7a2610d738c4ddf11c1bf008e045741138d4

SHA256
b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72

SHA512
a4dd0758bcb48344172d8a2deab3999fc3c1a7172a2cc4a437510222bdf7db4aaed80852c562c1e773d5fd0c45a531bc37e52ee5130ac72f4ebc0323a7563377

Download Submit
memory/1212-54-0x0000000000860000-0x0000000000982000-memory.dmp

Filesize
1.1MB

Download
memory/1212-55-0x00000000007D0000-0x0000000000850000-memory.dmp

Filesize
512KB

Download
memory/1740-71-0x0000000000090000-0x00000000001B2000-memory.dmp

Filesize
1.1MB

Download
memory/1740-72-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads