dcrat | ea8525ed14bdc8f98f18f97b86b2853749eb99f1a517b7dfed4257dae18a7ce9

General

Target

HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe
Size

1.4MB
MD5

86855a4c90ef303681ee3d2139033042
SHA1

8492cdedf5f5a61c08582607c1bbede20c325020
SHA256

ea8525ed14bdc8f98f18f97b86b2853749eb99f1a517b7dfed4257dae18a7ce9
SHA512

a091565a282bb7bba6a3c23fbb198d9eb59cde9a9d8c2877eb25b690468c0696bc9ef45fd47e2c0930e2aee10b953b308305ea8f0e2729c385127c581be95d79
SSDEEP

24576:q2G/nvxW3WuU7l19j0EF+b9ZEFMwHjM7pyscuEHvbp/lgN+4:qbA3Q2BZEHw7pWIU

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeHEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exeschtasks.exeschtasks.exe

pid	process
4644	schtasks.exe
3156	schtasks.exe
4204	schtasks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe
4548	schtasks.exe
3360	schtasks.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	3004	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\FontDriverSession\FontDriverSessionintoRuntimenet.exe	dcrat
C:\FontDriverSession\FontDriverSessionintoRuntimenet.exe	dcrat
behavioral2/memory/4476-146-0x0000000000720000-0x000000000083A000-memory.dmp	dcrat
C:\Windows\SysWOW64\nlhtml\cmd.exe	dcrat
C:\Windows\System32\WPDSp\fontdrvhost.exe	dcrat
C:\Windows\System32\WPDSp\fontdrvhost.exe	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exeWScript.exeFontDriverSessionintoRuntimenet.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	FontDriverSessionintoRuntimenet.exe

Executes dropped EXE 2 IoCs

Processes:

FontDriverSessionintoRuntimenet.exefontdrvhost.exe

pid process

4476 FontDriverSessionintoRuntimenet.exe
4648 fontdrvhost.exe

pid	process
4476	FontDriverSessionintoRuntimenet.exe
4648	fontdrvhost.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FontDriverSessionintoRuntimenet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\Migration\\WTR\\backgroundTaskHost.exe\""	FontDriverSessionintoRuntimenet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\WPDSp\\fontdrvhost.exe\""	FontDriverSessionintoRuntimenet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\FontDriverSession\\csrss.exe\""	FontDriverSessionintoRuntimenet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\setupact\\sysmon.exe\""	FontDriverSessionintoRuntimenet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\SysWOW64\\nlhtml\\cmd.exe\""	FontDriverSessionintoRuntimenet.exe

Drops file in System32 directory 4 IoCs

Processes:

FontDriverSessionintoRuntimenet.exe

description	ioc	process
File created	C:\Windows\SysWOW64\nlhtml\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228	FontDriverSessionintoRuntimenet.exe
File created	C:\Windows\System32\WPDSp\fontdrvhost.exe	FontDriverSessionintoRuntimenet.exe
File created	C:\Windows\System32\WPDSp\5b884080fd4f94e2695da25c503f9e33b9605b83	FontDriverSessionintoRuntimenet.exe
File created	C:\Windows\SysWOW64\nlhtml\cmd.exe	FontDriverSessionintoRuntimenet.exe

Drops file in Windows directory 5 IoCs

Processes:

FontDriverSessionintoRuntimenet.exe

description	ioc	process
File created	C:\Windows\Migration\WTR\backgroundTaskHost.exe	FontDriverSessionintoRuntimenet.exe
File created	C:\Windows\Migration\WTR\eddb19405b7ce1152b3e19997f2b467f0b72b3d3	FontDriverSessionintoRuntimenet.exe
File created	C:\Windows\setupact\sysmon.exe	FontDriverSessionintoRuntimenet.exe
File opened for modification	C:\Windows\setupact\sysmon.exe	FontDriverSessionintoRuntimenet.exe
File created	C:\Windows\setupact\121e5b5079f7c0e46d90f99b3864022518bbbda9	FontDriverSessionintoRuntimenet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4204 schtasks.exe
4548 schtasks.exe
3360 schtasks.exe
4644 schtasks.exe
3156 schtasks.exe

pid	process
4204	schtasks.exe
4548	schtasks.exe
3360	schtasks.exe
4644	schtasks.exe
3156	schtasks.exe

Modifies registry class 1 IoCs

Processes:

HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

FontDriverSessionintoRuntimenet.exefontdrvhost.exe

pid process

4476 FontDriverSessionintoRuntimenet.exe
4476 FontDriverSessionintoRuntimenet.exe
4476 FontDriverSessionintoRuntimenet.exe
4648 fontdrvhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

FontDriverSessionintoRuntimenet.exefontdrvhost.exe

description pid process

Token: SeDebugPrivilege 4476 FontDriverSessionintoRuntimenet.exe
Token: SeDebugPrivilege 4648 fontdrvhost.exe

pid	process
4476	FontDriverSessionintoRuntimenet.exe
4476	FontDriverSessionintoRuntimenet.exe
4476	FontDriverSessionintoRuntimenet.exe
4648	fontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	4476	FontDriverSessionintoRuntimenet.exe
Token: SeDebugPrivilege	4648	fontdrvhost.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exeWScript.execmd.exeFontDriverSessionintoRuntimenet.exe

description	pid	process	target process
PID 4412 wrote to memory of 1500	4412	HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe	WScript.exe
PID 4412 wrote to memory of 1500	4412	HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe	WScript.exe
PID 4412 wrote to memory of 1500	4412	HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe	WScript.exe
PID 1500 wrote to memory of 2372	1500	WScript.exe	cmd.exe
PID 1500 wrote to memory of 2372	1500	WScript.exe	cmd.exe
PID 1500 wrote to memory of 2372	1500	WScript.exe	cmd.exe
PID 2372 wrote to memory of 4476	2372	cmd.exe	FontDriverSessionintoRuntimenet.exe
PID 2372 wrote to memory of 4476	2372	cmd.exe	FontDriverSessionintoRuntimenet.exe
PID 4476 wrote to memory of 4648	4476	FontDriverSessionintoRuntimenet.exe	fontdrvhost.exe
PID 4476 wrote to memory of 4648	4476	FontDriverSessionintoRuntimenet.exe	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.LightStone.gen-ea8525ed14b.exe"
1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\FontDriverSession\cPZCKnDLEbcUj6.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\FontDriverSession\eD4OHy4urtKXgDWHI7.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2372

C:\FontDriverSession\FontDriverSessionintoRuntimenet.exe
"C:\FontDriverSession\FontDriverSessionintoRuntimenet.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\System32\WPDSp\fontdrvhost.exe
"C:\Windows\System32\WPDSp\fontdrvhost.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\setupact\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\nlhtml\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\WPDSp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\FontDriverSession\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FontDriverSession\FontDriverSessionintoRuntimenet.exe
Filesize
1.1MB

MD5
0cf708a5d6a1798ad4044479830c15e9

SHA1
4f631e26309dd21716b465f962e69fdfa9b30727

SHA256
2a4fe636c4e72fe06ff8371024951b163954e5b1d35970eaf26540ffa332a7e5

SHA512
7385586c8ad62384bb0e66932e2e0d62afdc1ec357b8a97e71778557961c8939a055bed96382f8b3e89af41b7da37e9805471dce7ed2ed31fb25865c368e30dd

Download Submit
C:\FontDriverSession\FontDriverSessionintoRuntimenet.exe
Filesize
1.1MB

MD5
0cf708a5d6a1798ad4044479830c15e9

SHA1
4f631e26309dd21716b465f962e69fdfa9b30727

SHA256
2a4fe636c4e72fe06ff8371024951b163954e5b1d35970eaf26540ffa332a7e5

SHA512
7385586c8ad62384bb0e66932e2e0d62afdc1ec357b8a97e71778557961c8939a055bed96382f8b3e89af41b7da37e9805471dce7ed2ed31fb25865c368e30dd

Download Submit
C:\FontDriverSession\cPZCKnDLEbcUj6.vbe
Filesize
212B

MD5
208d2c7db202616f22fea0fde88b7440

SHA1
6bc69d8e5b730bd7f0665bc7f4e181b68af0914d

SHA256
bc958bcffdc07a6c0c86d91d1bfdfb2cbf6e552a6677ba6f89251620f3cb0b10

SHA512
84cde4d5b4c1285dc8afca4bd4a0a415417b47befe6b38ddb3b529b3142d8bb7c61ef4f6176d958931b5df663f43dd92f2385d957999e2e379bcb1820e75fa33

Download Submit
C:\FontDriverSession\eD4OHy4urtKXgDWHI7.bat
Filesize
58B

MD5
efd9703e54aad815ef609078225b11bd

SHA1
91471d48f477f0f8978cbee215f791ac37148274

SHA256
a9227a123265509b3d0ad51aa9cf6d8a091c86d8acaa922251351ee173ee7838

SHA512
3b4b002e0de1669cd0693a15f5d4653f5d3f6d16409c790066ca8d91e9658052e7182342034a8a6bbb539884c32005b58b9ce579f581753b3f682a4fce5996f5

Download Submit
C:\Windows\SysWOW64\nlhtml\cmd.exe
Filesize
1.1MB

MD5
0cf708a5d6a1798ad4044479830c15e9

SHA1
4f631e26309dd21716b465f962e69fdfa9b30727

SHA256
2a4fe636c4e72fe06ff8371024951b163954e5b1d35970eaf26540ffa332a7e5

SHA512
7385586c8ad62384bb0e66932e2e0d62afdc1ec357b8a97e71778557961c8939a055bed96382f8b3e89af41b7da37e9805471dce7ed2ed31fb25865c368e30dd

Download Submit
C:\Windows\System32\WPDSp\fontdrvhost.exe
Filesize
1.1MB

MD5
0cf708a5d6a1798ad4044479830c15e9

SHA1
4f631e26309dd21716b465f962e69fdfa9b30727

SHA256
2a4fe636c4e72fe06ff8371024951b163954e5b1d35970eaf26540ffa332a7e5

SHA512
7385586c8ad62384bb0e66932e2e0d62afdc1ec357b8a97e71778557961c8939a055bed96382f8b3e89af41b7da37e9805471dce7ed2ed31fb25865c368e30dd

Download Submit
C:\Windows\System32\WPDSp\fontdrvhost.exe
Filesize
1.1MB

MD5
0cf708a5d6a1798ad4044479830c15e9

SHA1
4f631e26309dd21716b465f962e69fdfa9b30727

SHA256
2a4fe636c4e72fe06ff8371024951b163954e5b1d35970eaf26540ffa332a7e5

SHA512
7385586c8ad62384bb0e66932e2e0d62afdc1ec357b8a97e71778557961c8939a055bed96382f8b3e89af41b7da37e9805471dce7ed2ed31fb25865c368e30dd

Download Submit
memory/4476-146-0x0000000000720000-0x000000000083A000-memory.dmp

Filesize
1.1MB

Download
memory/4476-147-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/4648-169-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads