dcrat | cef243d8fa4ef4cb108c2cabbf0a3b17dd02aea213776351720612dc69669e68

General

Target

5adfa60026465144e6410fab3f714d2e.exe
Size

1.4MB
MD5

5adfa60026465144e6410fab3f714d2e
SHA1

daa4b6471384b111da3d580f9c41ceabed9dbd15
SHA256

cef243d8fa4ef4cb108c2cabbf0a3b17dd02aea213776351720612dc69669e68
SHA512

2589ca8deda6fd755bca15dca36339e9d56c9fab18145f3632e440eeaba14f0e400e9f18bf6a0f8471eef76ce98759af9d85c11c1bfce09cf8c50a277406ca19
SSDEEP

24576:U2G/nvxW3Ww0tl3RIlDkd7nbq/uqjcUvuqs/b37CwPhNkxf+4z:UbA30lgy7nbq/9SqsaaNtw

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exe5adfa60026465144e6410fab3f714d2e.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
968	schtasks.exe
3780	schtasks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	5adfa60026465144e6410fab3f714d2e.exe
2052	schtasks.exe
4960	schtasks.exe
1228	schtasks.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	980	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe	dcrat
behavioral2/memory/1328-12-0x0000000000C50000-0x0000000000D72000-memory.dmp	dcrat
C:\Users\fontdrvhost.exe	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reviewDriverCrtFontcrtnet.exe5adfa60026465144e6410fab3f714d2e.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	reviewDriverCrtFontcrtnet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	5adfa60026465144e6410fab3f714d2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

reviewDriverCrtFontcrtnet.exefontdrvhost.exe

pid process

1328 reviewDriverCrtFontcrtnet.exe
1172 fontdrvhost.exe

pid	process
1328	reviewDriverCrtFontcrtnet.exe
1172	fontdrvhost.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reviewDriverCrtFontcrtnet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Documents and Settings\\sysmon.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\Videos\\RuntimeBroker.exe\""	reviewDriverCrtFontcrtnet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Documents and Settings\\fontdrvhost.exe\""	reviewDriverCrtFontcrtnet.exe

Drops file in Windows directory 2 IoCs

Processes:

reviewDriverCrtFontcrtnet.exe

description	ioc	process
File created	C:\Windows\Downloaded Program Files\RuntimeBroker.exe	reviewDriverCrtFontcrtnet.exe
File created	C:\Windows\Downloaded Program Files\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	reviewDriverCrtFontcrtnet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

968 schtasks.exe
2052 schtasks.exe
4960 schtasks.exe
1228 schtasks.exe
3780 schtasks.exe

pid	process
968	schtasks.exe
2052	schtasks.exe
4960	schtasks.exe
1228	schtasks.exe
3780	schtasks.exe

Modifies registry class 1 IoCs

Processes:

5adfa60026465144e6410fab3f714d2e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	5adfa60026465144e6410fab3f714d2e.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

reviewDriverCrtFontcrtnet.exefontdrvhost.exe

pid process

1328 reviewDriverCrtFontcrtnet.exe
1328 reviewDriverCrtFontcrtnet.exe
1172 fontdrvhost.exe
1172 fontdrvhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

reviewDriverCrtFontcrtnet.exefontdrvhost.exe

description pid process

Token: SeDebugPrivilege 1328 reviewDriverCrtFontcrtnet.exe
Token: SeDebugPrivilege 1172 fontdrvhost.exe

pid	process
1328	reviewDriverCrtFontcrtnet.exe
1328	reviewDriverCrtFontcrtnet.exe
1172	fontdrvhost.exe
1172	fontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	1328	reviewDriverCrtFontcrtnet.exe
Token: SeDebugPrivilege	1172	fontdrvhost.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

5adfa60026465144e6410fab3f714d2e.exeWScript.execmd.exereviewDriverCrtFontcrtnet.exe

description	pid	process	target process
PID 4604 wrote to memory of 3028	4604	5adfa60026465144e6410fab3f714d2e.exe	WScript.exe
PID 4604 wrote to memory of 3028	4604	5adfa60026465144e6410fab3f714d2e.exe	WScript.exe
PID 4604 wrote to memory of 3028	4604	5adfa60026465144e6410fab3f714d2e.exe	WScript.exe
PID 3028 wrote to memory of 1612	3028	WScript.exe	cmd.exe
PID 3028 wrote to memory of 1612	3028	WScript.exe	cmd.exe
PID 3028 wrote to memory of 1612	3028	WScript.exe	cmd.exe
PID 1612 wrote to memory of 1328	1612	cmd.exe	reviewDriverCrtFontcrtnet.exe
PID 1612 wrote to memory of 1328	1612	cmd.exe	reviewDriverCrtFontcrtnet.exe
PID 1328 wrote to memory of 1172	1328	reviewDriverCrtFontcrtnet.exe	fontdrvhost.exe
PID 1328 wrote to memory of 1172	1328	reviewDriverCrtFontcrtnet.exe	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5adfa60026465144e6410fab3f714d2e.exe
"C:\Users\Admin\AppData\Local\Temp\5adfa60026465144e6410fab3f714d2e.exe"
1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\reviewDriverCrt\GqZ4Z.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\reviewDriverCrt\pFx5CwZioohZPln3.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe
      "C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1328
    - - C:\Documents and Settings\fontdrvhost.exe
        
        "C:\Documents and Settings\fontdrvhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Documents and Settings\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Documents and Settings\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\fontdrvhost.exe

Filesize
832KB

MD5
91efcd35d2884eab62c00aa1d62ca146

SHA1
c804b789b738a64a4fc1138ed4c4b8adcf11b10f

SHA256
19c949eba09e3b1b11d4b021d9ffaf3aea03f74f6ce12c64e210d22fd5f4c5e6

SHA512
74e0acdd234b718d74fcc196e8c931f606ca42c58e030ed72e05365a472b3da9776a9b55d04dcfabefcab72fa9971a340415b7e46e3d185599a0bd85e163e3ff

Download Submit
C:\reviewDriverCrt\GqZ4Z.vbe

Filesize
208B

MD5
d3dbfd5aab30c1b227b55ca29a35d3c1

SHA1
a9fde98b66f84d5f397fd255bba7561623de81ae

SHA256
021991da8cd94174c924b2f333a86891aceabb9daf7c71f86ad38f468d13595d

SHA512
e0eb3a83c997b93f706dcb0491112fbf4af9db3729540fc288d07ba20a7eac7b9512b508121a8d7cfae78ced3c0474feb7c8c1df24d51a97b10c1698e577b0aa

Download Submit
C:\reviewDriverCrt\pFx5CwZioohZPln3.bat

Filesize
50B

MD5
9e3d0a8b26cd56f528bae72fe15d8b3d

SHA1
ba07c007fe32d8917d71ec92178ebbedda3660b8

SHA256
1d9fbfd732d71dfadcc87f3082a629bb76fdc9b53c1f8d5b0ba244a3753e98b3

SHA512
ae48350bb2eff19a8fdedec36d97ad5de9ff53944d1e3bc77a7ca8e633e371cd7a9bc74be1079a3f05289cd1c8a0931597ab9c76502563e7bbe857fa1ab78078

Download Submit
C:\reviewDriverCrt\reviewDriverCrtFontcrtnet.exe

Filesize
1.1MB

MD5
a95f2e917a44acbcef8d69de421a73ea

SHA1
a186188206c690a9b5414280dd214a0904e79a82

SHA256
1ba6af47c93bb3a9610941f3d8cd1086e34187e35af34801745922589f74c57d

SHA512
fd538b2de8556d2e1d3ef7a71f1edb15cd2aba26f7d40727c340e85699c7327aa1a96fe95a4bad887ffab43cd43581ce26fb006767e7802f6554574dbd1c6309

Download Submit
memory/1172-39-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

Filesize
64KB

Download
memory/1172-38-0x00007FFCC3660000-0x00007FFCC4121000-memory.dmp

Filesize
10.8MB

Download
memory/1172-40-0x00007FFCC3660000-0x00007FFCC4121000-memory.dmp

Filesize
10.8MB

Download
memory/1172-41-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

Filesize
64KB

Download
memory/1172-43-0x00007FFCC3660000-0x00007FFCC4121000-memory.dmp

Filesize
10.8MB

Download
memory/1328-14-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download
memory/1328-13-0x00007FFCC3660000-0x00007FFCC4121000-memory.dmp

Filesize
10.8MB

Download
memory/1328-37-0x00007FFCC3660000-0x00007FFCC4121000-memory.dmp

Filesize
10.8MB

Download
memory/1328-12-0x0000000000C50000-0x0000000000D72000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads