dcrat | f28cc0f1f1a0408490a39ab982477aa19dc7b199c599e9f9a89e62f2f423a24d

General

Target

080dea74b4e8c480a3dc1be07c13eeeb.exe
Size

1.4MB
MD5

080dea74b4e8c480a3dc1be07c13eeeb
SHA1

7ec15f32916c21efd92db1f52b1edc9c4e81df35
SHA256

f28cc0f1f1a0408490a39ab982477aa19dc7b199c599e9f9a89e62f2f423a24d
SHA512

52fe5f40fe8b46b17441c913e2abeedc597d9a8e5ebdfb7322ac5050785d9e8e69cc38b0a64b2e42d495f929ea49497427f719d6bcaf16b6ba5183f3d81af91e
SSDEEP

24576:wUesxbPoSf/0W4vVo6m+p2EFV0/hkAGmo+M5AMGlVrfelPMEeA6yy+4:pJ0W4vANaPmbM9wFeplZ7F

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1260	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1260	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1260	schtasks.exe	92

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4088-0-0x00000000001C0000-0x0000000000332000-memory.dmp	dcrat
behavioral2/files/0x000200000001e7e7-19.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	080dea74b4e8c480a3dc1be07c13eeeb.exe

Executes dropped EXE 1 IoCs

pid	Process
4648	SppExtComObj.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\win\\sysmon.exe\""	080dea74b4e8c480a3dc1be07c13eeeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\gpupdate\\SppExtComObj.exe\""	080dea74b4e8c480a3dc1be07c13eeeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\winlogon.exe\""	080dea74b4e8c480a3dc1be07c13eeeb.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\gpupdate\e1ef82546f0b02b7e974f28047f3788b1128cce1	080dea74b4e8c480a3dc1be07c13eeeb.exe
File created	C:\Windows\System32\gpupdate\SppExtComObj.exe	080dea74b4e8c480a3dc1be07c13eeeb.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\win\sysmon.exe	080dea74b4e8c480a3dc1be07c13eeeb.exe
File opened for modification	C:\Windows\win\sysmon.exe	080dea74b4e8c480a3dc1be07c13eeeb.exe
File created	C:\Windows\win\121e5b5079f7c0e46d90f99b3864022518bbbda9	080dea74b4e8c480a3dc1be07c13eeeb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1840	schtasks.exe
2104	schtasks.exe
2896	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	080dea74b4e8c480a3dc1be07c13eeeb.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4088	080dea74b4e8c480a3dc1be07c13eeeb.exe
4088	080dea74b4e8c480a3dc1be07c13eeeb.exe
4088	080dea74b4e8c480a3dc1be07c13eeeb.exe
4648	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4088	080dea74b4e8c480a3dc1be07c13eeeb.exe
Token: SeDebugPrivilege	4648	SppExtComObj.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 3992	4088	080dea74b4e8c480a3dc1be07c13eeeb.exe	98
PID 4088 wrote to memory of 3992	4088	080dea74b4e8c480a3dc1be07c13eeeb.exe	98
PID 3992 wrote to memory of 3576	3992	cmd.exe	100
PID 3992 wrote to memory of 3576	3992	cmd.exe	100
PID 3992 wrote to memory of 4968	3992	cmd.exe	101
PID 3992 wrote to memory of 4968	3992	cmd.exe	101
PID 3992 wrote to memory of 4648	3992	cmd.exe	102
PID 3992 wrote to memory of 4648	3992	cmd.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\080dea74b4e8c480a3dc1be07c13eeeb.exe
"C:\Users\Admin\AppData\Local\Temp\080dea74b4e8c480a3dc1be07c13eeeb.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tQX6o7kDL7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3576
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4968
- - C:\Windows\System32\gpupdate\SppExtComObj.exe
    "C:\Windows\System32\gpupdate\SppExtComObj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\win\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\gpupdate\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tQX6o7kDL7.bat

Filesize
261B

MD5
2e416d259ffce8e8aee4bf749f7f6ad7

SHA1
e0371c3bd887e23b01de3b6983f5667720addaa1

SHA256
99ec01c0c2d499f163eadcda34496371c6739ebd4ff95c2dbc4dcadb2cc181ad

SHA512
e678bfb255069aebe1a1db2b9b6bb4bb2acbff9fe835164bcd4ecaf0c5549ac665b73fbda9603982e6693a937051fff0cb7b7e068205c73f2b99c3ae62524df8

Download Submit
C:\Windows\System32\gpupdate\SppExtComObj.exe

Filesize
1.4MB

MD5
080dea74b4e8c480a3dc1be07c13eeeb

SHA1
7ec15f32916c21efd92db1f52b1edc9c4e81df35

SHA256
f28cc0f1f1a0408490a39ab982477aa19dc7b199c599e9f9a89e62f2f423a24d

SHA512
52fe5f40fe8b46b17441c913e2abeedc597d9a8e5ebdfb7322ac5050785d9e8e69cc38b0a64b2e42d495f929ea49497427f719d6bcaf16b6ba5183f3d81af91e

Download Submit
memory/4088-0-0x00000000001C0000-0x0000000000332000-memory.dmp

Filesize
1.4MB

Download
memory/4088-1-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

Filesize
10.8MB

Download
memory/4088-2-0x000000001AF40000-0x000000001AF50000-memory.dmp

Filesize
64KB

Download
memory/4088-7-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

Filesize
10.8MB

Download
memory/4088-16-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

Filesize
10.8MB

Download
memory/4648-24-0x0000000002660000-0x000000000266C000-memory.dmp

Filesize
48KB

Download
memory/4648-28-0x000000001AF90000-0x000000001AF98000-memory.dmp

Filesize
32KB

Download
memory/4648-23-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

Filesize
48KB

Download
memory/4648-21-0x00007FFAFE100000-0x00007FFAFEBC1000-memory.dmp

Filesize
10.8MB

Download
memory/4648-26-0x00000000027A0000-0x00000000027AA000-memory.dmp

Filesize
40KB

Download
memory/4648-25-0x0000000002670000-0x000000000267C000-memory.dmp

Filesize
48KB

Download
memory/4648-27-0x00000000027B0000-0x00000000027BE000-memory.dmp

Filesize
56KB

Download
memory/4648-22-0x000000001B040000-0x000000001B050000-memory.dmp

Filesize
64KB

Download
memory/4648-29-0x000000001AFA0000-0x000000001AFA8000-memory.dmp

Filesize
32KB

Download
memory/4648-30-0x000000001AFB0000-0x000000001AFB8000-memory.dmp

Filesize
32KB

Download
memory/4648-31-0x000000001AFC0000-0x000000001AFCE000-memory.dmp

Filesize
56KB

Download
memory/4648-32-0x000000001AFE0000-0x000000001AFE8000-memory.dmp

Filesize
32KB

Download
memory/4648-33-0x000000001AFF0000-0x000000001AFF8000-memory.dmp

Filesize
32KB

Download
memory/4648-35-0x00007FFAFE100000-0x00007FFAFEBC1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads