dcrat | 3bfdd10fe2da7cb4dcff775df6897b3f5d4745391630640be7c388a816d649d1

General

Target

492ea97a5e145707a87cd019f102042b.exe
Size

1.2MB
MD5

492ea97a5e145707a87cd019f102042b
SHA1

e9b8c09b26921801d11fedb8426875c0cc59f0e4
SHA256

3bfdd10fe2da7cb4dcff775df6897b3f5d4745391630640be7c388a816d649d1
SHA512

06356125fa0071eb41c4074eba9c1610d03160954bcc27d24a507990f465207c2e21e31a433afaeaed36a59787c5441f476c0753f6e12ab19edff5ae214bfd1b
SSDEEP

12288:6e+nZZPllEevpmjEdApnSavNYkHN2nG9mAKKCVUy0XKKtOpCG0J3jK5MKYXqn4:/CeIQrSavmGcAKnVUHK5b0Jzf5X+4

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2748	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2748	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2748	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2748	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2748	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2748	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2748	schtasks.exe	28

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2996-0-0x00000000000D0000-0x000000000020E000-memory.dmp	dcrat
behavioral1/files/0x0005000000018771-11.dat	dcrat
behavioral1/files/0x00050000000191cb-22.dat	dcrat
behavioral1/memory/3020-23-0x0000000000260000-0x000000000039E000-memory.dmp	dcrat
behavioral1/files/0x00050000000191cb-21.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
3020	services.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Common Files\\Adobe\\Help\\en_US\\Adobe Reader\\9.0\\smss.exe\""	492ea97a5e145707a87cd019f102042b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Documents and Settings\\lsass.exe\""	492ea97a5e145707a87cd019f102042b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\lsass.exe\""	492ea97a5e145707a87cd019f102042b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PerfLogs\\Admin\\dllhost.exe\""	492ea97a5e145707a87cd019f102042b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\""	492ea97a5e145707a87cd019f102042b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\services.exe\""	492ea97a5e145707a87cd019f102042b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\QSVRMGMT\\lsm.exe\""	492ea97a5e145707a87cd019f102042b.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\QSVRMGMT\lsm.exe	492ea97a5e145707a87cd019f102042b.exe
File created	C:\Windows\System32\QSVRMGMT\101b941d020240259ca4912829b53995ad543df6	492ea97a5e145707a87cd019f102042b.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\smss.exe	492ea97a5e145707a87cd019f102042b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\smss.exe	492ea97a5e145707a87cd019f102042b.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\69ddcba757bf72f7d36c464c71f42baab150b2b9	492ea97a5e145707a87cd019f102042b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2860	schtasks.exe
2628	schtasks.exe
2676	schtasks.exe
2612	schtasks.exe
2772	schtasks.exe
2844	schtasks.exe
2728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2996	492ea97a5e145707a87cd019f102042b.exe
3020	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	492ea97a5e145707a87cd019f102042b.exe
Token: SeDebugPrivilege	3020	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 3020	2996	492ea97a5e145707a87cd019f102042b.exe	36
PID 2996 wrote to memory of 3020	2996	492ea97a5e145707a87cd019f102042b.exe	36
PID 2996 wrote to memory of 3020	2996	492ea97a5e145707a87cd019f102042b.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\492ea97a5e145707a87cd019f102042b.exe
"C:\Users\Admin\AppData\Local\Temp\492ea97a5e145707a87cd019f102042b.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe
  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Documents and Settings\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PerfLogs\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\QSVRMGMT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe

Filesize
1.1MB

MD5
afff480041adb4f2f1a9c77d7c8a1b30

SHA1
964697ca696284039e4466aa4797fb23310b940f

SHA256
4f6141552d0a963c7697942be0e75e8e6ce78c8aa302864f76d4b0581d3a079f

SHA512
f7fa176dcbf2916649f1b16578a0d502903397e1f7d36d4a8b50fb0e4218ac9c43933a2b9bf67b2a054079083888294178eb3dd473e82777836bf283a97244c7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe

Filesize
884KB

MD5
d4a6be44e17933c02d9cafba7a3a2453

SHA1
ec00c31f21cc8736aa7d803898458c2a1b515e07

SHA256
7fe81e24ac7a85f426e708022d3ade21479e7efdc6a94a98950def80d01de32f

SHA512
00897262b76fb6fbd0f0415e86593be76195f3ca7cda00b47830ad2facfa799c30191ad0b83930b1aa565c200d6f6761cd3cafc4762d863bc8f3c571387d96e4

Download Submit
C:\Users\Default\dllhost.exe

Filesize
628KB

MD5
f84f07817990c5414e06f806f30394f2

SHA1
a5d9033414324f0cfab8719b787574d85a480703

SHA256
7efe4cf105e913c25dee0d6c7bf282f32abe8b83201fc7da6dc4f07c5f4fd6be

SHA512
f2766d3a7cc8e69290febc358e913d521ee97e05c16452d581f8762d3c5b207fe52f43d4fe42efd5d6b44e221001b7d4c09c2e87ceb842d21c66207c9d7cbcff

Download Submit
memory/2996-0-0x00000000000D0000-0x000000000020E000-memory.dmp

Filesize
1.2MB

Download
memory/2996-1-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-2-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2996-24-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-25-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-26-0x000000001A7D0000-0x000000001A850000-memory.dmp

Filesize
512KB

Download
memory/3020-23-0x0000000000260000-0x000000000039E000-memory.dmp

Filesize
1.2MB

Download
memory/3020-27-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads