dcrat | 3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599

General

Target

3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe
Size

828KB
MD5

22f0ee640dc3afa425a67edeadfd8a00
SHA1

e88fd97e116108a4b765971cdddd7890bab0bbf0
SHA256

3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599
SHA512

db92030c1b38d57173aefa11e26a0d9a973097f496557da1a3f3303097901e344f56bc1c579cf7090ee0b07c168d54c31c45e83ad8f1e5edf595dcae50d86cdc
SSDEEP

12288:u7sJ0qn14m01koie9G0OmMr2LQO1IL2wBRZ5rUOX/TJAAeZdV:r0O4mBmaiR1I93n/TWA6V

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	3220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	3220	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/1856-1-0x0000000000840000-0x0000000000916000-memory.dmp	dcrat
C:\Windows\IME\de-DE\Idle.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe

Executes dropped EXE 1 IoCs

Processes:

upfc.exe

pid process

1944 upfc.exe

pid	process
1944	upfc.exe

Drops file in Program Files directory 6 IoCs

Processes:

3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\fontdrvhost.exe	3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe
File created	C:\Program Files\Uninstall Information\5b884080fd4f94	3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\TextInputHost.exe	3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\22eafd247d37c3	3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe
File created	C:\Program Files\7-Zip\Lang\SearchApp.exe	3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe
File created	C:\Program Files\7-Zip\Lang\38384e6a620884	3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe

Drops file in Windows directory 2 IoCs

Processes:

3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe

description	ioc	process
File created	C:\Windows\IME\de-DE\Idle.exe	3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe
File created	C:\Windows\IME\de-DE\6ccacd8608530f	3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1372	schtasks.exe
4716	schtasks.exe
5048	schtasks.exe
5056	schtasks.exe
232	schtasks.exe
4276	schtasks.exe
744	schtasks.exe
2104	schtasks.exe
4184	schtasks.exe
4868	schtasks.exe
3796	schtasks.exe
1996	schtasks.exe
2912	schtasks.exe
408	schtasks.exe
3732	schtasks.exe
4052	schtasks.exe
2160	schtasks.exe
4036	schtasks.exe
4516	schtasks.exe
3688	schtasks.exe
1668	schtasks.exe

Modifies registry class 1 IoCs

Processes:

3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exeupfc.exe

pid	process
1856	3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe
1944	upfc.exe
1944	upfc.exe
1944	upfc.exe
1944	upfc.exe
1944	upfc.exe
1944	upfc.exe
1944	upfc.exe
1944	upfc.exe
1944	upfc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

upfc.exe

pid process

1944 upfc.exe

pid	process
1944	upfc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exeupfc.exe

description	pid	process
Token: SeDebugPrivilege	1856	3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe
Token: SeDebugPrivilege	1944	upfc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.execmd.exe

description	pid	process	target process
PID 1856 wrote to memory of 512	1856	3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe	cmd.exe
PID 1856 wrote to memory of 512	1856	3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe	cmd.exe
PID 512 wrote to memory of 1884	512	cmd.exe	w32tm.exe
PID 512 wrote to memory of 1884	512	cmd.exe	w32tm.exe
PID 512 wrote to memory of 1944	512	cmd.exe	upfc.exe
PID 512 wrote to memory of 1944	512	cmd.exe	upfc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe
"C:\Users\Admin\AppData\Local\Temp\3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sYerKuc8i8.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1884
- - C:\Users\Default\upfc.exe
    "C:\Users\Default\upfc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\Default\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\de-DE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\IME\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sYerKuc8i8.bat

Filesize
190B

MD5
e852632572b45dea6ea1da79b6deef7e

SHA1
a8db04792cc861541de5bf8113f606191195611f

SHA256
71bb129b1b170092826d9aee25942393e93df15008d9ca23c3c499434d1671ea

SHA512
f8ceab1d020d32516c24e4eafb4b68b0023b353bd06989b845c608c77ee169bbf36f2e11a72bcc19481a46ece82e67b60d3301845923ab82dbad03dbb1673002

Download Submit
C:\Windows\IME\de-DE\Idle.exe

Filesize
828KB

MD5
22f0ee640dc3afa425a67edeadfd8a00

SHA1
e88fd97e116108a4b765971cdddd7890bab0bbf0

SHA256
3b79471f27a94bec8b1f2d203691700f2ecf92cb295abc500b5bce7e49714599

SHA512
db92030c1b38d57173aefa11e26a0d9a973097f496557da1a3f3303097901e344f56bc1c579cf7090ee0b07c168d54c31c45e83ad8f1e5edf595dcae50d86cdc

Download Submit
memory/1856-0-0x00007FFF10A13000-0x00007FFF10A15000-memory.dmp

Filesize
8KB

Download
memory/1856-1-0x0000000000840000-0x0000000000916000-memory.dmp

Filesize
856KB

Download
memory/1856-4-0x00007FFF10A10000-0x00007FFF114D1000-memory.dmp

Filesize
10.8MB

Download
memory/1856-22-0x00007FFF10A10000-0x00007FFF114D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads