dcrat | f32bfcf53e2f11c5651fe5d4124d9dce1cb071fa7e5fc0b20fa6885a8de34af7

General

Target

Roblox Game Manager/Roblox Game Manager.exe
Size

1.2MB
MD5

0c5490df9bc38516e0caf3671cfe53b3
SHA1

6ed899171d1d5e3badea986eff1d8fbe39191511
SHA256

368f78866f6d64f9f03a7caf900fad3e21a7d2c84dbe34d6ae1dc5f8264e4077
SHA512

6e46bea29c4586730b8265d59d1e86aa963bedafc5f92dc42564d61a0d3fb0da7ab1cdaaf6d40a5ed2bdb976f4164da9e83054ffe6b499f10bf2c5b79d2394b9
SSDEEP

24576:U2hXPc/uRkQW40y/v7ySTtA17c09ngjl8ShwTwtZiNpoRNm9VMgP4Tue61bi:bcbh3AqNxShwT1xTi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3536-134-0x0000000000400000-0x000000000051C000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RegSvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Roblox Game Manager.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\portsaves.exe"	Roblox Game Manager.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run	Roblox Game Manager.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Roblox Game Manager.exe

description pid process target process

PID 220 set thread context of 3536 220 Roblox Game Manager.exe RegSvcs.exe
Modifies registry class 1 IoCs

Processes:

RegSvcs.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegSvcs.exe

pid process

3536 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 3536 RegSvcs.exe

description	pid	process	target process
PID 220 set thread context of 3536	220	Roblox Game Manager.exe	RegSvcs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	RegSvcs.exe

pid	process
3536	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3536	RegSvcs.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Roblox Game Manager.exeRegSvcs.execmd.exew32tm.exe

description	pid	process	target process
PID 220 wrote to memory of 3536	220	Roblox Game Manager.exe	RegSvcs.exe
PID 220 wrote to memory of 3536	220	Roblox Game Manager.exe	RegSvcs.exe
PID 220 wrote to memory of 3536	220	Roblox Game Manager.exe	RegSvcs.exe
PID 220 wrote to memory of 3536	220	Roblox Game Manager.exe	RegSvcs.exe
PID 220 wrote to memory of 3536	220	Roblox Game Manager.exe	RegSvcs.exe
PID 220 wrote to memory of 3536	220	Roblox Game Manager.exe	RegSvcs.exe
PID 220 wrote to memory of 3536	220	Roblox Game Manager.exe	RegSvcs.exe
PID 220 wrote to memory of 3536	220	Roblox Game Manager.exe	RegSvcs.exe
PID 220 wrote to memory of 3536	220	Roblox Game Manager.exe	RegSvcs.exe
PID 220 wrote to memory of 3536	220	Roblox Game Manager.exe	RegSvcs.exe
PID 3536 wrote to memory of 3040	3536	RegSvcs.exe	cmd.exe
PID 3536 wrote to memory of 3040	3536	RegSvcs.exe	cmd.exe
PID 3536 wrote to memory of 3040	3536	RegSvcs.exe	cmd.exe
PID 3040 wrote to memory of 3828	3040	cmd.exe	w32tm.exe
PID 3040 wrote to memory of 3828	3040	cmd.exe	w32tm.exe
PID 3040 wrote to memory of 3828	3040	cmd.exe	w32tm.exe
PID 3828 wrote to memory of 4152	3828	w32tm.exe	w32tm.exe
PID 3828 wrote to memory of 4152	3828	w32tm.exe	w32tm.exe
PID 3040 wrote to memory of 3348	3040	cmd.exe	RegSvcs.exe
PID 3040 wrote to memory of 3348	3040	cmd.exe	RegSvcs.exe
PID 3040 wrote to memory of 3348	3040	cmd.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Roblox Game Manager\Roblox Game Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Game Manager\Roblox Game Manager.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Drops file in Drivers directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:4152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:3348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
Filesize
1KB

MD5
02b284f8be8630c20716b6c3c03e52e2

SHA1
466b4adf2f03b2c98895c689d6ffa434e1dac369

SHA256
2286804d48de386901cc18fcb499a236c7bea16ed8db850fc5e9cef2850e8cc0

SHA512
52e8cbf909814becb025c62c177d8f55f6a60df2f84296b174f18200e0e97b8ffa180c59f071b4318d239dc78a82afd4dac94a741107b4a4182473c43852a6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat
Filesize
222B

MD5
74a529f251b20befcf3f7c96d7c84083

SHA1
0f64a5e3ae253d92e65287a49252978abc46b0d8

SHA256
f0335dc969f43d77a771478a80997da774ea2bcc8b52fda16799f372d2dde557

SHA512
042d0643feb014f0dc4ea09924db8aef2747a7d8dabe8e654af8d905544dc4fd3b0cc0af0c6a1d91d1f959288fb604ca867c62e4208a3b9b5fbbf904e33ee7dd

Download Submit
memory/3348-149-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/3348-150-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/3536-134-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3536-135-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/3536-136-0x0000000006220000-0x00000000067C4000-memory.dmp

Filesize
5.6MB

Download
memory/3536-137-0x0000000005E90000-0x0000000005F22000-memory.dmp

Filesize
584KB

Download
memory/3536-138-0x0000000005E40000-0x0000000005E90000-memory.dmp

Filesize
320KB

Download
memory/3536-140-0x0000000007AB0000-0x0000000007B16000-memory.dmp

Filesize
408KB

Download
memory/3536-144-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads