dcrat | 4759bca33d28b3cf7d62e9a85d64dc7bbe2acf4993bb702c7016381bee8a0a29

General

Target

2bac605e5583c13c10d4f1e0f0427c7e.exe
Size

1.6MB
MD5

2bac605e5583c13c10d4f1e0f0427c7e
SHA1

5cf030f522cfa4323026a65a1b92bb0df5189960
SHA256

4759bca33d28b3cf7d62e9a85d64dc7bbe2acf4993bb702c7016381bee8a0a29
SHA512

1b07a092d75cbf5c7050694ca1686726e825a0442defa1142191e1246ac4c42b9c3d42daeb8eb17a3a5009ba1ee995af9e3c2ea94ee1401323966df23ae14298
SSDEEP

24576:u2G/nvxW3WieCjPLoxXw1dpqthRHHyJVnZBAQcNDAjAQbCjO6F4//PeSh+45:ubA3jP1LqtaPZ5G2C6E4H0Y

Score

10^/10

dcrat evasion infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2396-13-0x00000000010A0000-0x00000000011FC000-memory.dmp	dcrat
behavioral1/memory/320-40-0x0000000000AD0000-0x0000000000C2C000-memory.dmp	dcrat
behavioral1/memory/320-43-0x000000001B200000-0x000000001B280000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2396	refPerfMonitorNetdhcpintoCommon.exe
320	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	cmd.exe
2380	cmd.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\explorer.exe\""	refPerfMonitorNetdhcpintoCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\refPerfMonitorNetdhcp\\winlogon.exe\""	refPerfMonitorNetdhcpintoCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\My Documents\\wininit.exe\""	refPerfMonitorNetdhcpintoCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Adobe\\Updater6\\lsass.exe\""	refPerfMonitorNetdhcpintoCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\NlsLexicons000c\\spoolsv.exe\""	refPerfMonitorNetdhcpintoCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\snmpapi\\lsass.exe\""	refPerfMonitorNetdhcpintoCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\api-ms-win-core-synch-l1-1-0\\taskhost.exe\""	refPerfMonitorNetdhcpintoCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\NlsLexicons0020\\sppsvc.exe\""	refPerfMonitorNetdhcpintoCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\""	refPerfMonitorNetdhcpintoCommon.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\snmpapi\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	refPerfMonitorNetdhcpintoCommon.exe
File created	C:\Windows\System32\api-ms-win-core-synch-l1-1-0\taskhost.exe	refPerfMonitorNetdhcpintoCommon.exe
File created	C:\Windows\System32\api-ms-win-core-synch-l1-1-0\b75386f1303e64d8139363b71e44ac16341adf4e	refPerfMonitorNetdhcpintoCommon.exe
File created	C:\Windows\System32\NlsLexicons0020\sppsvc.exe	refPerfMonitorNetdhcpintoCommon.exe
File created	C:\Windows\System32\NlsLexicons0020\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	refPerfMonitorNetdhcpintoCommon.exe
File created	C:\Windows\System32\NlsLexicons000c\spoolsv.exe	refPerfMonitorNetdhcpintoCommon.exe
File created	C:\Windows\System32\NlsLexicons000c\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	refPerfMonitorNetdhcpintoCommon.exe
File created	C:\Windows\System32\snmpapi\lsass.exe	refPerfMonitorNetdhcpintoCommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2792	schtasks.exe
1832	schtasks.exe
2688	schtasks.exe
2656	schtasks.exe
2268	schtasks.exe
1076	schtasks.exe
1760	schtasks.exe
2920	schtasks.exe
2728	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2712	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2396	refPerfMonitorNetdhcpintoCommon.exe
320	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	refPerfMonitorNetdhcpintoCommon.exe
Token: SeDebugPrivilege	320	sppsvc.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1132	2444	2bac605e5583c13c10d4f1e0f0427c7e.exe	18
PID 2444 wrote to memory of 1132	2444	2bac605e5583c13c10d4f1e0f0427c7e.exe	18
PID 2444 wrote to memory of 1132	2444	2bac605e5583c13c10d4f1e0f0427c7e.exe	18
PID 2444 wrote to memory of 1132	2444	2bac605e5583c13c10d4f1e0f0427c7e.exe	18
PID 1132 wrote to memory of 2380	1132	WScript.exe	29
PID 1132 wrote to memory of 2380	1132	WScript.exe	29
PID 1132 wrote to memory of 2380	1132	WScript.exe	29
PID 1132 wrote to memory of 2380	1132	WScript.exe	29
PID 2380 wrote to memory of 2396	2380	cmd.exe	30
PID 2380 wrote to memory of 2396	2380	cmd.exe	30
PID 2380 wrote to memory of 2396	2380	cmd.exe	30
PID 2380 wrote to memory of 2396	2380	cmd.exe	30
PID 2396 wrote to memory of 320	2396	refPerfMonitorNetdhcpintoCommon.exe	35
PID 2396 wrote to memory of 320	2396	refPerfMonitorNetdhcpintoCommon.exe	35
PID 2396 wrote to memory of 320	2396	refPerfMonitorNetdhcpintoCommon.exe	35
PID 2396 wrote to memory of 320	2396	refPerfMonitorNetdhcpintoCommon.exe	35
PID 2396 wrote to memory of 320	2396	refPerfMonitorNetdhcpintoCommon.exe	35
PID 2380 wrote to memory of 2712	2380	cmd.exe	34
PID 2380 wrote to memory of 2712	2380	cmd.exe	34
PID 2380 wrote to memory of 2712	2380	cmd.exe	34
PID 2380 wrote to memory of 2712	2380	cmd.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2bac605e5583c13c10d4f1e0f0427c7e.exe
"C:\Users\Admin\AppData\Local\Temp\2bac605e5583c13c10d4f1e0f0427c7e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\refPerfMonitorNetdhcp\YrT2mnqpC.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\refPerfMonitorNetdhcp\pjvczXU3I6biAnw1ZWy.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\refPerfMonitorNetdhcp\refPerfMonitorNetdhcpintoCommon.exe
      "C:\refPerfMonitorNetdhcp\refPerfMonitorNetdhcpintoCommon.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\System32\NlsLexicons0020\sppsvc.exe
        
        "C:\Windows\System32\NlsLexicons0020\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons000c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\snmpapi\lsass.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0020\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Updater6\lsass.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\refPerfMonitorNetdhcp\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\api-ms-win-core-synch-l1-1-0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\refPerfMonitorNetdhcp\YrT2mnqpC.vbe

Filesize
217B

MD5
54a006bff9a90d4ae0cc7738e0c0fbae

SHA1
19c97dfab3ba92ccea63f1500d7b5cf1f10f3ac1

SHA256
6d8c8de2d8d86b210b5d2e1380602f8ec5720aaa03c71cd12333cb4902d04672

SHA512
9774a74a2392525ca44378050d87f8c354ab9e69ba1dec4a8bdff0c4eb0f507cf6016dfa9766afb32587294104378e84eed9cdc7acbff7519f870d6f6a772978

Download Submit
memory/320-40-0x0000000000AD0000-0x0000000000C2C000-memory.dmp

Filesize
1.4MB

Download
memory/320-43-0x000000001B200000-0x000000001B280000-memory.dmp

Filesize
512KB

Download
memory/320-42-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/320-44-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2396-13-0x00000000010A0000-0x00000000011FC000-memory.dmp

Filesize
1.4MB

Download
memory/2396-14-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2396-15-0x000000001B020000-0x000000001B0A0000-memory.dmp

Filesize
512KB

Download
memory/2396-41-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads