dcrat | 883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90

General

Target

883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
Size

1.7MB
MD5

e8eb1ec9deb48f871d5f0041f5376efd
SHA1

f2db4c8ef8a5a39d1b7dd34c82b6efd4664b4531
SHA256

883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90
SHA512

6ee61fb70db05deb8921b250e198653ce5c9ba6da2e5f54290e82dfd4189aa82b9bdc422ad3a328ea6ce84315d0d0c9f2df061824c8952e36dd5169367caff9d
SSDEEP

24576:HcCAjahFqYIiOtKRoXCkX4rj69El3s1sJ:jAjgFiqvrWTs

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe

Executes dropped EXE 1 IoCs

pid	Process
8	backgroundTaskHost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\System32\wbem\MsDtcWmi\29c1c3cc0f76855c7e7456076a4ffc27e4947119	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\mscms\winlogon.exe	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\mscms\cc11b995f2a76da408ea6a601e682e64743153ad	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\iasrecst\RuntimeBroker.exe	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\iasrecst\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\System32\wbem\MsDtcWmi\unsecapp.exe	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File opened for modification	C:\Windows\System32\wbem\MsDtcWmi\unsecapp.exe	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\it-IT\backgroundTaskHost.exe	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
File created	C:\Windows\it-IT\eddb19405b7ce1152b3e19997f2b467f0b72b3d3	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3968	schtasks.exe
1436	schtasks.exe
5016	schtasks.exe
4488	schtasks.exe
4776	schtasks.exe
3900	schtasks.exe
4352	schtasks.exe
1844	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2316	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
8	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
Token: SeDebugPrivilege	8	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4352	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	88
PID 4604 wrote to memory of 4352	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	88
PID 4604 wrote to memory of 1844	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	90
PID 4604 wrote to memory of 1844	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	90
PID 4604 wrote to memory of 3968	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	92
PID 4604 wrote to memory of 3968	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	92
PID 4604 wrote to memory of 1436	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	94
PID 4604 wrote to memory of 1436	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	94
PID 4604 wrote to memory of 5016	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	96
PID 4604 wrote to memory of 5016	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	96
PID 4604 wrote to memory of 4488	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	98
PID 4604 wrote to memory of 4488	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	98
PID 4604 wrote to memory of 4776	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	100
PID 4604 wrote to memory of 4776	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	100
PID 4604 wrote to memory of 3900	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	102
PID 4604 wrote to memory of 3900	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	102
PID 4604 wrote to memory of 3244	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	104
PID 4604 wrote to memory of 3244	4604	883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe	104
PID 3244 wrote to memory of 3200	3244	cmd.exe	106
PID 3244 wrote to memory of 3200	3244	cmd.exe	106
PID 3244 wrote to memory of 2316	3244	cmd.exe	107
PID 3244 wrote to memory of 2316	3244	cmd.exe	107
PID 3244 wrote to memory of 8	3244	cmd.exe	108
PID 3244 wrote to memory of 8	3244	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe
"C:\Users\Admin\AppData\Local\Temp\883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\MsDtcWmi\unsecapp.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:4352
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\it-IT\backgroundTaskHost.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1844
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\PerfLogs\dwm.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:3968
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\mscms\winlogon.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1436
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\iasrecst\RuntimeBroker.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:5016
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:4488
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\backgroundTaskHost.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:4776
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:3900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Fr0Hbi110m.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3200
- - C:\Windows\system32\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:2316
- - C:\Users\Admin\NetHood\backgroundTaskHost.exe
    "C:\Users\Admin\NetHood\backgroundTaskHost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fr0Hbi110m.bat

Filesize
211B

MD5
117247fb83f4a7aebba3d7fa728ce03e

SHA1
3a1c0206580deb0b57a50aef03c11cfdc0ac3469

SHA256
f192ef0e2f63cabe210a4703d87438d81085e397d25146aeda5ebec61c1c4fe4

SHA512
7a85b58676d6a835fc05e1aa6fea2c2c0d99761856ef8b264ad1cfebb586e9487aabbc90ab2065a31ff82f11cce6f2ac5c2b5b36ca33f4e1a22f50020397a315

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\backgroundTaskHost.exe

Filesize
1.7MB

MD5
e8eb1ec9deb48f871d5f0041f5376efd

SHA1
f2db4c8ef8a5a39d1b7dd34c82b6efd4664b4531

SHA256
883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90

SHA512
6ee61fb70db05deb8921b250e198653ce5c9ba6da2e5f54290e82dfd4189aa82b9bdc422ad3a328ea6ce84315d0d0c9f2df061824c8952e36dd5169367caff9d

Download Submit
C:\Users\Admin\NetHood\backgroundTaskHost.exe

Filesize
1.7MB

MD5
e8eb1ec9deb48f871d5f0041f5376efd

SHA1
f2db4c8ef8a5a39d1b7dd34c82b6efd4664b4531

SHA256
883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90

SHA512
6ee61fb70db05deb8921b250e198653ce5c9ba6da2e5f54290e82dfd4189aa82b9bdc422ad3a328ea6ce84315d0d0c9f2df061824c8952e36dd5169367caff9d

Download Submit
C:\Windows\System32\iasrecst\RuntimeBroker.exe

Filesize
1.7MB

MD5
e8eb1ec9deb48f871d5f0041f5376efd

SHA1
f2db4c8ef8a5a39d1b7dd34c82b6efd4664b4531

SHA256
883e90cbf2b203e43bbd4dc84d1389f13876348269356b43028b2b94a27f3e90

SHA512
6ee61fb70db05deb8921b250e198653ce5c9ba6da2e5f54290e82dfd4189aa82b9bdc422ad3a328ea6ce84315d0d0c9f2df061824c8952e36dd5169367caff9d

Download Submit
memory/8-30-0x00007FFCD3A30000-0x00007FFCD44F1000-memory.dmp

Filesize
10.8MB

Download
memory/8-31-0x000000001BD30000-0x000000001BD40000-memory.dmp

Filesize
64KB

Download
memory/8-33-0x00007FFCD3A30000-0x00007FFCD44F1000-memory.dmp

Filesize
10.8MB

Download
memory/4604-0-0x00000000003F0000-0x000000000059A000-memory.dmp

Filesize
1.7MB

Download
memory/4604-1-0x00007FFCD3860000-0x00007FFCD4321000-memory.dmp

Filesize
10.8MB

Download
memory/4604-2-0x00000000025F0000-0x00000000025F6000-memory.dmp

Filesize
24KB

Download
memory/4604-3-0x000000001B140000-0x000000001B150000-memory.dmp

Filesize
64KB

Download
memory/4604-25-0x00007FFCD3860000-0x00007FFCD4321000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads