dcrat | 90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

General

Target

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
Size

828KB
MD5

ece82b00b9400f1d09a763853964e291
SHA1

b1b36fcd10ff7833f9bb430ea371df5d295498af
SHA256

90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57
SHA512

52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519
SSDEEP

12288:NaKyDgt9n5S56ZJ2dUWmBXcKOLUJMgAGuhLbLwN:NyDgt9n4iJ2dUbXwRgAGuLbLwN

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	3080	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	3080	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	3080	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	3080	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	3080	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	3080	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	3080	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	3080	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	3080	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/644-133-0x0000000000E30000-0x0000000000F06000-memory.dmp	dcrat
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\spoolsv.exe	dcrat
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\spoolsv.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

Executes dropped EXE 1 IoCs

Processes:

spoolsv.exe

pid process

4164 spoolsv.exe

pid	process
4164	spoolsv.exe

Drops file in Program Files directory 2 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\spoolsv.exe	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\f3b6ecef712a24	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2300	schtasks.exe
1644	schtasks.exe
3876	schtasks.exe
3944	schtasks.exe
1780	schtasks.exe
2600	schtasks.exe
2824	schtasks.exe
2836	schtasks.exe
1932	schtasks.exe

Modifies registry class 1 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exespoolsv.exe

pid	process
644	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
644	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
644	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
644	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
644	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
644	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
644	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
644	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
4164	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exespoolsv.exe

description pid process

Token: SeDebugPrivilege 644 90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
Token: SeDebugPrivilege 4164 spoolsv.exe

description	pid	process
Token: SeDebugPrivilege	644	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
Token: SeDebugPrivilege	4164	spoolsv.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.execmd.exe

description	pid	process	target process
PID 644 wrote to memory of 220	644	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe	cmd.exe
PID 644 wrote to memory of 220	644	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe	cmd.exe
PID 220 wrote to memory of 3420	220	cmd.exe	w32tm.exe
PID 220 wrote to memory of 3420	220	cmd.exe	w32tm.exe
PID 220 wrote to memory of 4164	220	cmd.exe	spoolsv.exe
PID 220 wrote to memory of 4164	220	cmd.exe	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
"C:\Users\Admin\AppData\Local\Temp\90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NuhMKLZWcJ.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:3420

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\spoolsv.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\spoolsv.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\spoolsv.exe
Filesize
828KB

MD5
ece82b00b9400f1d09a763853964e291

SHA1
b1b36fcd10ff7833f9bb430ea371df5d295498af

SHA256
90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

SHA512
52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\spoolsv.exe
Filesize
828KB

MD5
ece82b00b9400f1d09a763853964e291

SHA1
b1b36fcd10ff7833f9bb430ea371df5d295498af

SHA256
90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

SHA512
52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

Download Submit
C:\Users\Admin\AppData\Local\Temp\NuhMKLZWcJ.bat
Filesize
243B

MD5
c9eaf50372f52b7f29f434b3830e1c24

SHA1
befe7abc11c964df842c0ed8d83df5b724db6afb

SHA256
886537fd5dd2c264a384fd78a78f51f92f83c556fe9603597a9ec05f979d8bc8

SHA512
09f2b4bfb2f5db5b48753894c71c22eaaf66c41728bd27eb259a8a572c04782bbd56752c67335d3423b88f66d9150b8f31cb7307593ee2674747c255acbe0aec

Download Submit
memory/644-133-0x0000000000E30000-0x0000000000F06000-memory.dmp

Filesize
856KB

Download
memory/644-134-0x000000001B970000-0x000000001B980000-memory.dmp

Filesize
64KB

Download
memory/4164-150-0x000000001B5C0000-0x000000001B5D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads