dcrat | 1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959

General

Target

1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959_JC.exe
Size

835KB
MD5

1308739121acb9f2f8f80687a438e13e
SHA1

095d65be6685f6551a11c76bd32cc5819d5aeceb
SHA256

1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959
SHA512

cb2f8221dfdecb7a6845392a85da9347255c04996a5390f58a8270df23e936b744954dee56273f300d0da6c15bba9b9b4407be0ccd2e0c5e6b0d4c04db394bdb
SSDEEP

12288:Dg59YDJ/FtciLWSsZ/YKL3xnDDukBiEOyDiev:MA9/FJLWSsZ/YKmmigi2

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	4920	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	4920	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	4920	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	4920	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	4920	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	4920	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	4920	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	4920	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	4920	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4920	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	4920	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	4920	schtasks.exe	78

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1740-0-0x00000000007E0000-0x00000000008B8000-memory.dmp	dcrat
behavioral2/files/0x0007000000023159-11.dat	dcrat
behavioral2/files/0x0007000000023159-19.dat	dcrat
behavioral2/files/0x0007000000023159-20.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation	1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
4252	taskhostw.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\ja-JP\unsecapp.exe	1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959_JC.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\29c1c3cc0f7685	1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\PrintDialog\en-US\sppsvc.exe	1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3404	schtasks.exe
3352	schtasks.exe
764	schtasks.exe
4848	schtasks.exe
4668	schtasks.exe
4912	schtasks.exe
876	schtasks.exe
1744	schtasks.exe
4608	schtasks.exe
4100	schtasks.exe
2516	schtasks.exe
2540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1740	1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959_JC.exe
1740	1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959_JC.exe
1740	1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959_JC.exe
4252	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959_JC.exe
Token: SeDebugPrivilege	4252	taskhostw.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 4252	1740	1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959_JC.exe	91
PID 1740 wrote to memory of 4252	1740	1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959_JC.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959_JC.exe
"C:\Users\Admin\AppData\Local\Temp\1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959_JC.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Recovery\WindowsRE\taskhostw.exe
  "C:\Recovery\WindowsRE\taskhostw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\odt\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\taskhostw.exe

Filesize
835KB

MD5
1308739121acb9f2f8f80687a438e13e

SHA1
095d65be6685f6551a11c76bd32cc5819d5aeceb

SHA256
1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959

SHA512
cb2f8221dfdecb7a6845392a85da9347255c04996a5390f58a8270df23e936b744954dee56273f300d0da6c15bba9b9b4407be0ccd2e0c5e6b0d4c04db394bdb

Download Submit
C:\Recovery\WindowsRE\taskhostw.exe

Filesize
835KB

MD5
1308739121acb9f2f8f80687a438e13e

SHA1
095d65be6685f6551a11c76bd32cc5819d5aeceb

SHA256
1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959

SHA512
cb2f8221dfdecb7a6845392a85da9347255c04996a5390f58a8270df23e936b744954dee56273f300d0da6c15bba9b9b4407be0ccd2e0c5e6b0d4c04db394bdb

Download Submit
C:\Recovery\WindowsRE\taskhostw.exe

Filesize
835KB

MD5
1308739121acb9f2f8f80687a438e13e

SHA1
095d65be6685f6551a11c76bd32cc5819d5aeceb

SHA256
1b5d9120901b2fa972a959a82c97c8d3df7f53792ab623f63998a6a61d257959

SHA512
cb2f8221dfdecb7a6845392a85da9347255c04996a5390f58a8270df23e936b744954dee56273f300d0da6c15bba9b9b4407be0ccd2e0c5e6b0d4c04db394bdb

Download Submit
memory/1740-0-0x00000000007E0000-0x00000000008B8000-memory.dmp

Filesize
864KB

Download
memory/1740-1-0x00007FFBD15E0000-0x00007FFBD20A1000-memory.dmp

Filesize
10.8MB

Download
memory/1740-2-0x000000001B5E0000-0x000000001B5F0000-memory.dmp

Filesize
64KB

Download
memory/1740-22-0x00007FFBD15E0000-0x00007FFBD20A1000-memory.dmp

Filesize
10.8MB

Download
memory/4252-23-0x00007FFBD15E0000-0x00007FFBD20A1000-memory.dmp

Filesize
10.8MB

Download
memory/4252-24-0x000000001B470000-0x000000001B480000-memory.dmp

Filesize
64KB

Download
memory/4252-26-0x00007FFBD15E0000-0x00007FFBD20A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads