dcrat | 67e68d1933e87f680f063203e7e243c33deba2dfdbcd2bb08e9205d3fff26fb8

Analysis

max time kernel
128s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2222-main/Build.exe
Size

1.8MB
MD5

9886d20dd6f3d896861cc5f8ea0ca84b
SHA1

96ab3affa0279d5795a29f3e1ecae37546b8bb11
SHA256

56ec9503792bc40353a2f197bb3a6561325d66dfe914573a9fea9ccdedd98929
SHA512

02272f3a85b44fa8e6806356492109474c57c2d7da7f55cba4d93e4983162ed48582a73723d06689c9e89e87ba6ed8c30e409676669af0d8604d23288cfe8079
SSDEEP

49152:UbA30gth6l+eGtUvcx+GXJsVXu6jFKpveKB:Ubkth6l8x+GX4erpvzB

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 5 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

Build.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	Build.exe
3408	schtasks.exe
4420	schtasks.exe
4456	schtasks.exe
1488	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Connections Rontime Broker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\conhost.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\conhost.exe\", \"C:\\Windows\\System32\\twinapi.appcore\\taskhostw.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\conhost.exe\", \"C:\\Windows\\System32\\twinapi.appcore\\taskhostw.exe\", \"C:\\Windows\\appcompat\\encapsulation\\RuntimeBroker.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\conhost.exe\", \"C:\\Windows\\System32\\twinapi.appcore\\taskhostw.exe\", \"C:\\Windows\\appcompat\\encapsulation\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\services.exe\""	Connections Rontime Broker.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe	dcrat
behavioral2/memory/3616-12-0x00000000000C0000-0x0000000000242000-memory.dmp	dcrat
C:\Windows\appcompat\encapsulation\RuntimeBroker.exe	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Build.exeWScript.exeConnections Rontime Broker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	Build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	Connections Rontime Broker.exe

Executes dropped EXE 2 IoCs

Processes:

Connections Rontime Broker.exeRuntimeBroker.exe

pid process

3616 Connections Rontime Broker.exe
1916 RuntimeBroker.exe

pid	process
3616	Connections Rontime Broker.exe
1916	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Connections Rontime Broker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Documents and Settings\\conhost.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\twinapi.appcore\\taskhostw.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\twinapi.appcore\\taskhostw.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\appcompat\\encapsulation\\RuntimeBroker.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\appcompat\\encapsulation\\RuntimeBroker.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\""	Connections Rontime Broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Documents and Settings\\conhost.exe\""	Connections Rontime Broker.exe

Drops file in System32 directory 2 IoCs

Processes:

Connections Rontime Broker.exe

description	ioc	process
File created	C:\Windows\System32\twinapi.appcore\taskhostw.exe	Connections Rontime Broker.exe
File created	C:\Windows\System32\twinapi.appcore\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988	Connections Rontime Broker.exe

Drops file in Windows directory 2 IoCs

Processes:

Connections Rontime Broker.exe

description	ioc	process
File created	C:\Windows\appcompat\encapsulation\RuntimeBroker.exe	Connections Rontime Broker.exe
File created	C:\Windows\appcompat\encapsulation\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	Connections Rontime Broker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4420 schtasks.exe
4456 schtasks.exe
1488 schtasks.exe
3408 schtasks.exe
Modifies registry class 1 IoCs

Processes:

Build.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings Build.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Connections Rontime Broker.exe

pid process

3616 Connections Rontime Broker.exe
3616 Connections Rontime Broker.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Connections Rontime Broker.exe

description pid process

Token: SeDebugPrivilege 3616 Connections Rontime Broker.exe

pid	process
4420	schtasks.exe
4456	schtasks.exe
1488	schtasks.exe
3408	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings	Build.exe

pid	process
3616	Connections Rontime Broker.exe
3616	Connections Rontime Broker.exe

description	pid	process
Token: SeDebugPrivilege	3616	Connections Rontime Broker.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Build.exeWScript.execmd.exeConnections Rontime Broker.exe

description	pid	process	target process
PID 4180 wrote to memory of 440	4180	Build.exe	WScript.exe
PID 4180 wrote to memory of 440	4180	Build.exe	WScript.exe
PID 4180 wrote to memory of 440	4180	Build.exe	WScript.exe
PID 440 wrote to memory of 1496	440	WScript.exe	cmd.exe
PID 440 wrote to memory of 1496	440	WScript.exe	cmd.exe
PID 440 wrote to memory of 1496	440	WScript.exe	cmd.exe
PID 1496 wrote to memory of 3616	1496	cmd.exe	Connections Rontime Broker.exe
PID 1496 wrote to memory of 3616	1496	cmd.exe	Connections Rontime Broker.exe
PID 3616 wrote to memory of 3408	3616	Connections Rontime Broker.exe	schtasks.exe
PID 3616 wrote to memory of 3408	3616	Connections Rontime Broker.exe	schtasks.exe
PID 3616 wrote to memory of 4420	3616	Connections Rontime Broker.exe	schtasks.exe
PID 3616 wrote to memory of 4420	3616	Connections Rontime Broker.exe	schtasks.exe
PID 3616 wrote to memory of 4456	3616	Connections Rontime Broker.exe	schtasks.exe
PID 3616 wrote to memory of 4456	3616	Connections Rontime Broker.exe	schtasks.exe
PID 3616 wrote to memory of 1488	3616	Connections Rontime Broker.exe	schtasks.exe
PID 3616 wrote to memory of 1488	3616	Connections Rontime Broker.exe	schtasks.exe
PID 3616 wrote to memory of 1916	3616	Connections Rontime Broker.exe	RuntimeBroker.exe
PID 3616 wrote to memory of 1916	3616	Connections Rontime Broker.exe	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe"
1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
      "C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3616
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Documents and Settings\conhost.exe'" /rl HIGHEST /f
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3408
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\twinapi.appcore\taskhostw.exe'" /rl HIGHEST /f
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:4420
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\RuntimeBroker.exe'" /rl HIGHEST /f
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:4456
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1488
    - - C:\Windows\appcompat\encapsulation\RuntimeBroker.exe
        
        "C:\Windows\appcompat\encapsulation\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        
        PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe

Filesize
1.5MB

MD5
413be497be904c09aa8bfe8f0182a949

SHA1
9c5a69c83dbe2629290823d33c0afbce6d37f7bf

SHA256
6cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21

SHA512
01d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe

Filesize
273B

MD5
559cdf34199c7353804d3d3550ccc3a3

SHA1
43da9eae85816d75b10f537452a9b5c2ef9ae1f6

SHA256
c1475bfc785af561b6954cd740f44083bbdb6e15b1dabbc2249e35b5eae82108

SHA512
a4431b8817a1464f54f01bc223f01c4673521e99289c010a4158d25bbe542a735b59d6a6de406e2a0efb3ed20de5958cf6bea5acb14069b9f690b0cde619c86c

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat

Filesize
108B

MD5
d5f5523af702e22a702e95fadf058335

SHA1
e495f695eed69a9af60dd6303b20ce0df82cadbb

SHA256
5ae2bbf6e9576cb737edef26860e3f843c13b78cd77ed31ebb5578d80dbbcac3

SHA512
f0fbc8757d2083e8ea93f059d0fad236c2e45f8db67c6cf11801a225bee758f0761c5eac2d468c646adcf86028f3317931e704778cc5f2d971403873c3de82b6

Download Submit
C:\Windows\appcompat\encapsulation\RuntimeBroker.exe

Filesize
833KB

MD5
f947ecce0506d3b47f920c9e7d53c0b1

SHA1
9ba390f4adf3a66531b3c98028edc6fbffeea54d

SHA256
da497cdcf03238e1ca3f83c767ee5931950141f6af7385714674e886d70c3273

SHA512
90fd9c76541df344a99c21d8dfecd3b467755b69ab5e550efb2095820c37943c77e04c7275cc130d205a17f58577a325bbc4c98eb886136caf88419ea36e7c23

Download Submit
memory/3616-12-0x00000000000C0000-0x0000000000242000-memory.dmp

Filesize
1.5MB

Download
memory/3616-13-0x00007FF900F20000-0x00007FF9019E1000-memory.dmp

Filesize
10.8MB

Download
memory/3616-14-0x000000001AEA0000-0x000000001AEB0000-memory.dmp

Filesize
64KB

Download
memory/3616-33-0x00007FF900F20000-0x00007FF9019E1000-memory.dmp

Filesize
10.8MB

Download