dcrat | 122f5fbdf16a82a90c358ec2e39933e8a5ef43d76cb4fd63ae68863023ecfa01

General

Target

27e28c0509f0685673ae9435e44f163f.exe
Size

929KB
MD5

27e28c0509f0685673ae9435e44f163f
SHA1

384c365e6ceff71f94038c19d6dd72451b128576
SHA256

122f5fbdf16a82a90c358ec2e39933e8a5ef43d76cb4fd63ae68863023ecfa01
SHA512

1cbd42612aee9f5cffb6a55155f397cb657d807955d26fec742041649c359b9c48acf128f0c7e4a866497854153f333e75d3bf613a6f52d7f0836ddbb295cb20
SSDEEP

12288:jpLIRXM1We9wDdtSF4j7nvLaMfUyciwQUXUtqRrjK2QSaDcy11wZPiAQqn4:CtUkqRrQH3wZW+4

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2940	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2940	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2940	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2940	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2940	schtasks.exe	28

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1936-54-0x0000000000F40000-0x0000000001030000-memory.dmp	dcrat
behavioral1/files/0x00060000000170ed-65.dat	dcrat
behavioral1/files/0x0006000000016d70-73.dat	dcrat
behavioral1/files/0x0006000000016d70-74.dat	dcrat
behavioral1/memory/2212-75-0x0000000000320000-0x0000000000410000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2212	spoolsv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\wiaservc\\winlogon.exe\""	27e28c0509f0685673ae9435e44f163f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\8ecc50a2-20ee-11ee-a805-d66763f08456\\spoolsv.exe\""	27e28c0509f0685673ae9435e44f163f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\mfc100enu\\lsm.exe\""	27e28c0509f0685673ae9435e44f163f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\sdautoplay\\taskhost.exe\""	27e28c0509f0685673ae9435e44f163f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\dfrgui\\dllhost.exe\""	27e28c0509f0685673ae9435e44f163f.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\mfc100enu\101b941d020240259ca4912829b53995ad543df6	27e28c0509f0685673ae9435e44f163f.exe
File created	C:\Windows\System32\sdautoplay\taskhost.exe	27e28c0509f0685673ae9435e44f163f.exe
File created	C:\Windows\System32\dfrgui\dllhost.exe	27e28c0509f0685673ae9435e44f163f.exe
File created	C:\Windows\System32\mfc100enu\lsm.exe	27e28c0509f0685673ae9435e44f163f.exe
File created	C:\Windows\System32\wiaservc\winlogon.exe	27e28c0509f0685673ae9435e44f163f.exe
File created	C:\Windows\System32\wiaservc\cc11b995f2a76da408ea6a601e682e64743153ad	27e28c0509f0685673ae9435e44f163f.exe
File opened for modification	C:\Windows\System32\sdautoplay\taskhost.exe	27e28c0509f0685673ae9435e44f163f.exe
File created	C:\Windows\System32\sdautoplay\b75386f1303e64d8139363b71e44ac16341adf4e	27e28c0509f0685673ae9435e44f163f.exe
File created	C:\Windows\System32\dfrgui\5940a34987c99120d96dace90a3f93f329dcad63	27e28c0509f0685673ae9435e44f163f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2708	schtasks.exe
2192	schtasks.exe
2756	schtasks.exe
2856	schtasks.exe
2908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1936	27e28c0509f0685673ae9435e44f163f.exe
1936	27e28c0509f0685673ae9435e44f163f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	27e28c0509f0685673ae9435e44f163f.exe
Token: SeDebugPrivilege	2212	spoolsv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2732	1936	27e28c0509f0685673ae9435e44f163f.exe	34
PID 1936 wrote to memory of 2732	1936	27e28c0509f0685673ae9435e44f163f.exe	34
PID 1936 wrote to memory of 2732	1936	27e28c0509f0685673ae9435e44f163f.exe	34
PID 2732 wrote to memory of 2424	2732	cmd.exe	36
PID 2732 wrote to memory of 2424	2732	cmd.exe	36
PID 2732 wrote to memory of 2424	2732	cmd.exe	36
PID 2732 wrote to memory of 2212	2732	cmd.exe	37
PID 2732 wrote to memory of 2212	2732	cmd.exe	37
PID 2732 wrote to memory of 2212	2732	cmd.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\27e28c0509f0685673ae9435e44f163f.exe
"C:\Users\Admin\AppData\Local\Temp\27e28c0509f0685673ae9435e44f163f.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PgmXFjlyiA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2424
- - C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\spoolsv.exe
    "C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\sdautoplay\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\dfrgui\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\wiaservc\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\mfc100enu\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\spoolsv.exe

Filesize
929KB

MD5
27e28c0509f0685673ae9435e44f163f

SHA1
384c365e6ceff71f94038c19d6dd72451b128576

SHA256
122f5fbdf16a82a90c358ec2e39933e8a5ef43d76cb4fd63ae68863023ecfa01

SHA512
1cbd42612aee9f5cffb6a55155f397cb657d807955d26fec742041649c359b9c48acf128f0c7e4a866497854153f333e75d3bf613a6f52d7f0836ddbb295cb20

Download Submit
C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\spoolsv.exe

Filesize
929KB

MD5
27e28c0509f0685673ae9435e44f163f

SHA1
384c365e6ceff71f94038c19d6dd72451b128576

SHA256
122f5fbdf16a82a90c358ec2e39933e8a5ef43d76cb4fd63ae68863023ecfa01

SHA512
1cbd42612aee9f5cffb6a55155f397cb657d807955d26fec742041649c359b9c48acf128f0c7e4a866497854153f333e75d3bf613a6f52d7f0836ddbb295cb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgmXFjlyiA.bat

Filesize
224B

MD5
29bc771452e5e5c0f214d6e1fac7fa2c

SHA1
7a20b1c52b45325f6944e50d2c39575b8d7edbb2

SHA256
4c562663819d8af75e68c84769cef2135f94d45ebe3564c05d16ba92e44ca993

SHA512
e79ba537ced79e9375f1b916de74861e0dc3ee54fa44fb9b0e6c460e39a35ba1f5407729c6596c27b28d536c8c935eb622819ea97133bc44dc87278975623138

Download Submit
C:\Windows\System32\mfc100enu\lsm.exe

Filesize
929KB

MD5
27e28c0509f0685673ae9435e44f163f

SHA1
384c365e6ceff71f94038c19d6dd72451b128576

SHA256
122f5fbdf16a82a90c358ec2e39933e8a5ef43d76cb4fd63ae68863023ecfa01

SHA512
1cbd42612aee9f5cffb6a55155f397cb657d807955d26fec742041649c359b9c48acf128f0c7e4a866497854153f333e75d3bf613a6f52d7f0836ddbb295cb20

Download Submit
memory/1936-71-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/1936-54-0x0000000000F40000-0x0000000001030000-memory.dmp

Filesize
960KB

Download
memory/1936-56-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/1936-55-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/2212-75-0x0000000000320000-0x0000000000410000-memory.dmp

Filesize
960KB

Download
memory/2212-77-0x000000001A7B0000-0x000000001A830000-memory.dmp

Filesize
512KB

Download
memory/2212-76-0x000007FEF4BC0000-0x000007FEF55AC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-78-0x000007FEF4BC0000-0x000007FEF55AC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-79-0x000000001A7B0000-0x000000001A830000-memory.dmp

Filesize
512KB

Download
memory/2212-80-0x000007FEF4BC0000-0x000007FEF55AC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads