dcrat | 0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc

General

Target

0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe
Size

1.1MB
MD5

48e5ef4a0ca234c29ceecab25fe23d91
SHA1

058fec1d069ba2dd6f7ef3af7ff65066b5b9f7b9
SHA256

0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc
SHA512

6ba2d8666b43f80e86e1fbf8f4a694d1fe165d86d467ace38094adc585f77a68665dfa7ea7f2dc55ea8977971926b0cc947f410738e8670d8b344471f07dd65b
SSDEEP

24576:U2G/nvxW3Ww0tLmbqJB7ioiB9yzs9/Hi+i01ZxtYZH:UbA30Lmby7Or9vDE

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	3004	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	3004	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\ReviewHost\brokercrt.exe	dcrat
behavioral1/memory/2936-13-0x00000000002F0000-0x00000000003C6000-memory.dmp	dcrat
behavioral1/memory/2936-15-0x0000000000660000-0x00000000006E0000-memory.dmp	dcrat
behavioral1/memory/2380-37-0x0000000000B80000-0x0000000000C56000-memory.dmp	dcrat
behavioral1/memory/2380-38-0x000000001B070000-0x000000001B0F0000-memory.dmp	dcrat
behavioral1/memory/2380-40-0x000000001B070000-0x000000001B0F0000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

brokercrt.exeSystem.exe

pid process

2936 brokercrt.exe
2380 System.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2864 cmd.exe
2864 cmd.exe

pid	process
2864	cmd.exe
2864	cmd.exe

Drops file in Program Files directory 2 IoCs

Processes:

brokercrt.exe

description	ioc	process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe	brokercrt.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\886983d96e3d3e	brokercrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1960	schtasks.exe
2268	schtasks.exe
2832	schtasks.exe
1704	schtasks.exe
2256	schtasks.exe
1692	schtasks.exe
2188	schtasks.exe
2632	schtasks.exe
2568	schtasks.exe
2428	schtasks.exe
2468	schtasks.exe
2420	schtasks.exe
2608	schtasks.exe
2552	schtasks.exe
1252	schtasks.exe
2656	schtasks.exe
2752	schtasks.exe
2612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

brokercrt.exeSystem.exe

pid	process
2936	brokercrt.exe
2380	System.exe
2380	System.exe
2380	System.exe
2380	System.exe
2380	System.exe
2380	System.exe
2380	System.exe
2380	System.exe
2380	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

brokercrt.exeSystem.exe

description pid process

Token: SeDebugPrivilege 2936 brokercrt.exe
Token: SeDebugPrivilege 2380 System.exe

description	pid	process
Token: SeDebugPrivilege	2936	brokercrt.exe
Token: SeDebugPrivilege	2380	System.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exeWScript.execmd.exebrokercrt.execmd.exe

description	pid	process	target process
PID 2136 wrote to memory of 476	2136	0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe	WScript.exe
PID 2136 wrote to memory of 476	2136	0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe	WScript.exe
PID 2136 wrote to memory of 476	2136	0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe	WScript.exe
PID 2136 wrote to memory of 476	2136	0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe	WScript.exe
PID 476 wrote to memory of 2864	476	WScript.exe	cmd.exe
PID 476 wrote to memory of 2864	476	WScript.exe	cmd.exe
PID 476 wrote to memory of 2864	476	WScript.exe	cmd.exe
PID 476 wrote to memory of 2864	476	WScript.exe	cmd.exe
PID 2864 wrote to memory of 2936	2864	cmd.exe	brokercrt.exe
PID 2864 wrote to memory of 2936	2864	cmd.exe	brokercrt.exe
PID 2864 wrote to memory of 2936	2864	cmd.exe	brokercrt.exe
PID 2864 wrote to memory of 2936	2864	cmd.exe	brokercrt.exe
PID 2936 wrote to memory of 2164	2936	brokercrt.exe	cmd.exe
PID 2936 wrote to memory of 2164	2936	brokercrt.exe	cmd.exe
PID 2936 wrote to memory of 2164	2936	brokercrt.exe	cmd.exe
PID 2164 wrote to memory of 2336	2164	cmd.exe	w32tm.exe
PID 2164 wrote to memory of 2336	2164	cmd.exe	w32tm.exe
PID 2164 wrote to memory of 2336	2164	cmd.exe	w32tm.exe
PID 2164 wrote to memory of 2380	2164	cmd.exe	System.exe
PID 2164 wrote to memory of 2380	2164	cmd.exe	System.exe
PID 2164 wrote to memory of 2380	2164	cmd.exe	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe
"C:\Users\Admin\AppData\Local\Temp\0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:476

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ReviewHost\Qtt5UtOWbMYxPmztsNxVxiRIZauHb.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864

C:\ReviewHost\brokercrt.exe
"C:\ReviewHost\brokercrt.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vY3w7treqw.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2336

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\ReviewHost\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ReviewHost\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\ReviewHost\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe
Filesize
216B

MD5
7b4906d1cb87de73f115581dcaf9e232

SHA1
0e02caa3ce91fc59267606430158c7d3e112b700

SHA256
9c3b3e61ce002f1d33d5228dbbf535400f16646f1d83747251ff7849c5a32495

SHA512
5f6f967a49c329a6946bbe0c2d43ad4751d9a914ddf244c1055fb0678a1982f60401dbdbde153b2027652e23eb83e2ac7d9be77a897d5023435e3aef65aabb96

Download Submit
C:\ReviewHost\Qtt5UtOWbMYxPmztsNxVxiRIZauHb.bat
Filesize
29B

MD5
17370288e4e03fad288831ae1f887483

SHA1
8afdd43b5b01ee9517981e8e285113e2a08305f2

SHA256
ab7fe15930980a0b150427e5a7bda9234292fa63e6358654ea2e356ddbceaf66

SHA512
00e0253a0ca8ac0e8f44b716ed4357ac4790d2809172fdc5385607a888449e03f634444ac8e8689615a0ad7ed162f6b42ec4e0b2aecea532c66575d047f22162

Download Submit
C:\ReviewHost\brokercrt.exe
Filesize
828KB

MD5
96b975481850add8ccb0353227eceb87

SHA1
f201465c8e9eef2193c0023e5593f901d0c2a7f0

SHA256
0032fb8bb3e91a8063a769e8504814f02222448c01b61e3990b35316525057c9

SHA512
27a4100a0f3b8e859436859f2ed23207ce7d4236d42881b6d79b1591816864921a00d98693a60d6c9444dbefd95c3833bc86ec0a20953f9d3b249ea7f527b6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vY3w7treqw.bat
Filesize
238B

MD5
a5af3135531970a77c9a6cc4e55ec941

SHA1
a20b42ae81248707a245419ff914c701b795a6ba

SHA256
d5fad4dddb199a3faf92794044d5eecf8af9ee9415b78ee7d7165a76b9b42d5e

SHA512
8bf40a5d4d52d7ecfd9dce50cc157b6e629092b433207cde70fb5c75710da2bf0e5f9e809d9cc044ed5df0823b89cbde5b939f0681454993ff4889ae39d2b754

Download Submit
memory/2380-37-0x0000000000B80000-0x0000000000C56000-memory.dmp

Filesize
856KB

Download
memory/2380-36-0x000007FEF4960000-0x000007FEF534C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-38-0x000000001B070000-0x000000001B0F0000-memory.dmp

Filesize
512KB

Download
memory/2380-39-0x000007FEF4960000-0x000007FEF534C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-40-0x000000001B070000-0x000000001B0F0000-memory.dmp

Filesize
512KB

Download
memory/2936-15-0x0000000000660000-0x00000000006E0000-memory.dmp

Filesize
512KB

Download
memory/2936-14-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-33-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-13-0x00000000002F0000-0x00000000003C6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads