dcrat | 7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e

General

Target

vxvault.net_5.exe
Size

1.1MB
MD5

6e6f8bc0dbceec859f9baaff0ebe2811
SHA1

495b4434e34bbf6c432718ee6fac880f16be49a0
SHA256

7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e
SHA512

aab1bba5a4fc395f2d378bfc2bad098ce4efbeadacea47f650e16afd99373d518fd2cf9f8c30422cd34939d04d2e05ac9fc5ee8b48d6f5bc8f7cbb19d1bfeac7
SSDEEP

24576:U2G/nvxW3Ww0tkqV9bjWrJeQfBmAL6PLRr0UeJ:UbA30kqIJR/

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	2340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	2340	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe	dcrat
behavioral1/memory/1552-12-0x0000000000810000-0x00000000008E6000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeagentDllDhcp.exevxvault.net_5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	agentDllDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	vxvault.net_5.exe

Executes dropped EXE 2 IoCs

Processes:

agentDllDhcp.exeWmiPrvSE.exe

pid process

1552 agentDllDhcp.exe
4216 WmiPrvSE.exe

pid	process
1552	agentDllDhcp.exe
4216	WmiPrvSE.exe

Drops file in Program Files directory 5 IoCs

Processes:

agentDllDhcp.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe	agentDllDhcp.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\24dbde2999530e	agentDllDhcp.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\csrss.exe	agentDllDhcp.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\csrss.exe	agentDllDhcp.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\886983d96e3d3e	agentDllDhcp.exe

Drops file in Windows directory 2 IoCs

Processes:

agentDllDhcp.exe

description ioc process

File created C:\Windows\twain_32\5940a34987c991 agentDllDhcp.exe
File created C:\Windows\twain_32\dllhost.exe agentDllDhcp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\twain_32\5940a34987c991	agentDllDhcp.exe
File created	C:\Windows\twain_32\dllhost.exe	agentDllDhcp.exe

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3460	schtasks.exe
4304	schtasks.exe
5032	schtasks.exe
388	schtasks.exe
64	schtasks.exe
1664	schtasks.exe
932	schtasks.exe
4772	schtasks.exe
4836	schtasks.exe
456	schtasks.exe
4920	schtasks.exe
2612	schtasks.exe
1732	schtasks.exe
728	schtasks.exe
2660	schtasks.exe
4224	schtasks.exe
3596	schtasks.exe
4496	schtasks.exe
3412	schtasks.exe
2148	schtasks.exe
4324	schtasks.exe

Modifies registry class 1 IoCs

Processes:

vxvault.net_5.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings vxvault.net_5.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

agentDllDhcp.exeWmiPrvSE.exe

pid process

1552 agentDllDhcp.exe
1552 agentDllDhcp.exe
1552 agentDllDhcp.exe
1552 agentDllDhcp.exe
1552 agentDllDhcp.exe
1552 agentDllDhcp.exe
4216 WmiPrvSE.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

agentDllDhcp.exeWmiPrvSE.exe

description pid process

Token: SeDebugPrivilege 1552 agentDllDhcp.exe
Token: SeDebugPrivilege 4216 WmiPrvSE.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	vxvault.net_5.exe

pid	process
1552	agentDllDhcp.exe
1552	agentDllDhcp.exe
1552	agentDllDhcp.exe
1552	agentDllDhcp.exe
1552	agentDllDhcp.exe
1552	agentDllDhcp.exe
4216	WmiPrvSE.exe

description	pid	process
Token: SeDebugPrivilege	1552	agentDllDhcp.exe
Token: SeDebugPrivilege	4216	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

vxvault.net_5.exeWScript.execmd.exeagentDllDhcp.exe

description	pid	process	target process
PID 4584 wrote to memory of 368	4584	vxvault.net_5.exe	WScript.exe
PID 4584 wrote to memory of 368	4584	vxvault.net_5.exe	WScript.exe
PID 4584 wrote to memory of 368	4584	vxvault.net_5.exe	WScript.exe
PID 368 wrote to memory of 1532	368	WScript.exe	cmd.exe
PID 368 wrote to memory of 1532	368	WScript.exe	cmd.exe
PID 368 wrote to memory of 1532	368	WScript.exe	cmd.exe
PID 1532 wrote to memory of 1552	1532	cmd.exe	agentDllDhcp.exe
PID 1532 wrote to memory of 1552	1532	cmd.exe	agentDllDhcp.exe
PID 1552 wrote to memory of 4216	1552	agentDllDhcp.exe	WmiPrvSE.exe
PID 1552 wrote to memory of 4216	1552	agentDllDhcp.exe	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\vxvault.net_5.exe
"C:\Users\Admin\AppData\Local\Temp\vxvault.net_5.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe
      "C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1552
    - - C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\BlockComponentwebMonitordhcp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\BlockComponentwebMonitordhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\twain_32\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat

Filesize
50B

MD5
40763ae8cfc178ff43b09dbd8aeb8e24

SHA1
81c31ec6a3fb0ccb59bf4ef2e6653405cdc2534c

SHA256
7b94af95b84b86d3b7dedd796d45f4ece48521897bfbcda1049002ceb0f27f7c

SHA512
a63bc49760984ae681df2663fa0590660036bf4cddfdfa7f634bcd51147c8e94b7d973ef425716bdd58ccc812d44be6a0682636e6faab84f94756b5e97ecb359

Download Submit
C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe

Filesize
217B

MD5
1efe4b745c309f0d730c394a6d1bd25f

SHA1
8831671936036e79c4daa914d14455c8e2808081

SHA256
3dca4af9d3b59a3c498492bf9ddd94961df9f95d535836caa2b8ba710aa73f7e

SHA512
9c9a4292c96c6a727a7601831a6ec3f2c11968f898996c14c9bc7c1fb4ce66e9fffd2fabec13d9929ad220956263eecaf5c704833dd7f021a805a438f586ca39

Download Submit
C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe

Filesize
828KB

MD5
6b3e49b6d32aca957297d8c71e698737

SHA1
73294c085a65af8528ea636ee15132020ba38fe5

SHA256
fef594135e18a708750abad999febeba51d6efe9d6d3073f02a1acb12731eed8

SHA512
151ce51cbcce1ee4cb8b145b02124efc1cb93ef9320da60321cd179d8544930c7f2aa9af4cd4ddd0a71dc32ef5b0069fd8e6bb5e76359d3286d526ccf7e5510b

Download Submit
memory/1552-12-0x0000000000810000-0x00000000008E6000-memory.dmp

Filesize
856KB

Download
memory/1552-13-0x00007FFFAE260000-0x00007FFFAED21000-memory.dmp

Filesize
10.8MB

Download
memory/1552-14-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/1552-40-0x00007FFFAE260000-0x00007FFFAED21000-memory.dmp

Filesize
10.8MB

Download
memory/4216-41-0x00007FFFAE260000-0x00007FFFAED21000-memory.dmp

Filesize
10.8MB

Download
memory/4216-42-0x0000000001970000-0x0000000001980000-memory.dmp

Filesize
64KB

Download
memory/4216-44-0x00007FFFAE260000-0x00007FFFAED21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads