dcrat | b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72

General

Target

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Size

1.1MB
MD5

8d491e642b1402ee5bf8d1417c437da1
SHA1

cddc7a2610d738c4ddf11c1bf008e045741138d4
SHA256

b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72
SHA512

a4dd0758bcb48344172d8a2deab3999fc3c1a7172a2cc4a437510222bdf7db4aaed80852c562c1e773d5fd0c45a531bc37e52ee5130ac72f4ebc0323a7563377
SSDEEP

24576:AJ8kuxCAZLI3rjRUfM+7HeWhUsus8k9bYUE/oXc02+4:Zdqi7j3E/oM0R

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4116	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3500-133-0x00000000004A0000-0x00000000005C2000-memory.dmp	dcrat
C:\Users\sihost.exe	dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe	dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe

Executes dropped EXE 1 IoCs

Processes:

RuntimeBroker.exe

pid process

3852 RuntimeBroker.exe

pid	process
3852	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190 = "\"C:\\odt\\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe\""	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\PerfLogs\\sihost.exe\""	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\DmNotificationBroker\\RuntimeBroker.exe\""	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\ppcRsopCompSchema\\unsecapp.exe\""	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Documents and Settings\\sihost.exe\""	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe

Drops file in System32 directory 4 IoCs

Processes:

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe

description	ioc	process
File created	C:\Windows\System32\DmNotificationBroker\RuntimeBroker.exe	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
File created	C:\Windows\System32\DmNotificationBroker\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
File created	C:\Windows\System32\wbem\ppcRsopCompSchema\unsecapp.exe	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
File created	C:\Windows\System32\wbem\ppcRsopCompSchema\29c1c3cc0f76855c7e7456076a4ffc27e4947119	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3268 schtasks.exe
4776 schtasks.exe
3016 schtasks.exe
4196 schtasks.exe
1320 schtasks.exe
1936 schtasks.exe

pid	process
3268	schtasks.exe
4776	schtasks.exe
3016	schtasks.exe
4196	schtasks.exe
1320	schtasks.exe
1936	schtasks.exe

Modifies registry class 1 IoCs

Processes:

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exeRuntimeBroker.exe

pid process

3500 B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
3852 RuntimeBroker.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exeRuntimeBroker.exe

description pid process

Token: SeDebugPrivilege 3500 B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Token: SeDebugPrivilege 3852 RuntimeBroker.exe

pid	process
3500	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
3852	RuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	3500	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
Token: SeDebugPrivilege	3852	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.execmd.exe

description	pid	process	target process
PID 3500 wrote to memory of 4736	3500	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe	cmd.exe
PID 3500 wrote to memory of 4736	3500	B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe	cmd.exe
PID 4736 wrote to memory of 312	4736	cmd.exe	chcp.com
PID 4736 wrote to memory of 312	4736	cmd.exe	chcp.com
PID 4736 wrote to memory of 224	4736	cmd.exe	w32tm.exe
PID 4736 wrote to memory of 224	4736	cmd.exe	w32tm.exe
PID 4736 wrote to memory of 3852	4736	cmd.exe	RuntimeBroker.exe
PID 4736 wrote to memory of 3852	4736	cmd.exe	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
"C:\Users\Admin\AppData\Local\Temp\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FwdOhaSqLE.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:312

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:224

C:\Recovery\WindowsRE\RuntimeBroker.exe
"C:\Recovery\WindowsRE\RuntimeBroker.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\PerfLogs\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\DmNotificationBroker\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\ppcRsopCompSchema\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Documents and Settings\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190" /sc ONLOGON /tr "'C:\odt\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RuntimeBroker.exe
Filesize
1.1MB

MD5
8d491e642b1402ee5bf8d1417c437da1

SHA1
cddc7a2610d738c4ddf11c1bf008e045741138d4

SHA256
b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72

SHA512
a4dd0758bcb48344172d8a2deab3999fc3c1a7172a2cc4a437510222bdf7db4aaed80852c562c1e773d5fd0c45a531bc37e52ee5130ac72f4ebc0323a7563377

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe
Filesize
1.1MB

MD5
8d491e642b1402ee5bf8d1417c437da1

SHA1
cddc7a2610d738c4ddf11c1bf008e045741138d4

SHA256
b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72

SHA512
a4dd0758bcb48344172d8a2deab3999fc3c1a7172a2cc4a437510222bdf7db4aaed80852c562c1e773d5fd0c45a531bc37e52ee5130ac72f4ebc0323a7563377

Download Submit
C:\Users\Admin\AppData\Local\Temp\FwdOhaSqLE.bat
Filesize
255B

MD5
7a3207c8978ebe5a93df76024e8bd415

SHA1
9eef60c1f199e47220d225c96e498297bd74d56a

SHA256
d0a668c5342a130e9809d14414c1c913f92a50cc10a95efb4019da7e70c4a62e

SHA512
ae57e16a64ce8df92310773fc3e8a7ff54fba76e32c6b39e168adc66a09b34814fac36a6de6e07b2d8e2e43de18daa4342681273c812b04e6ab99a3fcd71d52a

Download Submit
C:\Users\sihost.exe
Filesize
1.1MB

MD5
8d491e642b1402ee5bf8d1417c437da1

SHA1
cddc7a2610d738c4ddf11c1bf008e045741138d4

SHA256
b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72

SHA512
a4dd0758bcb48344172d8a2deab3999fc3c1a7172a2cc4a437510222bdf7db4aaed80852c562c1e773d5fd0c45a531bc37e52ee5130ac72f4ebc0323a7563377

Download Submit
memory/3500-133-0x00000000004A0000-0x00000000005C2000-memory.dmp

Filesize
1.1MB

Download
memory/3500-134-0x000000001B110000-0x000000001B120000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads