dcrat | 0102ee1516fd47fc9cb7ffb31c922e747cc5ce638e2fb0d5e133275e271cd492

General

Target

Fortnite.exe
Size

1.1MB
MD5

f795b0bb519a53aa55f3a1f8b421708d
SHA1

18b0c53280f120d18e224ef389e21a09902da4f4
SHA256

0102ee1516fd47fc9cb7ffb31c922e747cc5ce638e2fb0d5e133275e271cd492
SHA512

d3a1908461508c6bf322e1aa809b6b04ed27e0722957fcdf5d4f828060f4d4ba76d415ba56b8dad1d9d07129603590fc75699d98014fd79f3bfb8ea051e70180
SSDEEP

24576:U2G/nvxW3Ww0tEiau4VjR/qCUzDG6bNUa1BMJWl:UbA30klYS6b26

Score

10^/10

dcrat evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	4740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	4740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	4740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	4740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	4740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	4740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	4740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	4740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	4740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4740	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Windows\syscom32.exe	dcrat
C:\Windows\syscom32.exe	dcrat
behavioral1/memory/2628-135-0x0000000000EE0000-0x0000000000FB6000-memory.dmp	dcrat
C:\odt\ShellExperienceHost.exe	dcrat
C:\Recovery\WindowsRE\dwm.exe	dcrat
C:\Recovery\WindowsRE\dwm.exe	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

syscom32.exedwm.exe

pid process

2628 syscom32.exe
3052 dwm.exe

Drops file in Windows directory 9 IoCs

Processes:

Fortnite.exesyscom32.exe

description	ioc	process
File created	C:\Windows\syscom32.exe	Fortnite.exe
File opened for modification	C:\Windows\syscom32.exe	Fortnite.exe
File created	C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe	Fortnite.exe
File created	C:\Windows\kkLuA.bat	Fortnite.exe
File opened for modification	C:\Windows\kkLuA.bat	Fortnite.exe
File created	C:\Windows\PrintDialog\pris\RuntimeBroker.exe	syscom32.exe
File created	C:\Windows\PrintDialog\pris\9e8d7a4ca61bd9	syscom32.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240568343	Fortnite.exe
File opened for modification	C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe	Fortnite.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3744	schtasks.exe
3116	schtasks.exe
1708	schtasks.exe
4040	schtasks.exe
4700	schtasks.exe
1564	schtasks.exe
1208	schtasks.exe
3572	schtasks.exe
3764	schtasks.exe
3780	schtasks.exe
2816	schtasks.exe
4720	schtasks.exe
4824	schtasks.exe
4836	schtasks.exe
2572	schtasks.exe

Modifies registry class 1 IoCs

Processes:

Fortnite.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings Fortnite.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3216 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	Fortnite.exe

pid	process
3216	reg.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

syscom32.exedwm.exe

pid	process
2628	syscom32.exe
2628	syscom32.exe
2628	syscom32.exe
2628	syscom32.exe
2628	syscom32.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe
3052	dwm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

syscom32.exedwm.exe

description pid process

Token: SeDebugPrivilege 2628 syscom32.exe
Token: SeDebugPrivilege 3052 dwm.exe

description	pid	process
Token: SeDebugPrivilege	2628	syscom32.exe
Token: SeDebugPrivilege	3052	dwm.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Fortnite.exeWScript.execmd.exesyscom32.exe

description	pid	process	target process
PID 2904 wrote to memory of 4188	2904	Fortnite.exe	WScript.exe
PID 2904 wrote to memory of 4188	2904	Fortnite.exe	WScript.exe
PID 2904 wrote to memory of 4188	2904	Fortnite.exe	WScript.exe
PID 4188 wrote to memory of 4976	4188	WScript.exe	cmd.exe
PID 4188 wrote to memory of 4976	4188	WScript.exe	cmd.exe
PID 4188 wrote to memory of 4976	4188	WScript.exe	cmd.exe
PID 4976 wrote to memory of 2628	4976	cmd.exe	syscom32.exe
PID 4976 wrote to memory of 2628	4976	cmd.exe	syscom32.exe
PID 2628 wrote to memory of 3052	2628	syscom32.exe	dwm.exe
PID 2628 wrote to memory of 3052	2628	syscom32.exe	dwm.exe
PID 4976 wrote to memory of 3216	4976	cmd.exe	reg.exe
PID 4976 wrote to memory of 3216	4976	cmd.exe	reg.exe
PID 4976 wrote to memory of 3216	4976	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Fortnite.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\kkLuA.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\syscom32.exe
"C:\Windows\syscom32.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Recovery\WindowsRE\dwm.exe
"C:\Recovery\WindowsRE\dwm.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\PrintDialog\pris\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\PrintDialog\pris\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\dwm.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Recovery\WindowsRE\dwm.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\kkLuA.bat
Filesize
137B

MD5
eddbf02b8f63229a6f4670d77d49f965

SHA1
84dc5aa13c3a7144742df74e28da6a7ad9177a69

SHA256
12646d50947198b1c27be43e89905ce71902c186c21f1abbe0dc16919d4ce7ae

SHA512
be87f2ec9e7371a7999b8c552af765374d8c5c186df18dea61caa5ca57b1ac9e95b194a31d459e090a5cb32c7908af3e90cb4b2576ccfc191a6043879436681d

Download Submit
C:\Windows\syscom32.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\syscom32.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe
Filesize
189B

MD5
c7c7ffa475aef8dff75df4c55df974af

SHA1
ef0427f4f4091c69d488443079477b1d4416e9b2

SHA256
19a4bf5506db87cf645f4a6e9af79b85e0d04ac4e7bc948585510dfe99d5ef16

SHA512
72fa6c18a83eb5edb303a85de4fb5f759a570aa5281525da6021cc1f0613257fbb5305f7a1bf6f6e3337d9ef707776a372b938f6ae6be777b7e6fe18a9dcba66

Download Submit
C:\odt\ShellExperienceHost.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
memory/2628-135-0x0000000000EE0000-0x0000000000FB6000-memory.dmp

Filesize
856KB

Download
memory/2628-136-0x00000000016D0000-0x00000000016E0000-memory.dmp

Filesize
64KB

Download
memory/3052-152-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/3052-153-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/3052-154-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/3052-155-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/3052-156-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/3052-157-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/3052-158-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/3052-159-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads