dcrat | 90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

General

Target

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
Size

828KB
MD5

ece82b00b9400f1d09a763853964e291
SHA1

b1b36fcd10ff7833f9bb430ea371df5d295498af
SHA256

90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57
SHA512

52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519
SSDEEP

12288:NaKyDgt9n5S56ZJ2dUWmBXcKOLUJMgAGuhLbLwN:NyDgt9n4iJ2dUbXwRgAGuLbLwN

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	548	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2264-133-0x00000000005C0000-0x0000000000696000-memory.dmp	dcrat
C:\Windows\SoftwareDistribution\SIH\eng\sppsvc.exe	dcrat
C:\Windows\SoftwareDistribution\SIH\eng\sppsvc.exe	dcrat
C:\Windows\SoftwareDistribution\SIH\eng\sppsvc.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

Executes dropped EXE 1 IoCs

Processes:

sppsvc.exe

pid process

4436 sppsvc.exe

pid	process
4436	sppsvc.exe

Drops file in Program Files directory 2 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

description	ioc	process
File created	C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\9e8d7a4ca61bd9	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

Drops file in Windows directory 2 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

description	ioc	process
File created	C:\Windows\SoftwareDistribution\SIH\eng\sppsvc.exe	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Windows\SoftwareDistribution\SIH\eng\0a1fd5f707cd16	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3984	schtasks.exe
452	schtasks.exe
3896	schtasks.exe
2516	schtasks.exe
604	schtasks.exe
4652	schtasks.exe
1052	schtasks.exe
792	schtasks.exe
5064	schtasks.exe
1068	schtasks.exe
2932	schtasks.exe
4396	schtasks.exe

Modifies registry class 1 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exesppsvc.exe

pid	process
2264	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
2264	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
2264	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
2264	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
2264	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
4436	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exesppsvc.exe

description pid process

Token: SeDebugPrivilege 2264 90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
Token: SeDebugPrivilege 4436 sppsvc.exe

description	pid	process
Token: SeDebugPrivilege	2264	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
Token: SeDebugPrivilege	4436	sppsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.execmd.exe

description	pid	process	target process
PID 2264 wrote to memory of 3956	2264	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe	cmd.exe
PID 2264 wrote to memory of 3956	2264	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe	cmd.exe
PID 3956 wrote to memory of 1440	3956	cmd.exe	w32tm.exe
PID 3956 wrote to memory of 1440	3956	cmd.exe	w32tm.exe
PID 3956 wrote to memory of 4436	3956	cmd.exe	sppsvc.exe
PID 3956 wrote to memory of 4436	3956	cmd.exe	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
"C:\Users\Admin\AppData\Local\Temp\90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NdM2gnaJii.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1440

C:\Windows\SoftwareDistribution\SIH\eng\sppsvc.exe
"C:\Windows\SoftwareDistribution\SIH\eng\sppsvc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SIH\eng\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\SIH\eng\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\SIH\eng\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NdM2gnaJii.bat
Filesize
215B

MD5
505edd26ce4405166a1d114c2053c932

SHA1
9b634c1c47f9f275f034a54b52f0424fe1b41a17

SHA256
ab3964c69982b55cee022d78cd3b51e8bac572fa58b1a170be210ffa30a3b416

SHA512
04dc3ac2e35bd4c85785aba99841dbd0c05b883760b529772732642a7104a71074456c9346e8c8d10068025f2886484ebc20b8fac52bc4fcab730e203bd1ef46

Download Submit
C:\Windows\SoftwareDistribution\SIH\eng\sppsvc.exe
Filesize
828KB

MD5
ece82b00b9400f1d09a763853964e291

SHA1
b1b36fcd10ff7833f9bb430ea371df5d295498af

SHA256
90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

SHA512
52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

Download Submit
C:\Windows\SoftwareDistribution\SIH\eng\sppsvc.exe
Filesize
828KB

MD5
ece82b00b9400f1d09a763853964e291

SHA1
b1b36fcd10ff7833f9bb430ea371df5d295498af

SHA256
90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

SHA512
52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

Download Submit
C:\Windows\SoftwareDistribution\SIH\eng\sppsvc.exe
Filesize
828KB

MD5
ece82b00b9400f1d09a763853964e291

SHA1
b1b36fcd10ff7833f9bb430ea371df5d295498af

SHA256
90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

SHA512
52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

Download Submit
memory/2264-133-0x00000000005C0000-0x0000000000696000-memory.dmp

Filesize
856KB

Download
memory/2264-136-0x000000001B4C0000-0x000000001B4D0000-memory.dmp

Filesize
64KB

Download
memory/4436-152-0x0000000000E50000-0x0000000000E60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads