dcrat | 72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e

General

Target

72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe
Size

1.5MB
MD5

8ebfb00f97e5120227605496dee1ba2d
SHA1

3c225ff088d0fde20c4f2908363909dcc8efdc8c
SHA256

72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e
SHA512

d9e566c6ca2db028dce7a7ee068bddd86ad2def9a8fe222af4be72e8618f08423b8bd81a9f709bc86c161b63fc9bade35138386d8cc3411a8fe23c5a84ce9328
SSDEEP

24576:U+varIF+BiWM5bL6kxfV1dEX2GEOQpQcHZbEmdOpt6FLW3q9:U4arIcqJLhK2GEFScHD8OA3

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1928	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	1928	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	1928	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	1928	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	1928	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	1928	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4980-0-0x0000000000E80000-0x0000000001010000-memory.dmp	dcrat
behavioral2/files/0x0007000000023232-25.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe

Executes dropped EXE 1 IoCs

pid	Process
2268	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4084	schtasks.exe
1688	schtasks.exe
4648	schtasks.exe
3172	schtasks.exe
4536	schtasks.exe
3268	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4980	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe
2268	smss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe
Token: SeDebugPrivilege	2268	smss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 2500	4980	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe	90
PID 4980 wrote to memory of 2500	4980	72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe	90
PID 2500 wrote to memory of 1464	2500	cmd.exe	92
PID 2500 wrote to memory of 1464	2500	cmd.exe	92
PID 2500 wrote to memory of 2268	2500	cmd.exe	96
PID 2500 wrote to memory of 2268	2500	cmd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe
"C:\Users\Admin\AppData\Local\Temp\72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\suxlltqCa3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1464
- - C:\odt\smss.exe
    "C:\odt\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\suxlltqCa3.bat

Filesize
180B

MD5
6fa3b32519b6cf9b9a25df6f429c1086

SHA1
45649840a20034f89fb10185f601e67981044204

SHA256
780fd21d62e2d26f21aba9ca5331c09b1cdb14ec47259ab457e80148ab205832

SHA512
2395dd74eeabef07c9ced4aad5222e005908b23c025c67ec79e1c5174b676a56506e196186ddb0f738fb408454a497cfa43190a4118ff8d33ef30ab153362716

Download Submit
C:\odt\smss.exe

Filesize
1.5MB

MD5
8ebfb00f97e5120227605496dee1ba2d

SHA1
3c225ff088d0fde20c4f2908363909dcc8efdc8c

SHA256
72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e

SHA512
d9e566c6ca2db028dce7a7ee068bddd86ad2def9a8fe222af4be72e8618f08423b8bd81a9f709bc86c161b63fc9bade35138386d8cc3411a8fe23c5a84ce9328

Download Submit
memory/2268-30-0x00007FFB060A0000-0x00007FFB06B61000-memory.dmp

Filesize
10.8MB

Download
memory/2268-28-0x00007FFB060A0000-0x00007FFB06B61000-memory.dmp

Filesize
10.8MB

Download
memory/2268-27-0x00007FFB060A0000-0x00007FFB06B61000-memory.dmp

Filesize
10.8MB

Download
memory/4980-7-0x000000001C170000-0x000000001C180000-memory.dmp

Filesize
64KB

Download
memory/4980-12-0x000000001C220000-0x000000001C22E000-memory.dmp

Filesize
56KB

Download
memory/4980-8-0x000000001C180000-0x000000001C18C000-memory.dmp

Filesize
48KB

Download
memory/4980-0-0x0000000000E80000-0x0000000001010000-memory.dmp

Filesize
1.6MB

Download
memory/4980-9-0x000000001C190000-0x000000001C1A2000-memory.dmp

Filesize
72KB

Download
memory/4980-10-0x000000001C910000-0x000000001CE38000-memory.dmp

Filesize
5.2MB

Download
memory/4980-11-0x000000001C210000-0x000000001C21E000-memory.dmp

Filesize
56KB

Download
memory/4980-6-0x000000001BC50000-0x000000001BC5C000-memory.dmp

Filesize
48KB

Download
memory/4980-22-0x00007FFB06480000-0x00007FFB06F41000-memory.dmp

Filesize
10.8MB

Download
memory/4980-5-0x000000001BC30000-0x000000001BC46000-memory.dmp

Filesize
88KB

Download
memory/4980-4-0x000000001C1C0000-0x000000001C210000-memory.dmp

Filesize
320KB

Download
memory/4980-3-0x000000001BB00000-0x000000001BB1C000-memory.dmp

Filesize
112KB

Download
memory/4980-2-0x000000001BC60000-0x000000001BC70000-memory.dmp

Filesize
64KB

Download
memory/4980-1-0x00007FFB06480000-0x00007FFB06F41000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads