dcrat | 3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca

General

Target

3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca.exe
Size

1.1MB
MD5

97a02921ff06b071f3a85c0e8cc98a80
SHA1

9638ac7c260c4b02e66b16b2f23b048020aeb84b
SHA256

3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca
SHA512

6446cdbfccdeaa4f402e18b93bb41981ff55da2be3cff8190bc68a3f1228e0a15bb2c81a3c5b04901941c49749b10311a784d8692d1f18e5df93b2e7d1c84d3c
SSDEEP

12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbEG5jtTrn0BGL81k/cX47Ct9lzIquqyWWg+j:U2G/nvxW3Ww0tb5jtTrnKGL81IGhNWrj

Score

10^/10

dcrat evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	4076	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	4076	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	4076	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	4076	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	4076	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	4076	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	4076	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	4076	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4076	schtasks.exe	94

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b84-10.dat	dcrat
behavioral2/memory/3808-13-0x00000000003A0000-0x0000000000476000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	containerBrowser.exe

Executes dropped EXE 2 IoCs

pid	Process
3808	containerBrowser.exe
2460	WaaSMedicAgent.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe	containerBrowser.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\38384e6a620884	containerBrowser.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3180	schtasks.exe
3264	schtasks.exe
2052	schtasks.exe
4868	schtasks.exe
4104	schtasks.exe
1112	schtasks.exe
3104	schtasks.exe
4920	schtasks.exe
2368	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings	3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1476	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3808	containerBrowser.exe
2460	WaaSMedicAgent.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3808	containerBrowser.exe
Token: SeDebugPrivilege	2460	WaaSMedicAgent.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 4080	1352	3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca.exe	84
PID 1352 wrote to memory of 4080	1352	3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca.exe	84
PID 1352 wrote to memory of 4080	1352	3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca.exe	84
PID 4080 wrote to memory of 3560	4080	WScript.exe	95
PID 4080 wrote to memory of 3560	4080	WScript.exe	95
PID 4080 wrote to memory of 3560	4080	WScript.exe	95
PID 3560 wrote to memory of 3808	3560	cmd.exe	97
PID 3560 wrote to memory of 3808	3560	cmd.exe	97
PID 3808 wrote to memory of 2460	3808	containerBrowser.exe	108
PID 3808 wrote to memory of 2460	3808	containerBrowser.exe	108
PID 3560 wrote to memory of 1476	3560	cmd.exe	109
PID 3560 wrote to memory of 1476	3560	cmd.exe	109
PID 3560 wrote to memory of 1476	3560	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca.exe
"C:\Users\Admin\AppData\Local\Temp\3f4fe6774def87f9863396e9658ada2e2ca054546bda713c9bccb92da9594aca.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\PortsavesPerf\U6MRif7wI0NSqRCdXq7.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\PortsavesPerf\hJsxnUKrLCS3yQKa5fb3Y66OFD.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\PortsavesPerf\containerBrowser.exe
      "C:\PortsavesPerf\containerBrowser.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3808
    - - C:\Recovery\WindowsRE\WaaSMedicAgent.exe
        
        "C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\PortsavesPerf\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PortsavesPerf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\PortsavesPerf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortsavesPerf\U6MRif7wI0NSqRCdXq7.vbe

Filesize
216B

MD5
9bb2da5381080e407e64affacbc67b2f

SHA1
d39dc35480f9b746bc60efe8735c5541fd7aadba

SHA256
4014393f351e14a53b4a42ead28d928676a928d7df2240a3e845a6805923c030

SHA512
4b73197619740a979a158fb981b52a90042999f07d07a2264af4ce5f5206fb1d2d9fcf42e2f44be7b0db31601f1837ce7d61441f6985e580ed98c508989c945e

Download Submit
C:\PortsavesPerf\containerBrowser.exe

Filesize
829KB

MD5
1b6b2f3deace33ef5fbbb4f8057b8f25

SHA1
b9afa0b860787fd266c64a3b19f6cc4afbe7210c

SHA256
ce9abc1507bb5f616d83ed973bd1106d6c36cf341671bf64b46419b0a70a4780

SHA512
3e9a74d7d8a1bbbf87962739ada3e84c1c9ef846a0fbb3136a0deb6466d1d694dc0411d25c30c649d82b7f323652ba5cfe93ca3dceb3aecfd65f242928f32284

Download Submit
C:\PortsavesPerf\hJsxnUKrLCS3yQKa5fb3Y66OFD.bat

Filesize
151B

MD5
e24968c713b38d6112765022337c6925

SHA1
8724cd05ae5399fabdddb9f5427cfefef08f5317

SHA256
0fce76ab3179ed90a42087adad788f2eaf94b878c674bca2a794efd14179d932

SHA512
04fb870ad74ecfeb7ab8c170910d4518f5df68033aad5c13f643a8c307b3f6bca6b5036c8916420aa81dd1b1fbd1237490da9a673fb4dce6cd17141f678a0a11

Download Submit
memory/3808-13-0x00000000003A0000-0x0000000000476000-memory.dmp

Filesize
856KB

Download
memory/3808-12-0x00007FFF9DE23000-0x00007FFF9DE25000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads