dcrat | 79a6f43c7c03d086ebcf7c70a25b21e0888866344d889e35068e461ffb82444e

General

Target

4020bfcac652310c77b3c5fa6a609098.exe
Size

1.4MB
MD5

4020bfcac652310c77b3c5fa6a609098
SHA1

072d892ed59b80cc1561c004dfc0ba5343fc530a
SHA256

79a6f43c7c03d086ebcf7c70a25b21e0888866344d889e35068e461ffb82444e
SHA512

09590ce01936bb6ffc2db2a15390820408c726ac65ae2d424edde0f1cc65caf3d1cc570935196eccc7cd454957c89f4a1bad8d820f869f766e49ffb371bddbd5
SSDEEP

24576:G7b6+NMFw50Rp8gXBeyebsBtqKl/NpP2RMJ+V8c6Js7+RzrdI/Ko+4:GPkeqGgXBeySsBZl2y281JGQzJFL

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2140	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2140	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2140	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2140	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2140	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2140	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2140	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2140	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2140	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2140	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2140	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2140	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2140	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2140	schtasks.exe	28

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2948-0-0x0000000000960000-0x0000000000AC8000-memory.dmp	dcrat
behavioral1/memory/2488-17-0x000000001AE70000-0x000000001AEF0000-memory.dmp	dcrat
behavioral1/files/0x000700000001410b-11.dat	dcrat
behavioral1/files/0x0006000000014534-39.dat	dcrat
behavioral1/memory/2972-40-0x0000000000A40000-0x0000000000BA8000-memory.dmp	dcrat
behavioral1/files/0x0006000000014534-38.dat	dcrat
behavioral1/memory/2972-45-0x000000001AEF0000-0x000000001AF70000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2972	csrss.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Documents\\My Pictures\\dllhost.exe\""	4020bfcac652310c77b3c5fa6a609098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\es-ES\\winlogon.exe\""	4020bfcac652310c77b3c5fa6a609098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\lsm.exe\""	4020bfcac652310c77b3c5fa6a609098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\sxshared\\services.exe\""	4020bfcac652310c77b3c5fa6a609098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\PerfLogs\\Admin\\audiodg.exe\""	4020bfcac652310c77b3c5fa6a609098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\mpg2splt\\dwm.exe\""	4020bfcac652310c77b3c5fa6a609098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\ProgramData\\Package Cache\\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\\sppsvc.exe\""	4020bfcac652310c77b3c5fa6a609098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4020bfcac652310c77b3c5fa6a609098 = "\"C:\\Recovery\\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\\4020bfcac652310c77b3c5fa6a609098.exe\""	4020bfcac652310c77b3c5fa6a609098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Documents and Settings\\sppsvc.exe\""	4020bfcac652310c77b3c5fa6a609098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Documents and Settings\\dwm.exe\""	4020bfcac652310c77b3c5fa6a609098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\sqlceoledb30\\csrss.exe\""	4020bfcac652310c77b3c5fa6a609098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\uexfat\\smss.exe\""	4020bfcac652310c77b3c5fa6a609098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\ProgramData\\Documents\\smss.exe\""	4020bfcac652310c77b3c5fa6a609098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\C_28599\\csrss.exe\""	4020bfcac652310c77b3c5fa6a609098.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\C_28599\csrss.exe	4020bfcac652310c77b3c5fa6a609098.exe
File created	C:\Windows\System32\sxshared\services.exe	4020bfcac652310c77b3c5fa6a609098.exe
File created	C:\Windows\System32\sqlceoledb30\csrss.exe	4020bfcac652310c77b3c5fa6a609098.exe
File created	C:\Windows\System32\mpg2splt\6cb0b6c459d5d3455a3da700e713f2e2529862ff	4020bfcac652310c77b3c5fa6a609098.exe
File created	C:\Windows\System32\C_28599\886983d96e3d3e31032c679b2d4ea91b6c05afef	4020bfcac652310c77b3c5fa6a609098.exe
File created	C:\Windows\System32\sxshared\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	4020bfcac652310c77b3c5fa6a609098.exe
File created	C:\Windows\System32\sqlceoledb30\886983d96e3d3e31032c679b2d4ea91b6c05afef	4020bfcac652310c77b3c5fa6a609098.exe
File created	C:\Windows\System32\uexfat\smss.exe	4020bfcac652310c77b3c5fa6a609098.exe
File created	C:\Windows\System32\uexfat\69ddcba757bf72f7d36c464c71f42baab150b2b9	4020bfcac652310c77b3c5fa6a609098.exe
File created	C:\Windows\System32\mpg2splt\dwm.exe	4020bfcac652310c77b3c5fa6a609098.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe	4020bfcac652310c77b3c5fa6a609098.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\101b941d020240259ca4912829b53995ad543df6	4020bfcac652310c77b3c5fa6a609098.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\cc11b995f2a76da408ea6a601e682e64743153ad	4020bfcac652310c77b3c5fa6a609098.exe
File created	C:\Windows\es-ES\winlogon.exe	4020bfcac652310c77b3c5fa6a609098.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2704	schtasks.exe
2808	schtasks.exe
1436	schtasks.exe
2896	schtasks.exe
2584	schtasks.exe
3016	schtasks.exe
1164	schtasks.exe
3028	schtasks.exe
2604	schtasks.exe
1320	schtasks.exe
2772	schtasks.exe
2088	schtasks.exe
2728	schtasks.exe
3060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2948	4020bfcac652310c77b3c5fa6a609098.exe
2948	4020bfcac652310c77b3c5fa6a609098.exe
2948	4020bfcac652310c77b3c5fa6a609098.exe
2948	4020bfcac652310c77b3c5fa6a609098.exe
2948	4020bfcac652310c77b3c5fa6a609098.exe
2488	4020bfcac652310c77b3c5fa6a609098.exe
2972	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	4020bfcac652310c77b3c5fa6a609098.exe
Token: SeDebugPrivilege	2488	4020bfcac652310c77b3c5fa6a609098.exe
Token: SeDebugPrivilege	2972	csrss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2488	2948	4020bfcac652310c77b3c5fa6a609098.exe	31
PID 2948 wrote to memory of 2488	2948	4020bfcac652310c77b3c5fa6a609098.exe	31
PID 2948 wrote to memory of 2488	2948	4020bfcac652310c77b3c5fa6a609098.exe	31
PID 2488 wrote to memory of 2972	2488	4020bfcac652310c77b3c5fa6a609098.exe	39
PID 2488 wrote to memory of 2972	2488	4020bfcac652310c77b3c5fa6a609098.exe	39
PID 2488 wrote to memory of 2972	2488	4020bfcac652310c77b3c5fa6a609098.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4020bfcac652310c77b3c5fa6a609098.exe
"C:\Users\Admin\AppData\Local\Temp\4020bfcac652310c77b3c5fa6a609098.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\4020bfcac652310c77b3c5fa6a609098.exe
  "C:\Users\Admin\AppData\Local\Temp\4020bfcac652310c77b3c5fa6a609098.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\System32\C_28599\csrss.exe
    "C:\Windows\System32\C_28599\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\uexfat\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\mpg2splt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4020bfcac652310c77b3c5fa6a609098" /sc ONLOGON /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\4020bfcac652310c77b3c5fa6a609098.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\PerfLogs\Admin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\sqlceoledb30\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Documents and Settings\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\sxshared\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\C_28599\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Documents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\C_28599\csrss.exe

Filesize
92KB

MD5
6a5db22211f57c32166566efebabb627

SHA1
b80cbc1415baed3886cbeca4325322c131fff8d1

SHA256
139d050b6e7deb69b6315d527095bfd9d449f72de1ce55548489661606d7ed63

SHA512
0aaa94fc3110ea27a2bd1ab44eaf3c0f8cd55128c21e6add72b489b0efab22aede453aea86649e57cf494ebd791f80338a3b3b3e937e96de71e69f8448d91d45

Download Submit
C:\Windows\System32\mpg2splt\dwm.exe

Filesize
1.4MB

MD5
4020bfcac652310c77b3c5fa6a609098

SHA1
072d892ed59b80cc1561c004dfc0ba5343fc530a

SHA256
79a6f43c7c03d086ebcf7c70a25b21e0888866344d889e35068e461ffb82444e

SHA512
09590ce01936bb6ffc2db2a15390820408c726ac65ae2d424edde0f1cc65caf3d1cc570935196eccc7cd454957c89f4a1bad8d820f869f766e49ffb371bddbd5

Download Submit
memory/2488-41-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2488-17-0x000000001AE70000-0x000000001AEF0000-memory.dmp

Filesize
512KB

Download
memory/2488-15-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2948-16-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2948-0-0x0000000000960000-0x0000000000AC8000-memory.dmp

Filesize
1.4MB

Download
memory/2948-2-0x000000001AE50000-0x000000001AED0000-memory.dmp

Filesize
512KB

Download
memory/2948-1-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-43-0x000000001AEF0000-0x000000001AF70000-memory.dmp

Filesize
512KB

Download
memory/2972-42-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-40-0x0000000000A40000-0x0000000000BA8000-memory.dmp

Filesize
1.4MB

Download
memory/2972-44-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-45-0x000000001AEF0000-0x000000001AF70000-memory.dmp

Filesize
512KB

Download
memory/2972-46-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads