dcrat | 5c445f99c3c151573f373b65e070381d96df9260169433a01e7a7fab04ad88fe

General

Target

b067ce756638b4266dc38d81abb68af2.exe
Size

1.9MB
MD5

b067ce756638b4266dc38d81abb68af2
SHA1

a5dfa0b07ddc85b5bf3ab0a1027bb6fef3470f37
SHA256

5c445f99c3c151573f373b65e070381d96df9260169433a01e7a7fab04ad88fe
SHA512

3f49947ee3b8436a09a027496cd5e6a0ff0ae56f811d74e17b2f166f4da5cfddbf9a8d33926c8a4c228edbe53d05b6bcd1507aba064a56e31e688d91b4d677ed
SSDEEP

49152:qcbzAoVVRaWf4aEqGaU5XBkvRdLtkdbW0qmxKghiX:qcbx9dtxu5arZkdX1K

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	4524	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	4524	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	4524	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	4524	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	4524	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	4524	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	4524	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	4524	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	4524	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4524	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4524	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4524	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	4524	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	4524	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4524	schtasks.exe	93

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4268-23-0x00000000000F0000-0x000000000052E000-memory.dmp	dcrat
behavioral2/memory/3160-55-0x0000000000CA0000-0x00000000010DE000-memory.dmp	dcrat
behavioral2/memory/3160-57-0x0000000000CA0000-0x00000000010DE000-memory.dmp	dcrat
behavioral2/memory/4268-60-0x00000000000F0000-0x000000000052E000-memory.dmp	dcrat
behavioral2/memory/3160-68-0x0000000000CA0000-0x00000000010DE000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	b067ce756638b4266dc38d81abb68af2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	portwebhost_protected.exe

Executes dropped EXE 3 IoCs

pid	Process
3252	1.exe
4268	portwebhost_protected.exe
3160	services.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4268	portwebhost_protected.exe
4268	portwebhost_protected.exe
4268	portwebhost_protected.exe
4268	portwebhost_protected.exe
3160	services.exe
3160	services.exe
3160	services.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\PackageManifests\dllhost.exe	portwebhost_protected.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\5940a34987c991	portwebhost_protected.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\sppsvc.exe	portwebhost_protected.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\0a1fd5f707cd16	portwebhost_protected.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\backgroundTaskHost.exe	portwebhost_protected.exe
File opened for modification	C:\Windows\fr-FR\backgroundTaskHost.exe	portwebhost_protected.exe
File created	C:\Windows\fr-FR\eddb19405b7ce1	portwebhost_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2376	schtasks.exe
3408	schtasks.exe
4656	schtasks.exe
5056	schtasks.exe
2104	schtasks.exe
652	schtasks.exe
452	schtasks.exe
4560	schtasks.exe
2212	schtasks.exe
1240	schtasks.exe
3732	schtasks.exe
4384	schtasks.exe
4992	schtasks.exe
2908	schtasks.exe
3792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4268	portwebhost_protected.exe
4268	portwebhost_protected.exe
4268	portwebhost_protected.exe
4268	portwebhost_protected.exe
4268	portwebhost_protected.exe
4268	portwebhost_protected.exe
4268	portwebhost_protected.exe
4268	portwebhost_protected.exe
4268	portwebhost_protected.exe
3160	services.exe
3160	services.exe
3160	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	portwebhost_protected.exe
Token: SeDebugPrivilege	3160	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4268	portwebhost_protected.exe
3160	services.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 628	840	b067ce756638b4266dc38d81abb68af2.exe	90
PID 840 wrote to memory of 628	840	b067ce756638b4266dc38d81abb68af2.exe	90
PID 840 wrote to memory of 628	840	b067ce756638b4266dc38d81abb68af2.exe	90
PID 628 wrote to memory of 3252	628	cmd.exe	94
PID 628 wrote to memory of 3252	628	cmd.exe	94
PID 628 wrote to memory of 3252	628	cmd.exe	94
PID 3252 wrote to memory of 4268	3252	1.exe	95
PID 3252 wrote to memory of 4268	3252	1.exe	95
PID 3252 wrote to memory of 4268	3252	1.exe	95
PID 4268 wrote to memory of 3160	4268	portwebhost_protected.exe	117
PID 4268 wrote to memory of 3160	4268	portwebhost_protected.exe	117
PID 4268 wrote to memory of 3160	4268	portwebhost_protected.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b067ce756638b4266dc38d81abb68af2.exe
"C:\Users\Admin\AppData\Local\Temp\b067ce756638b4266dc38d81abb68af2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    1.exe -pOIUTRGROID8IRGD7GD6UG
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\portwebhost_protected.exe
      "C:\Users\Admin\AppData\Local\Temp\portwebhost_protected.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\odt\services.exe
        
        "C:\odt\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\PackageManifests\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
46B

MD5
485b1f288e5f5e8cf3765a001ad83b90

SHA1
c7df06ea8734b550d90f810d84fd8a54c2fedaee

SHA256
0267d5b9766a69fc65b9cb2ae5945bc5d42e85d9f155c8f4a15786f27ca84e95

SHA512
95ccb456b58249f80fb6a5d0910bb7fd1c83734fac76be0479b238f05f7b5bfed1227656aef3287c956878d1dd6a9dceaea93b482de272aa5764088941700272

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
1.8MB

MD5
db26634068f2b0c596b1b029f1763792

SHA1
883814f09c8462194ea45991e9dbdc499da14709

SHA256
37b21ed3b707757ffe29f249a9a47c6729a8354ce9940c4d4a11b0bfb1d24f30

SHA512
1c3c7fa7db6dbaf8585eae46b57ea12d5e16ea02b22f499bff49275102f91f09a7ccffa58f9d6adddfc39512e0e3484925c152f799cd77a6ba1118b8fecb364a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
1.8MB

MD5
db26634068f2b0c596b1b029f1763792

SHA1
883814f09c8462194ea45991e9dbdc499da14709

SHA256
37b21ed3b707757ffe29f249a9a47c6729a8354ce9940c4d4a11b0bfb1d24f30

SHA512
1c3c7fa7db6dbaf8585eae46b57ea12d5e16ea02b22f499bff49275102f91f09a7ccffa58f9d6adddfc39512e0e3484925c152f799cd77a6ba1118b8fecb364a

Download Submit
C:\Users\Admin\AppData\Local\Temp\portwebhost_protected.exe

Filesize
1.5MB

MD5
f65cc7ac632006f36da65555ac55ce83

SHA1
59ab98b973cf37f5aa096b65677f282d24382e64

SHA256
f72ec7b3eaf3112713d6d77c7256a25d777d4794a0daa3b864855b68bbf40a5e

SHA512
4a10a9b8d1dba01a0dc284c8c3f6c396e3632931fa188c1c6b74dd92d46ab1958b8d09e621fc1461ace4e2ce84c7b9be4e3e6f006dc35647b39b668b02b47e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\portwebhost_protected.exe

Filesize
1.5MB

MD5
f65cc7ac632006f36da65555ac55ce83

SHA1
59ab98b973cf37f5aa096b65677f282d24382e64

SHA256
f72ec7b3eaf3112713d6d77c7256a25d777d4794a0daa3b864855b68bbf40a5e

SHA512
4a10a9b8d1dba01a0dc284c8c3f6c396e3632931fa188c1c6b74dd92d46ab1958b8d09e621fc1461ace4e2ce84c7b9be4e3e6f006dc35647b39b668b02b47e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\portwebhost_protected.exe

Filesize
1.5MB

MD5
f65cc7ac632006f36da65555ac55ce83

SHA1
59ab98b973cf37f5aa096b65677f282d24382e64

SHA256
f72ec7b3eaf3112713d6d77c7256a25d777d4794a0daa3b864855b68bbf40a5e

SHA512
4a10a9b8d1dba01a0dc284c8c3f6c396e3632931fa188c1c6b74dd92d46ab1958b8d09e621fc1461ace4e2ce84c7b9be4e3e6f006dc35647b39b668b02b47e31

Download Submit
C:\odt\services.exe

Filesize
1.5MB

MD5
f65cc7ac632006f36da65555ac55ce83

SHA1
59ab98b973cf37f5aa096b65677f282d24382e64

SHA256
f72ec7b3eaf3112713d6d77c7256a25d777d4794a0daa3b864855b68bbf40a5e

SHA512
4a10a9b8d1dba01a0dc284c8c3f6c396e3632931fa188c1c6b74dd92d46ab1958b8d09e621fc1461ace4e2ce84c7b9be4e3e6f006dc35647b39b668b02b47e31

Download Submit
C:\odt\services.exe

Filesize
1.5MB

MD5
f65cc7ac632006f36da65555ac55ce83

SHA1
59ab98b973cf37f5aa096b65677f282d24382e64

SHA256
f72ec7b3eaf3112713d6d77c7256a25d777d4794a0daa3b864855b68bbf40a5e

SHA512
4a10a9b8d1dba01a0dc284c8c3f6c396e3632931fa188c1c6b74dd92d46ab1958b8d09e621fc1461ace4e2ce84c7b9be4e3e6f006dc35647b39b668b02b47e31

Download Submit
memory/3160-68-0x0000000000CA0000-0x00000000010DE000-memory.dmp

Filesize
4.2MB

Download
memory/3160-64-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/3160-63-0x0000000000CA0000-0x00000000010DE000-memory.dmp

Filesize
4.2MB

Download
memory/3160-57-0x0000000000CA0000-0x00000000010DE000-memory.dmp

Filesize
4.2MB

Download
memory/3160-56-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/3160-55-0x0000000000CA0000-0x00000000010DE000-memory.dmp

Filesize
4.2MB

Download
memory/3160-53-0x0000000000CA0000-0x00000000010DE000-memory.dmp

Filesize
4.2MB

Download
memory/3160-69-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/4268-22-0x00000000000F0000-0x000000000052E000-memory.dmp

Filesize
4.2MB

Download
memory/4268-35-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/4268-34-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/4268-31-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/4268-27-0x00000000000F0000-0x000000000052E000-memory.dmp

Filesize
4.2MB

Download
memory/4268-60-0x00000000000F0000-0x000000000052E000-memory.dmp

Filesize
4.2MB

Download
memory/4268-61-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/4268-26-0x00000000061C0000-0x0000000006764000-memory.dmp

Filesize
5.6MB

Download
memory/4268-25-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/4268-24-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/4268-23-0x00000000000F0000-0x000000000052E000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads