dcrat | 774d6ff191fc9d519c07a9ad05e8019d5cf4e0b8961d26fe1d98f69c89516c56

General

Target

b1e591dc4fa5b6071d9e44760b5dd5d8.exe
Size

1.6MB
MD5

b1e591dc4fa5b6071d9e44760b5dd5d8
SHA1

bfe9909abcacf41e08a8ab59904c0578987c8add
SHA256

774d6ff191fc9d519c07a9ad05e8019d5cf4e0b8961d26fe1d98f69c89516c56
SHA512

f0fd1548d6227bec6ead6f2ec9a3ae5bd1bcb67ab1191cb3eddd97cde74249b4e89a460586a22159f67a31a6e142478f859b9cbf75277278b3c3d810c103c16e
SSDEEP

24576:u2G/nvxW3WieC0zj09QbSqUXJ/mypGc4b0hoc4D9dX1ri36WSmwVZXQxmiHn9vo+:ubA3j0zo9QYnpbZCdXRi36AwVN+n9vo+

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	3168	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	3168	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	3168	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	3168	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	3168	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	3168	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	3168	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3168	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	3168	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	3168	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3168	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	3168	schtasks.exe	91

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023132-10.dat	dcrat
behavioral2/files/0x0008000000023132-11.dat	dcrat
behavioral2/memory/4608-12-0x0000000000270000-0x00000000003C2000-memory.dmp	dcrat
behavioral2/files/0x000700000002320f-19.dat	dcrat
behavioral2/files/0x0006000000023217-32.dat	dcrat
behavioral2/files/0x0006000000023217-34.dat	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation	b1e591dc4fa5b6071d9e44760b5dd5d8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation	Blocksaves.exe

Executes dropped EXE 2 IoCs

pid	Process
4608	Blocksaves.exe
264	RuntimeBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9	Blocksaves.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe	Blocksaves.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\886983d96e3d3e	Blocksaves.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Blocksaves.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\security\cap\dllhost.exe	Blocksaves.exe
File opened for modification	C:\Windows\security\cap\dllhost.exe	Blocksaves.exe
File created	C:\Windows\security\cap\5940a34987c991	Blocksaves.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1508	schtasks.exe
2180	schtasks.exe
3596	schtasks.exe
4328	schtasks.exe
2560	schtasks.exe
4948	schtasks.exe
4628	schtasks.exe
1748	schtasks.exe
2220	schtasks.exe
1948	schtasks.exe
1068	schtasks.exe
1904	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000_Classes\Local Settings	Blocksaves.exe
Key created	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000_Classes\Local Settings	b1e591dc4fa5b6071d9e44760b5dd5d8.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4608	Blocksaves.exe
4608	Blocksaves.exe
4608	Blocksaves.exe
264	RuntimeBroker.exe
264	RuntimeBroker.exe
264	RuntimeBroker.exe
264	RuntimeBroker.exe
264	RuntimeBroker.exe
264	RuntimeBroker.exe
264	RuntimeBroker.exe
264	RuntimeBroker.exe
264	RuntimeBroker.exe
264	RuntimeBroker.exe
264	RuntimeBroker.exe
264	RuntimeBroker.exe
264	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
264	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	Blocksaves.exe
Token: SeDebugPrivilege	264	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 2236	224	b1e591dc4fa5b6071d9e44760b5dd5d8.exe	85
PID 224 wrote to memory of 2236	224	b1e591dc4fa5b6071d9e44760b5dd5d8.exe	85
PID 224 wrote to memory of 2236	224	b1e591dc4fa5b6071d9e44760b5dd5d8.exe	85
PID 2236 wrote to memory of 3644	2236	WScript.exe	87
PID 2236 wrote to memory of 3644	2236	WScript.exe	87
PID 2236 wrote to memory of 3644	2236	WScript.exe	87
PID 3644 wrote to memory of 4608	3644	cmd.exe	89
PID 3644 wrote to memory of 4608	3644	cmd.exe	89
PID 4608 wrote to memory of 3864	4608	Blocksaves.exe	105
PID 4608 wrote to memory of 3864	4608	Blocksaves.exe	105
PID 3864 wrote to memory of 4392	3864	cmd.exe	106
PID 3864 wrote to memory of 4392	3864	cmd.exe	106
PID 3864 wrote to memory of 264	3864	cmd.exe	107
PID 3864 wrote to memory of 264	3864	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b1e591dc4fa5b6071d9e44760b5dd5d8.exe
"C:\Users\Admin\AppData\Local\Temp\b1e591dc4fa5b6071d9e44760b5dd5d8.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\msProviderWebRuntimebroker\06ie3qFeFZFFjrf0Xu6tbSu.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\msProviderWebRuntimebroker\tLvSU5.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\msProviderWebRuntimebroker\Blocksaves.exe
      "C:\msProviderWebRuntimebroker\Blocksaves.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Is2kJsH8PC.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3864
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4392
      - C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe
        
        "C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\security\cap\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\security\cap\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\security\cap\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe

Filesize
1.3MB

MD5
0f8046ac2495dcf3e288002921e0535d

SHA1
e838e674b1bf232d6b4305973b012fa467537353

SHA256
eb86d51548fc3d90e2d566107f6ca429365efd4c1f5a1b239c28cd6763430276

SHA512
de355d6247dc733c4dc643815ffb2c3e1f602ec54faf2d54ac941f2fa9f22b21445fa1bc22113ce6040db04e024cf3cfc0119ab6d597f1bb0c435bb6671e777d

Download Submit
C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe

Filesize
1.3MB

MD5
0f8046ac2495dcf3e288002921e0535d

SHA1
e838e674b1bf232d6b4305973b012fa467537353

SHA256
eb86d51548fc3d90e2d566107f6ca429365efd4c1f5a1b239c28cd6763430276

SHA512
de355d6247dc733c4dc643815ffb2c3e1f602ec54faf2d54ac941f2fa9f22b21445fa1bc22113ce6040db04e024cf3cfc0119ab6d597f1bb0c435bb6671e777d

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.3MB

MD5
0f8046ac2495dcf3e288002921e0535d

SHA1
e838e674b1bf232d6b4305973b012fa467537353

SHA256
eb86d51548fc3d90e2d566107f6ca429365efd4c1f5a1b239c28cd6763430276

SHA512
de355d6247dc733c4dc643815ffb2c3e1f602ec54faf2d54ac941f2fa9f22b21445fa1bc22113ce6040db04e024cf3cfc0119ab6d597f1bb0c435bb6671e777d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Is2kJsH8PC.bat

Filesize
230B

MD5
17d170df4c63eccd01c27470ba5da23d

SHA1
7a7746ddb1bf42b6673b92fb1317cd2d14e54e94

SHA256
349ff8b4679384264da8f3c26cd4a2bed1a7e04dd672a3c14b739e52c1910687

SHA512
3e9b3926034f1f4ce718f462ef24ce0f80ac12436919526e9c61caf416e72186e2ec5c7e9761e8a974ed5ea61b962ff899815dbb9b3454a514d4e293bdb6e614

Download Submit
C:\msProviderWebRuntimebroker\06ie3qFeFZFFjrf0Xu6tbSu.vbe

Filesize
209B

MD5
1a33de1f09da3da0d3fa63f5728a2ce4

SHA1
e233d890f8e7836273c010b2b14ee9ca7849c403

SHA256
c1c35d7e74a317662755a0cbfcc7533ecc81b20a6c3cb9cf1a6e14e0788f03c0

SHA512
2789ea0a9bed5ce98b03cf729d79d469a7cb41fde248f5239fa81e09c2462510dd04ea89a90a8b4e8a684dd3efd18ef3d5a90224414ace3eb9ecd8c6015a4009

Download Submit
C:\msProviderWebRuntimebroker\Blocksaves.exe

Filesize
1.3MB

MD5
0f8046ac2495dcf3e288002921e0535d

SHA1
e838e674b1bf232d6b4305973b012fa467537353

SHA256
eb86d51548fc3d90e2d566107f6ca429365efd4c1f5a1b239c28cd6763430276

SHA512
de355d6247dc733c4dc643815ffb2c3e1f602ec54faf2d54ac941f2fa9f22b21445fa1bc22113ce6040db04e024cf3cfc0119ab6d597f1bb0c435bb6671e777d

Download Submit
C:\msProviderWebRuntimebroker\Blocksaves.exe

Filesize
1.3MB

MD5
0f8046ac2495dcf3e288002921e0535d

SHA1
e838e674b1bf232d6b4305973b012fa467537353

SHA256
eb86d51548fc3d90e2d566107f6ca429365efd4c1f5a1b239c28cd6763430276

SHA512
de355d6247dc733c4dc643815ffb2c3e1f602ec54faf2d54ac941f2fa9f22b21445fa1bc22113ce6040db04e024cf3cfc0119ab6d597f1bb0c435bb6671e777d

Download Submit
C:\msProviderWebRuntimebroker\tLvSU5.bat

Filesize
46B

MD5
3cddef7b59c78d7cde8c2e3ae8ad264e

SHA1
15123a72f75f6b7ee6483656191c1d6c7693a8a0

SHA256
bb902de2e042081666ee8214d744a8f659f709eda12075cfd93b09a80a61d847

SHA512
ccf89cb3ae833021ae4cf6af4619afe187c7731908134170e2289761933b833fbaf430624227d0e3f2df69c070a1eb4dfb78a1d2ea3f9f1b5162e89ecc7af1ba

Download Submit
memory/264-74-0x00007FFC153E0000-0x00007FFC15EA1000-memory.dmp

Filesize
10.8MB

Download
memory/264-35-0x00007FFC153E0000-0x00007FFC15EA1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-12-0x0000000000270000-0x00000000003C2000-memory.dmp

Filesize
1.3MB

Download
memory/4608-30-0x00007FFC153E0000-0x00007FFC15EA1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-16-0x000000001BC80000-0x000000001C1A8000-memory.dmp

Filesize
5.2MB

Download
memory/4608-15-0x000000001B5A0000-0x000000001B5F0000-memory.dmp

Filesize
320KB

Download
memory/4608-14-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/4608-13-0x00007FFC153E0000-0x00007FFC15EA1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads