dcrat | cef243d8fa4ef4cb108c2cabbf0a3b17dd02aea213776351720612dc69669e68

General

Target

5adfa60026465144e6410fab3f714d2e.exe
Size

1.4MB
MD5

5adfa60026465144e6410fab3f714d2e
SHA1

daa4b6471384b111da3d580f9c41ceabed9dbd15
SHA256

cef243d8fa4ef4cb108c2cabbf0a3b17dd02aea213776351720612dc69669e68
SHA512

2589ca8deda6fd755bca15dca36339e9d56c9fab18145f3632e440eeaba14f0e400e9f18bf6a0f8471eef76ce98759af9d85c11c1bfce09cf8c50a277406ca19
SSDEEP

24576:U2G/nvxW3Ww0tl3RIlDkd7nbq/uqjcUvuqs/b37CwPhNkxf+4z:UbA30lgy7nbq/9SqsaaNtw

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2816	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe	dcrat
behavioral1/memory/2848-13-0x00000000010B0000-0x00000000011D2000-memory.dmp	dcrat
C:\Windows\System32\vaultsvc\spoolsv.exe	dcrat
behavioral1/memory/2332-31-0x000000001B060000-0x000000001B0E0000-memory.dmp	dcrat
behavioral1/memory/2332-28-0x0000000000DE0000-0x0000000000F02000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

reviewDriverCrtFontcrtnet.execonhost.exe

pid process

2848 reviewDriverCrtFontcrtnet.exe
2332 conhost.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2708 cmd.exe
2708 cmd.exe

pid	process
2848	reviewDriverCrtFontcrtnet.exe
2332	conhost.exe

pid	process
2708	cmd.exe
2708	cmd.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reviewDriverCrtFontcrtnet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\api-ms-win-crt-filesystem-l1-1-0\\conhost.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\KBDSF\\lsass.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\vaultsvc\\spoolsv.exe\""	reviewDriverCrtFontcrtnet.exe

Drops file in System32 directory 7 IoCs

Processes:

reviewDriverCrtFontcrtnet.exe

description	ioc	process
File created	C:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0\088424020bedd6b28ac7fd22ee35dcd7322895ce	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\KBDSF\lsass.exe	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\KBDSF\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\vaultsvc\spoolsv.exe	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\vaultsvc\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0\conhost.exe	reviewDriverCrtFontcrtnet.exe
File opened for modification	C:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0\conhost.exe	reviewDriverCrtFontcrtnet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2652 schtasks.exe
2608 schtasks.exe
772 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

reviewDriverCrtFontcrtnet.execonhost.exe

pid process

2848 reviewDriverCrtFontcrtnet.exe
2332 conhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

reviewDriverCrtFontcrtnet.execonhost.exe

description pid process

Token: SeDebugPrivilege 2848 reviewDriverCrtFontcrtnet.exe
Token: SeDebugPrivilege 2332 conhost.exe

pid	process
2652	schtasks.exe
2608	schtasks.exe
772	schtasks.exe

pid	process
2848	reviewDriverCrtFontcrtnet.exe
2332	conhost.exe

description	pid	process
Token: SeDebugPrivilege	2848	reviewDriverCrtFontcrtnet.exe
Token: SeDebugPrivilege	2332	conhost.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5adfa60026465144e6410fab3f714d2e.exeWScript.execmd.exereviewDriverCrtFontcrtnet.exe

description	pid	process	target process
PID 2328 wrote to memory of 2536	2328	5adfa60026465144e6410fab3f714d2e.exe	WScript.exe
PID 2328 wrote to memory of 2536	2328	5adfa60026465144e6410fab3f714d2e.exe	WScript.exe
PID 2328 wrote to memory of 2536	2328	5adfa60026465144e6410fab3f714d2e.exe	WScript.exe
PID 2328 wrote to memory of 2536	2328	5adfa60026465144e6410fab3f714d2e.exe	WScript.exe
PID 2536 wrote to memory of 2708	2536	WScript.exe	cmd.exe
PID 2536 wrote to memory of 2708	2536	WScript.exe	cmd.exe
PID 2536 wrote to memory of 2708	2536	WScript.exe	cmd.exe
PID 2536 wrote to memory of 2708	2536	WScript.exe	cmd.exe
PID 2708 wrote to memory of 2848	2708	cmd.exe	reviewDriverCrtFontcrtnet.exe
PID 2708 wrote to memory of 2848	2708	cmd.exe	reviewDriverCrtFontcrtnet.exe
PID 2708 wrote to memory of 2848	2708	cmd.exe	reviewDriverCrtFontcrtnet.exe
PID 2708 wrote to memory of 2848	2708	cmd.exe	reviewDriverCrtFontcrtnet.exe
PID 2848 wrote to memory of 2332	2848	reviewDriverCrtFontcrtnet.exe	conhost.exe
PID 2848 wrote to memory of 2332	2848	reviewDriverCrtFontcrtnet.exe	conhost.exe
PID 2848 wrote to memory of 2332	2848	reviewDriverCrtFontcrtnet.exe	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5adfa60026465144e6410fab3f714d2e.exe
"C:\Users\Admin\AppData\Local\Temp\5adfa60026465144e6410fab3f714d2e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\reviewDriverCrt\GqZ4Z.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\reviewDriverCrt\pFx5CwZioohZPln3.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe
      "C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0\conhost.exe
        
        "C:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\KBDSF\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\vaultsvc\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\vaultsvc\spoolsv.exe

Filesize
1024KB

MD5
953fd916bc94dd765e78d1159f298f23

SHA1
d401f8c86ed3e0e3b1d6c9c74f30597a874dd4c5

SHA256
f543323243d82b3640707724d045e07bd9bb6453d958e7fe0a782a39d3587804

SHA512
527ab7dbe8dc286b7f93f5249012f9cf53bab6694e4d9fc426492df570e182e2a02d785eee15c227d6c4fda98618c08764043bb8056abe8a5bbe9cfd27870233

Download Submit
C:\reviewDriverCrt\GqZ4Z.vbe

Filesize
208B

MD5
d3dbfd5aab30c1b227b55ca29a35d3c1

SHA1
a9fde98b66f84d5f397fd255bba7561623de81ae

SHA256
021991da8cd94174c924b2f333a86891aceabb9daf7c71f86ad38f468d13595d

SHA512
e0eb3a83c997b93f706dcb0491112fbf4af9db3729540fc288d07ba20a7eac7b9512b508121a8d7cfae78ced3c0474feb7c8c1df24d51a97b10c1698e577b0aa

Download Submit
C:\reviewDriverCrt\pFx5CwZioohZPln3.bat

Filesize
50B

MD5
9e3d0a8b26cd56f528bae72fe15d8b3d

SHA1
ba07c007fe32d8917d71ec92178ebbedda3660b8

SHA256
1d9fbfd732d71dfadcc87f3082a629bb76fdc9b53c1f8d5b0ba244a3753e98b3

SHA512
ae48350bb2eff19a8fdedec36d97ad5de9ff53944d1e3bc77a7ca8e633e371cd7a9bc74be1079a3f05289cd1c8a0931597ab9c76502563e7bbe857fa1ab78078

Download Submit
\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe

Filesize
1.1MB

MD5
a95f2e917a44acbcef8d69de421a73ea

SHA1
a186188206c690a9b5414280dd214a0904e79a82

SHA256
1ba6af47c93bb3a9610941f3d8cd1086e34187e35af34801745922589f74c57d

SHA512
fd538b2de8556d2e1d3ef7a71f1edb15cd2aba26f7d40727c340e85699c7327aa1a96fe95a4bad887ffab43cd43581ce26fb006767e7802f6554574dbd1c6309

Download Submit
memory/2332-31-0x000000001B060000-0x000000001B0E0000-memory.dmp

Filesize
512KB

Download
memory/2332-30-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2332-28-0x0000000000DE0000-0x0000000000F02000-memory.dmp

Filesize
1.1MB

Download
memory/2332-32-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2332-33-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2848-15-0x000000001B0A0000-0x000000001B120000-memory.dmp

Filesize
512KB

Download
memory/2848-14-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2848-29-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2848-13-0x00000000010B0000-0x00000000011D2000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads