dcrat | 3c5af308bf4ddad79422caea4295d14ae2e5628a600ac7ddcc2a77a0a070d207

General

Target

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
Size

3.0MB
MD5

2600cbb9ad38c10aca6ac4a91900cc84
SHA1

f670e02edea5048e57c089ae4042f1f00a5790f0
SHA256

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847
SHA512

06da17684e3d84105b9872d1b74af780d0ffcbf80c2e2aae08ecde9c7991372feb4498594ec62468049e739ec71c11ddc3bf3aa05ea1875178e235441819a00b
SSDEEP

49152:0f2OK9jJIoFe/S7zrfL3pmRk/5JaANZr/LHFTYUjy3/q3KgW:19jlw8rfjpmRc3/ZvlTtjVj

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2500	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2500	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2952-0-0x0000000000AE0000-0x0000000000D68000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe	dcrat
behavioral1/memory/1480-34-0x0000000000960000-0x0000000000BE8000-memory.dmp	dcrat
behavioral1/memory/1480-36-0x000000001AEB0000-0x000000001AF30000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1480 services.exe

pid	process
1480	services.exe

Drops file in Program Files directory 7 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\lua\spoolsv.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files\VideoLAN\VLC\lua\f3b6ecef712a24	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\56085415360792	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files\Windows Portable Devices\services.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

Drops file in Windows directory 2 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\audiodg.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Windows\ServiceProfiles\LocalService\42af1c969fbb7b	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2700	schtasks.exe
2884	schtasks.exe
1568	schtasks.exe
2480	schtasks.exe
400	schtasks.exe
1628	schtasks.exe
2864	schtasks.exe
2880	schtasks.exe
2620	schtasks.exe
1620	schtasks.exe
2604	schtasks.exe
2456	schtasks.exe
2712	schtasks.exe
2468	schtasks.exe
1716	schtasks.exe
2616	schtasks.exe
2564	schtasks.exe
2404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exeservices.exe

pid	process
2952	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2952	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2952	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe
1480	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	2952	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
Token: SeDebugPrivilege	1480	services.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.execmd.exe

description	pid	process	target process
PID 2952 wrote to memory of 1636	2952	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe	cmd.exe
PID 2952 wrote to memory of 1636	2952	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe	cmd.exe
PID 2952 wrote to memory of 1636	2952	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe	cmd.exe
PID 1636 wrote to memory of 2624	1636	cmd.exe	w32tm.exe
PID 1636 wrote to memory of 2624	1636	cmd.exe	w32tm.exe
PID 1636 wrote to memory of 2624	1636	cmd.exe	w32tm.exe
PID 1636 wrote to memory of 1480	1636	cmd.exe	services.exe
PID 1636 wrote to memory of 1480	1636	cmd.exe	services.exe
PID 1636 wrote to memory of 1480	1636	cmd.exe	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
"C:\Users\Admin\AppData\Local\Temp\e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\brmuUhowEp.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2624

C:\Program Files\Windows Portable Devices\services.exe
"C:\Program Files\Windows Portable Devices\services.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Links\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\lua\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\LocalService\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\LocalService\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
3.0MB

MD5
2600cbb9ad38c10aca6ac4a91900cc84

SHA1
f670e02edea5048e57c089ae4042f1f00a5790f0

SHA256
e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847

SHA512
06da17684e3d84105b9872d1b74af780d0ffcbf80c2e2aae08ecde9c7991372feb4498594ec62468049e739ec71c11ddc3bf3aa05ea1875178e235441819a00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\brmuUhowEp.bat

Filesize
219B

MD5
179e9d507724d86e46cf529bd15f49b0

SHA1
b2d191ff1772fb7d14e5416fabecc311f87ee874

SHA256
49462656acb668aeb1b2fe7264c6226a139d976cc886a93b2c787a37e4f5f6e0

SHA512
db8a1a90f19d7d860de9aa7f149c2bfaba4c7ce706510a9410245d7193931e30a9e2b74932960babc3786aac4a138d795abc1d6a5ba7baae19625ccb5798fdcb

Download Submit
memory/1480-40-0x000007FEF4EF0000-0x000007FEF58DC000-memory.dmp

Filesize
9.9MB

Download
memory/1480-39-0x000000001AEB0000-0x000000001AF30000-memory.dmp

Filesize
512KB

Download
memory/1480-38-0x000007FEF4EF0000-0x000007FEF58DC000-memory.dmp

Filesize
9.9MB

Download
memory/1480-37-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/1480-36-0x000000001AEB0000-0x000000001AF30000-memory.dmp

Filesize
512KB

Download
memory/1480-35-0x000007FEF4EF0000-0x000007FEF58DC000-memory.dmp

Filesize
9.9MB

Download
memory/1480-34-0x0000000000960000-0x0000000000BE8000-memory.dmp

Filesize
2.5MB

Download
memory/2952-6-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2952-31-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2952-11-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/2952-12-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download
memory/2952-13-0x00000000023B0000-0x00000000023BC000-memory.dmp

Filesize
48KB

Download
memory/2952-9-0x00000000021E0000-0x00000000021EE000-memory.dmp

Filesize
56KB

Download
memory/2952-8-0x0000000000A50000-0x0000000000A5C000-memory.dmp

Filesize
48KB

Download
memory/2952-10-0x00000000021F0000-0x00000000021F8000-memory.dmp

Filesize
32KB

Download
memory/2952-7-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2952-0-0x0000000000AE0000-0x0000000000D68000-memory.dmp

Filesize
2.5MB

Download
memory/2952-5-0x0000000002170000-0x00000000021C6000-memory.dmp

Filesize
344KB

Download
memory/2952-4-0x0000000000A30000-0x0000000000A46000-memory.dmp

Filesize
88KB

Download
memory/2952-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/2952-2-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/2952-1-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads