dcrat | a3c2b70ef27805fbc7eaf588860f68000b7060b253817331db53b30dd77bc440

General

Target

56452dc78822885d0a2512783227f1dd.exe
Size

1.6MB
MD5

56452dc78822885d0a2512783227f1dd
SHA1

25f44f44a36aeba660e5d919d54078d722635b68
SHA256

a3c2b70ef27805fbc7eaf588860f68000b7060b253817331db53b30dd77bc440
SHA512

b281bdf4835ebf7a80ce308ef96e62ed0039b2deb74ae552653d3642b50e135fa004553c1897c76e8958633531c1834580b02246b48a1888292b4ba071b7ca9d
SSDEEP

24576:I2G/nvxW3WcQdm0INy7ki6HAYWbNAtjrpMlcOV+3xNFTG+FWx+4S:IbA3IwC7h6HIAtltxDG+JJ

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0006000000023140-10.dat	dcrat
behavioral2/memory/1020-12-0x00000000005E0000-0x0000000000714000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	reviewhostperfCommonfonthostperf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	56452dc78822885d0a2512783227f1dd.exe

Executes dropped EXE 2 IoCs

pid	Process
1020	reviewhostperfCommonfonthostperf.exe
520	backgroundTaskHost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\vbssysprep\backgroundTaskHost.exe	reviewhostperfCommonfonthostperf.exe
File created	C:\Windows\System32\vbssysprep\eddb19405b7ce1152b3e19997f2b467f0b72b3d3	reviewhostperfCommonfonthostperf.exe
File created	C:\Windows\System32\IdCtrls\lsass.exe	reviewhostperfCommonfonthostperf.exe
File created	C:\Windows\System32\IdCtrls\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	reviewhostperfCommonfonthostperf.exe
File created	C:\Windows\System32\AboveLockAppHost\lsass.exe	reviewhostperfCommonfonthostperf.exe
File created	C:\Windows\System32\AboveLockAppHost\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	reviewhostperfCommonfonthostperf.exe
File created	C:\Windows\System32\SimCfg\SppExtComObj.exe	reviewhostperfCommonfonthostperf.exe
File created	C:\Windows\System32\SimCfg\e1ef82546f0b02b7e974f28047f3788b1128cce1	reviewhostperfCommonfonthostperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2284	schtasks.exe
3428	schtasks.exe
3636	schtasks.exe
4448	schtasks.exe
2848	schtasks.exe
2964	schtasks.exe
1340	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	56452dc78822885d0a2512783227f1dd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1020	reviewhostperfCommonfonthostperf.exe
1020	reviewhostperfCommonfonthostperf.exe
1020	reviewhostperfCommonfonthostperf.exe
520	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1020	reviewhostperfCommonfonthostperf.exe
Token: SeDebugPrivilege	520	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 816	3120	56452dc78822885d0a2512783227f1dd.exe	91
PID 3120 wrote to memory of 816	3120	56452dc78822885d0a2512783227f1dd.exe	91
PID 3120 wrote to memory of 816	3120	56452dc78822885d0a2512783227f1dd.exe	91
PID 816 wrote to memory of 4332	816	WScript.exe	92
PID 816 wrote to memory of 4332	816	WScript.exe	92
PID 816 wrote to memory of 4332	816	WScript.exe	92
PID 4332 wrote to memory of 1020	4332	cmd.exe	94
PID 4332 wrote to memory of 1020	4332	cmd.exe	94
PID 1020 wrote to memory of 4448	1020	reviewhostperfCommonfonthostperf.exe	97
PID 1020 wrote to memory of 4448	1020	reviewhostperfCommonfonthostperf.exe	97
PID 1020 wrote to memory of 2848	1020	reviewhostperfCommonfonthostperf.exe	99
PID 1020 wrote to memory of 2848	1020	reviewhostperfCommonfonthostperf.exe	99
PID 1020 wrote to memory of 2964	1020	reviewhostperfCommonfonthostperf.exe	101
PID 1020 wrote to memory of 2964	1020	reviewhostperfCommonfonthostperf.exe	101
PID 1020 wrote to memory of 1340	1020	reviewhostperfCommonfonthostperf.exe	103
PID 1020 wrote to memory of 1340	1020	reviewhostperfCommonfonthostperf.exe	103
PID 1020 wrote to memory of 2284	1020	reviewhostperfCommonfonthostperf.exe	105
PID 1020 wrote to memory of 2284	1020	reviewhostperfCommonfonthostperf.exe	105
PID 1020 wrote to memory of 3428	1020	reviewhostperfCommonfonthostperf.exe	107
PID 1020 wrote to memory of 3428	1020	reviewhostperfCommonfonthostperf.exe	107
PID 1020 wrote to memory of 3636	1020	reviewhostperfCommonfonthostperf.exe	109
PID 1020 wrote to memory of 3636	1020	reviewhostperfCommonfonthostperf.exe	109
PID 1020 wrote to memory of 520	1020	reviewhostperfCommonfonthostperf.exe	111
PID 1020 wrote to memory of 520	1020	reviewhostperfCommonfonthostperf.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\56452dc78822885d0a2512783227f1dd.exe
"C:\Users\Admin\AppData\Local\Temp\56452dc78822885d0a2512783227f1dd.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\reviewhostperfCommon\vQAgT2wcLkn.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\reviewhostperfCommon\kPEri9B5nQhmZuDpCB.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\reviewhostperfCommon\reviewhostperfCommonfonthostperf.exe
      "C:\reviewhostperfCommon\reviewhostperfCommonfonthostperf.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "sysmon" /sc ONLOGON /tr "'C:\Documents and Settings\sysmon.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:4448
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\vbssysprep\backgroundTaskHost.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2848
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2964
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\IdCtrls\lsass.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1340
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\AboveLockAppHost\lsass.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2284
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\csrss.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:3428
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\SimCfg\SppExtComObj.exe'" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:3636
    - - C:\Windows\System32\vbssysprep\backgroundTaskHost.exe
        
        "C:\Windows\System32\vbssysprep\backgroundTaskHost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\reviewhostperfCommon\kPEri9B5nQhmZuDpCB.bat

Filesize
62B

MD5
a48389bde68f6d990898fc9a495edf8a

SHA1
ce74da6d64b009f27dc7ed8f0377881f5c7a716f

SHA256
186d091773a7cebbb5aa0a213d8ed96faeb5e714f7242e97f19ebe61baac9e7a

SHA512
41ec3e7d778beacfcbdbdb5fe3fd22a84fd9c109dd5741f5526dc938cc8a66f304016ccdb66eeebccbbbc01c11c818ac3699945676c3af3c10d1c0c85d384da9

Download Submit
C:\reviewhostperfCommon\reviewhostperfCommonfonthostperf.exe

Filesize
1.2MB

MD5
1c5beacf795033142fa3ed081ada1b30

SHA1
2e38208dfd2bf4b52e82359cd5101d08667e5b4c

SHA256
82c160832568258001ad498291a7c3b6f0500bdd1f93153d8ae1b0e3b9033e44

SHA512
42540ac45358cbaf44d7148dd6f64dc9cd45ccdcf50b3550c1c02eb9e2e1098f05d92f3630abdee4e6d9bed35c389768e98680fd7a406a7d35c09abe5f8e7634

Download Submit
C:\reviewhostperfCommon\vQAgT2wcLkn.vbe

Filesize
215B

MD5
8bbffc54f76d877b85a862d4d8c31d46

SHA1
de9514cbd5f272d4e38eff043dadeb5bfd0f5deb

SHA256
064700c9dc9db339fa6664762ad7c74068131c1a197c1e719a032612c36d252e

SHA512
ed16d49c8533350d11bb32d343bd83fc96565c97b3e3faa5a6f6d6c90a85e185c7b7247c716d147e21fc351d765044260c17ae16799afd59a6b3426d1dd2dd4d

Download Submit
memory/520-41-0x00007FF929D50000-0x00007FF92A811000-memory.dmp

Filesize
10.8MB

Download
memory/520-42-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/520-44-0x00007FF929D50000-0x00007FF92A811000-memory.dmp

Filesize
10.8MB

Download
memory/1020-12-0x00000000005E0000-0x0000000000714000-memory.dmp

Filesize
1.2MB

Download
memory/1020-13-0x00007FF929D50000-0x00007FF92A811000-memory.dmp

Filesize
10.8MB

Download
memory/1020-14-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/1020-40-0x00007FF929D50000-0x00007FF92A811000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads