dcrat | 9e58d61752c75ce86abc03005f0c75d9e2cf8218a5245d84ccc9abd9fe7a265d

General

Target

9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
Size

1.1MB
MD5

ba182fd81a486ddb460723be522ce562
SHA1

5dc2ad0fa9c62f91ecae3322d433640694248023
SHA256

9e58d61752c75ce86abc03005f0c75d9e2cf8218a5245d84ccc9abd9fe7a265d
SHA512

077c9beda4f04f5c472f5699ceaee7f3bd0ffed3272c24ce2ace2a926d003f5a2a7e75f7ecc5c1b98ccd8be0c486de97e98cb80965d5b94b46cdd453378df398
SSDEEP

24576:G4VHpBN/oi3FLVAdz3+H1jGt/OzwiI6bHeWsgFFNhtA:G4BpwiVRVjGJfuKWsgFLht

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	692	schtasks.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1832-54-0x00000000002F0000-0x0000000000416000-memory.dmp	dcrat
C:\Program Files (x86)\Adobe\9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe	dcrat
C:\Windows\en-US\sppsvc.exe	dcrat
C:\Windows\en-US\sppsvc.exe	dcrat
behavioral1/memory/1172-79-0x0000000000D70000-0x0000000000E96000-memory.dmp	dcrat
behavioral1/memory/1172-80-0x000000001AF90000-0x000000001B010000-memory.dmp	dcrat
behavioral1/memory/1172-81-0x000000001AF90000-0x000000001B010000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

sppsvc.exe

pid process

1172 sppsvc.exe

pid	process
1172	sppsvc.exe

Drops file in Program Files directory 6 IoCs

Processes:

9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe

description	ioc	process
File created	C:\Program Files\Windows Mail\ja-JP\b75386f1303e64	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\smss.exe	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\69ddcba757bf72	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Program Files (x86)\Adobe\9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Program Files (x86)\Adobe\7c04e9fe579385	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Program Files\Windows Mail\ja-JP\taskhost.exe	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe

Drops file in Windows directory 8 IoCs

Processes:

9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe

description	ioc	process
File created	C:\Windows\schemas\TSWorkSpace\sppsvc.exe	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Windows\en-US\sppsvc.exe	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Windows\en-US\0a1fd5f707cd16	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Windows\L2Schemas\csrss.exe	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File opened for modification	C:\Windows\L2Schemas\csrss.exe	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Windows\L2Schemas\886983d96e3d3e	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Windows\DigitalLocker\ja-JP\taskhost.exe	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Windows\DigitalLocker\ja-JP\b75386f1303e64	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
376	schtasks.exe
1776	schtasks.exe
1852	schtasks.exe
872	schtasks.exe
1624	schtasks.exe
1600	schtasks.exe
596	schtasks.exe
612	schtasks.exe
1504	schtasks.exe
1148	schtasks.exe
456	schtasks.exe
1856	schtasks.exe
1716	schtasks.exe
1736	schtasks.exe
1472	schtasks.exe
1936	schtasks.exe
1416	schtasks.exe
1864	schtasks.exe
2036	schtasks.exe
884	schtasks.exe
1608	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

sppsvc.exe

pid process

1172 sppsvc.exe

pid	process
1172	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exesppsvc.exe

pid	process
1832	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
1172	sppsvc.exe
1172	sppsvc.exe
1172	sppsvc.exe
1172	sppsvc.exe
1172	sppsvc.exe
1172	sppsvc.exe
1172	sppsvc.exe
1172	sppsvc.exe
1172	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exesppsvc.exe

description pid process

Token: SeDebugPrivilege 1832 9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
Token: SeDebugPrivilege 1172 sppsvc.exe

description	pid	process
Token: SeDebugPrivilege	1832	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
Token: SeDebugPrivilege	1172	sppsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.execmd.exe

description	pid	process	target process
PID 1832 wrote to memory of 1384	1832	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe	cmd.exe
PID 1832 wrote to memory of 1384	1832	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe	cmd.exe
PID 1832 wrote to memory of 1384	1832	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe	cmd.exe
PID 1384 wrote to memory of 1204	1384	cmd.exe	w32tm.exe
PID 1384 wrote to memory of 1204	1384	cmd.exe	w32tm.exe
PID 1384 wrote to memory of 1204	1384	cmd.exe	w32tm.exe
PID 1384 wrote to memory of 1172	1384	cmd.exe	sppsvc.exe
PID 1384 wrote to memory of 1172	1384	cmd.exe	sppsvc.exe
PID 1384 wrote to memory of 1172	1384	cmd.exe	sppsvc.exe
PID 1384 wrote to memory of 1172	1384	cmd.exe	sppsvc.exe
PID 1384 wrote to memory of 1172	1384	cmd.exe	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
"C:\Users\Admin\AppData\Local\Temp\9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yk6iKI49Tf.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1204

C:\Windows\en-US\sppsvc.exe
"C:\Windows\en-US\sppsvc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\ja-JP\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9E58D61752C75CE86ABC03005F0C75D9E2CF8218A52459" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9E58D61752C75CE86ABC03005F0C75D9E2CF8218A52459" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\ja-JP\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
Filesize
1.1MB

MD5
ba182fd81a486ddb460723be522ce562

SHA1
5dc2ad0fa9c62f91ecae3322d433640694248023

SHA256
9e58d61752c75ce86abc03005f0c75d9e2cf8218a5245d84ccc9abd9fe7a265d

SHA512
077c9beda4f04f5c472f5699ceaee7f3bd0ffed3272c24ce2ace2a926d003f5a2a7e75f7ecc5c1b98ccd8be0c486de97e98cb80965d5b94b46cdd453378df398

Download Submit
C:\Users\Admin\AppData\Local\Temp\yk6iKI49Tf.bat
Filesize
192B

MD5
2e4865b3869b413d3f3db35aabc6f693

SHA1
cfc1d99d8f6906d8cea54b0a97b9e3532b3eaa09

SHA256
7e6902a72b541be3464f9145ea199781931bb8eccc2c0f2878424dc570d3700c

SHA512
d2f83e8a4c4a92b12556cbf1ca09c7fa32923c9d40f430a149bca1ad67618c0d28bf2920fe1b9da45a91844a4d3590aa8638d0638502dd440f28cb432743e5bd

Download Submit
C:\Windows\en-US\sppsvc.exe
Filesize
1.1MB

MD5
ba182fd81a486ddb460723be522ce562

SHA1
5dc2ad0fa9c62f91ecae3322d433640694248023

SHA256
9e58d61752c75ce86abc03005f0c75d9e2cf8218a5245d84ccc9abd9fe7a265d

SHA512
077c9beda4f04f5c472f5699ceaee7f3bd0ffed3272c24ce2ace2a926d003f5a2a7e75f7ecc5c1b98ccd8be0c486de97e98cb80965d5b94b46cdd453378df398

Download Submit
C:\Windows\en-US\sppsvc.exe
Filesize
1.1MB

MD5
ba182fd81a486ddb460723be522ce562

SHA1
5dc2ad0fa9c62f91ecae3322d433640694248023

SHA256
9e58d61752c75ce86abc03005f0c75d9e2cf8218a5245d84ccc9abd9fe7a265d

SHA512
077c9beda4f04f5c472f5699ceaee7f3bd0ffed3272c24ce2ace2a926d003f5a2a7e75f7ecc5c1b98ccd8be0c486de97e98cb80965d5b94b46cdd453378df398

Download Submit
memory/1172-79-0x0000000000D70000-0x0000000000E96000-memory.dmp

Filesize
1.1MB

Download
memory/1172-80-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/1172-81-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/1832-54-0x00000000002F0000-0x0000000000416000-memory.dmp

Filesize
1.1MB

Download
memory/1832-55-0x000000001A8F0000-0x000000001A970000-memory.dmp

Filesize
512KB

Download
memory/1832-56-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/1832-57-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads