dcrat | d9bed95674d8f25aba2b84067e0691d254c86d686a4ec42dec119a8a2b006c98

General

Target

file.exe
Size

1.1MB
MD5

06eae25115858e2475c1bab16bae9585
SHA1

657cdc54121fa9baaae7cc944ed935e1eddf4ebc
SHA256

d9bed95674d8f25aba2b84067e0691d254c86d686a4ec42dec119a8a2b006c98
SHA512

2ad4ccbbf950dac84d2353b9d59e8d59415ec3f9bef1d226270ebc4f416489dc6c39b5c4725dd10316b2cbc6adc8bef3e7db8e430ed581444857db8e0d0c53d1
SSDEEP

12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbiYS3HzuWTEv3L9aCcyYiqlbl117n1k4Rq5zs:U2G/nvxW3Ww0t03THqRaCQJThLis

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	4332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	4332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	4332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	4332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	4332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	4332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	4332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	4332	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4332	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providerwindriverHostDll\comNet.exe	dcrat
C:\providerwindriverHostDll\comNet.exe	dcrat
behavioral2/memory/3040-145-0x0000000000610000-0x00000000006E6000-memory.dmp	dcrat
C:\Users\Default\SearchApp.exe	dcrat
C:\Users\Default User\SearchApp.exe	dcrat
C:\Users\Default\SearchApp.exe	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exeWScript.execomNet.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	comNet.exe

Executes dropped EXE 2 IoCs

Processes:

comNet.exeSearchApp.exe

pid process

3040 comNet.exe
1892 SearchApp.exe

Drops file in Program Files directory 3 IoCs

Processes:

comNet.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\dllhost.exe	comNet.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\dllhost.exe	comNet.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\5940a34987c991	comNet.exe

Drops file in Windows directory 2 IoCs

Processes:

comNet.exe

description ioc process

File created C:\Windows\PLA\Templates\unsecapp.exe comNet.exe
File created C:\Windows\PLA\Templates\29c1c3cc0f7685 comNet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\PLA\Templates\unsecapp.exe	comNet.exe
File created	C:\Windows\PLA\Templates\29c1c3cc0f7685	comNet.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3396	schtasks.exe
2732	schtasks.exe
1764	schtasks.exe
4288	schtasks.exe
3732	schtasks.exe
3500	schtasks.exe
3064	schtasks.exe
4428	schtasks.exe
4648	schtasks.exe
3676	schtasks.exe
4192	schtasks.exe
3972	schtasks.exe

Modifies registry class 1 IoCs

Processes:

file.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings file.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	file.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

comNet.exeSearchApp.exe

pid	process
3040	comNet.exe
1892	SearchApp.exe
1892	SearchApp.exe
1892	SearchApp.exe
1892	SearchApp.exe
1892	SearchApp.exe
1892	SearchApp.exe
1892	SearchApp.exe
1892	SearchApp.exe
1892	SearchApp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SearchApp.exe

pid process

1892 SearchApp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

comNet.exeSearchApp.exe

description pid process

Token: SeDebugPrivilege 3040 comNet.exe
Token: SeDebugPrivilege 1892 SearchApp.exe

pid	process
1892	SearchApp.exe

description	pid	process
Token: SeDebugPrivilege	3040	comNet.exe
Token: SeDebugPrivilege	1892	SearchApp.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

file.exeWScript.execmd.execomNet.exe

description	pid	process	target process
PID 1684 wrote to memory of 2296	1684	file.exe	WScript.exe
PID 1684 wrote to memory of 2296	1684	file.exe	WScript.exe
PID 1684 wrote to memory of 2296	1684	file.exe	WScript.exe
PID 2296 wrote to memory of 2044	2296	WScript.exe	cmd.exe
PID 2296 wrote to memory of 2044	2296	WScript.exe	cmd.exe
PID 2296 wrote to memory of 2044	2296	WScript.exe	cmd.exe
PID 2044 wrote to memory of 3040	2044	cmd.exe	comNet.exe
PID 2044 wrote to memory of 3040	2044	cmd.exe	comNet.exe
PID 3040 wrote to memory of 1892	3040	comNet.exe	SearchApp.exe
PID 3040 wrote to memory of 1892	3040	comNet.exe	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providerwindriverHostDll\eQhltUTnqbyYIJBHh.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providerwindriverHostDll\5O0IdEW060cxJkvUmnX.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\providerwindriverHostDll\comNet.exe
"C:\providerwindriverHostDll\comNet.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Default User\SearchApp.exe
"C:\Users\Default User\SearchApp.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\Templates\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Templates\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default User\SearchApp.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\Users\Default\SearchApp.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\Users\Default\SearchApp.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\providerwindriverHostDll\5O0IdEW060cxJkvUmnX.bat
Filesize
40B

MD5
b7f686a12452b0e946a2b35746aa85d8

SHA1
3637b428ac91dd8e93259eb32e9fd8d1f43825f5

SHA256
91a97a0a5785891a0c5c68a17625dbd99324eb363f0c13707f9ba9be9417253f

SHA512
e70765edac455c33ac137ae6b3e67db616fcbbfe82298b5bbd59dc5179126ecc015fe4c18e9a0bd668da826d2cd4d2e3276dab7ed0331db7892795d6221c4ba8

Download Submit
C:\providerwindriverHostDll\comNet.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\providerwindriverHostDll\comNet.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\providerwindriverHostDll\eQhltUTnqbyYIJBHh.vbe
Filesize
220B

MD5
175e0c8fb6f8d79de10516a3c70b8bd4

SHA1
c46ecb7f245a26cc06f9c227b75cb0e51fa5a922

SHA256
c2d8a00d704a88597d0d1a31b06965713efbf55a6ec68e567fccd4e0ad236079

SHA512
d2895a6260801876bac10b885e137bb3a1a62972d55660e45829aeafc76d25baa8af7857eb2a3d7245ee58404699278e24db4fe7e498f465e294b42578c60926

Download Submit
memory/1892-167-0x000000001B140000-0x000000001B150000-memory.dmp

Filesize
64KB

Download
memory/1892-168-0x000000001B140000-0x000000001B150000-memory.dmp

Filesize
64KB

Download
memory/3040-145-0x0000000000610000-0x00000000006E6000-memory.dmp

Filesize
856KB

Download
memory/3040-154-0x000000001B320000-0x000000001B330000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads