dcrat | ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4

General

Target

2768c63cfbffae59b6c2c5483e804d14.exe
Size

1.1MB
MD5

2768c63cfbffae59b6c2c5483e804d14
SHA1

a577f6aa123f1b641a780ef4cf205b73c2b2bfc3
SHA256

ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4
SHA512

7ae59899ac9d77e98f5f52e2eeee350bade1aab284fc65bb64ba1ff605a8c7148ae535b8b69bb0fedfde6449becd87b5a0678ce241414d54b7b759c36dd0da04
SSDEEP

24576:U2G/nvxW3Ww0tkAyVPwER/v6Yq9/zI2SV6/6ODpvdcKRWksjQ:UbA30kAyRwE332SV6XDzRLs0

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	1252	schtasks.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1252	schtasks.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1252	schtasks.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1252	schtasks.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1252	schtasks.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	1252	schtasks.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1252	schtasks.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1252	schtasks.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1252	schtasks.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1252	schtasks.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1252	schtasks.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1252	schtasks.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1252	schtasks.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1252	schtasks.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	1252	schtasks.exe	23

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000014723-9.dat	dcrat
behavioral1/memory/2744-13-0x0000000001310000-0x00000000013E6000-memory.dmp	dcrat
behavioral1/memory/2000-30-0x0000000000310000-0x00000000003E6000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2744	MsRuntimeperf.exe
2000	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2716	cmd.exe
2716	cmd.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe	MsRuntimeperf.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe	MsRuntimeperf.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6203df4a6bafc7	MsRuntimeperf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\services.exe	MsRuntimeperf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\c5b4cb5e9653cc	MsRuntimeperf.exe
File created	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	MsRuntimeperf.exe
File created	C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24	MsRuntimeperf.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\services.exe	MsRuntimeperf.exe
File created	C:\Windows\de-DE\c5b4cb5e9653cc	MsRuntimeperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2528	schtasks.exe
2392	schtasks.exe
1916	schtasks.exe
2400	schtasks.exe
2772	schtasks.exe
2664	schtasks.exe
1976	schtasks.exe
2760	schtasks.exe
1792	schtasks.exe
2696	schtasks.exe
2976	schtasks.exe
2764	schtasks.exe
2164	schtasks.exe
1092	schtasks.exe
236	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	services.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2744	MsRuntimeperf.exe
2000	services.exe
2000	services.exe
2000	services.exe
2000	services.exe
2000	services.exe
2000	services.exe
2000	services.exe
2000	services.exe
2000	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2000	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	MsRuntimeperf.exe
Token: SeDebugPrivilege	2000	services.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2588	2108	2768c63cfbffae59b6c2c5483e804d14.exe	29
PID 2108 wrote to memory of 2588	2108	2768c63cfbffae59b6c2c5483e804d14.exe	29
PID 2108 wrote to memory of 2588	2108	2768c63cfbffae59b6c2c5483e804d14.exe	29
PID 2108 wrote to memory of 2588	2108	2768c63cfbffae59b6c2c5483e804d14.exe	29
PID 2588 wrote to memory of 2716	2588	WScript.exe	30
PID 2588 wrote to memory of 2716	2588	WScript.exe	30
PID 2588 wrote to memory of 2716	2588	WScript.exe	30
PID 2588 wrote to memory of 2716	2588	WScript.exe	30
PID 2716 wrote to memory of 2744	2716	cmd.exe	32
PID 2716 wrote to memory of 2744	2716	cmd.exe	32
PID 2716 wrote to memory of 2744	2716	cmd.exe	32
PID 2716 wrote to memory of 2744	2716	cmd.exe	32
PID 2744 wrote to memory of 2000	2744	MsRuntimeperf.exe	48
PID 2744 wrote to memory of 2000	2744	MsRuntimeperf.exe	48
PID 2744 wrote to memory of 2000	2744	MsRuntimeperf.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2768c63cfbffae59b6c2c5483e804d14.exe
"C:\Users\Admin\AppData\Local\Temp\2768c63cfbffae59b6c2c5483e804d14.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\portMonitor\7qmHZrFz6PlKEeySf7g6q7bPLdDi.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\portMonitor\1iRUSp.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\portMonitor\MsRuntimeperf.exe
      "C:\portMonitor\MsRuntimeperf.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\de-DE\services.exe
        
        "C:\Windows\de-DE\services.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\portMonitor\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\portMonitor\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\portMonitor\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\portMonitor\1iRUSp.bat

Filesize
34B

MD5
e7d861bf32c0cfdce43a988f7624094b

SHA1
ce94364c1662056c36487d1ad2a3910d60295567

SHA256
bf1a6596c9cb4f855e364b1b2f4e065d3c3db14814e4cb933a45dc1929604bab

SHA512
f4e9116284beb83c4b459f386fb1cb2573769c937082a3dd1efb5ebf73693e9ad03be4cb691476720d8a7841b29aea1bd8f57e7070e15baf293c0683dc553f04

Download Submit
C:\portMonitor\7qmHZrFz6PlKEeySf7g6q7bPLdDi.vbe

Filesize
194B

MD5
549bfbdf4b94348d8d90e99da8c2251e

SHA1
5a137b4eca702e1154f27729b4bd4de2e66e7562

SHA256
3d992a2df8f78acb01aacd43662b8ef67810149dd6c40b96f5d88ce9ba8e215e

SHA512
c3a5f93b0dde2d1a00133e22014d7b3b8d59c2780b426429d9fa98d3e32e66d6697de50af714b3375d82034f77feba7b90336b8d44767a2eaacd77129dc13793

Download Submit
\portMonitor\MsRuntimeperf.exe

Filesize
828KB

MD5
4168f956abf60ffe49acc17b2544866f

SHA1
92c00da15b67c3fbc23a74198b1220c55dc56fec

SHA256
19ad2d50f71214129742f9e3901ee595f760b36d5cac676911c3ee0ec7c6546d

SHA512
938a4e85094d517e0ca9ef96edd2dfef75accd5d7546da44a921be023dcd066fcab51688b1f7036f67f7dcd3d0e7aedafccc58abee2b22c15da1bb05ec002a0e

Download Submit
memory/2000-30-0x0000000000310000-0x00000000003E6000-memory.dmp

Filesize
856KB

Download
memory/2744-13-0x0000000001310000-0x00000000013E6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads