dcrat | eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a

General

Target

tmp.exe
Size

1.6MB
MD5

cd4ee1a7a160a3c103e775ec9136f10a
SHA1

53bedd6edbba3e0a56268362b3451e9a1fdc1627
SHA256

eb058bb526ec0e8b9d477425af771f9c13dd68ed6a120ac19d8920403253326a
SHA512

220101710ac33527532d1b1c153ce8bd477b3b7a282fbb1a5e3139b8cd5f064fee305ef16b77b228970ce31cc378c3e9cdb57def29f36b978a4ba7f362db5d59
SSDEEP

24576:T2G/nvxW3WjfexVOsf1916TKXVF6A/fIreiReAqzEqB+qLzqb3nxBzP4U1xg:TbA3Gn6L9QeVAqzEqPOFBzPXu

Score

10^/10

dcrat evasion infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	4972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	4972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	4972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	4972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	4972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	4972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	4972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4972	schtasks.exe	87

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0006000000023083-148.dat	dcrat
behavioral2/files/0x0006000000023083-149.dat	dcrat
behavioral2/memory/1928-150-0x00000000009F0000-0x0000000000B42000-memory.dmp	dcrat
behavioral2/files/0x000600000002308f-157.dat	dcrat
behavioral2/files/0x0006000000023093-169.dat	dcrat
behavioral2/files/0x0006000000023093-170.dat	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
1928	BlockPerfmonitor.exe
3524	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Modules\3e293e4792983b	BlockPerfmonitor.exe
File created	C:\Program Files\WindowsPowerShell\Modules\BlockPerfmonitor.exe	BlockPerfmonitor.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\BlockPerfmonitor.exe	BlockPerfmonitor.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CbsTemp\spoolsv.exe	BlockPerfmonitor.exe
File created	C:\Windows\CbsTemp\f3b6ecef712a24	BlockPerfmonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3848	schtasks.exe
3964	schtasks.exe
4008	schtasks.exe
4056	schtasks.exe
3936	schtasks.exe
1680	schtasks.exe
2152	schtasks.exe
1016	schtasks.exe
4736	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	tmp.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1248	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1928	BlockPerfmonitor.exe
3524	csrss.exe
3524	csrss.exe
3524	csrss.exe
3524	csrss.exe
3524	csrss.exe
3524	csrss.exe
3524	csrss.exe
3524	csrss.exe
3524	csrss.exe
3524	csrss.exe
3524	csrss.exe
3524	csrss.exe
3524	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3524	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	BlockPerfmonitor.exe
Token: SeDebugPrivilege	3524	csrss.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1436	1404	tmp.exe	81
PID 1404 wrote to memory of 1436	1404	tmp.exe	81
PID 1404 wrote to memory of 1436	1404	tmp.exe	81
PID 1404 wrote to memory of 2312	1404	tmp.exe	82
PID 1404 wrote to memory of 2312	1404	tmp.exe	82
PID 1404 wrote to memory of 2312	1404	tmp.exe	82
PID 1436 wrote to memory of 2608	1436	WScript.exe	89
PID 1436 wrote to memory of 2608	1436	WScript.exe	89
PID 1436 wrote to memory of 2608	1436	WScript.exe	89
PID 2608 wrote to memory of 1928	2608	cmd.exe	91
PID 2608 wrote to memory of 1928	2608	cmd.exe	91
PID 1928 wrote to memory of 3524	1928	BlockPerfmonitor.exe	103
PID 1928 wrote to memory of 3524	1928	BlockPerfmonitor.exe	103
PID 2608 wrote to memory of 1248	2608	cmd.exe	104
PID 2608 wrote to memory of 1248	2608	cmd.exe	104
PID 2608 wrote to memory of 1248	2608	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MscomSurrogatebrokerCrt\bCHfvnOhpBFuYP7qZ.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\MscomSurrogatebrokerCrt\zIFGDdD.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe
      "C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1248
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MscomSurrogatebrokerCrt\file.vbs"
  2⤵
  PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockPerfmonitorB" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\BlockPerfmonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockPerfmonitor" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\BlockPerfmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockPerfmonitorB" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\BlockPerfmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\CbsTemp\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\BlockPerfmonitor.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\MscomSurrogatebrokerCrt\bCHfvnOhpBFuYP7qZ.vbe

Filesize
207B

MD5
95ced681f6ed091e814560cfd6263b67

SHA1
5ce23afdddf770d7db461d949be98bafdad7927d

SHA256
acaf58fd6f360831e6af609791bea73077ffe1b976b28fd8d7640f2a63be783a

SHA512
d2ef86bd18da42befe83fa3e06857303f43c39cc9b1bd4a887f2839c948966a5f953b390a2c27733b60acf3a62191bcd8d41a513f36816ce268995362e997b91

Download Submit
C:\MscomSurrogatebrokerCrt\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\MscomSurrogatebrokerCrt\zIFGDdD.bat

Filesize
161B

MD5
ae30d28aebaf9f4d8e0f0a5322a49a9c

SHA1
99096c4cb201ebe50adf30ce7849fac2d424f634

SHA256
aeabc11a80ec4da62577d0e529009cbf15d5258ca5fb3f0bfcc07ca472699f8d

SHA512
234db49cb976a1487286efdc4d53964188bab6766d37ab0676a86c91c00e942c5ed98f4facc4d629b5efaa8f8b33bbc781675e148279bff81b0ac7c2c764caf5

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
C:\Windows\CbsTemp\spoolsv.exe

Filesize
1.3MB

MD5
8d9bb44ab073997b8a010e84a3689d67

SHA1
f2c56a1bc31106556f50f17d6ca807861c20e778

SHA256
dee537c42e982f63dd054631f3a34f12ad7bafc92ae2bfb23c21f209cee08048

SHA512
0b6cfd046e170413798f00ad21d91342209dd674c14cf618ebb3826bdea755ce77328ed4ffd969729502e3d75ea80bc2312a59f735dbe216aeb5c395886e0e52

Download Submit
memory/1928-152-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download
memory/1928-153-0x000000001BD00000-0x000000001BD50000-memory.dmp

Filesize
320KB

Download
memory/1928-154-0x000000001C3E0000-0x000000001C908000-memory.dmp

Filesize
5.2MB

Download
memory/1928-151-0x00007FFEEA040000-0x00007FFEEAB01000-memory.dmp

Filesize
10.8MB

Download
memory/1928-150-0x00000000009F0000-0x0000000000B42000-memory.dmp

Filesize
1.3MB

Download
memory/1928-173-0x00007FFEEA040000-0x00007FFEEAB01000-memory.dmp

Filesize
10.8MB

Download
memory/3524-172-0x00007FFEEA040000-0x00007FFEEAB01000-memory.dmp

Filesize
10.8MB

Download
memory/3524-174-0x00007FFEEA040000-0x00007FFEEAB01000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads