dcrat | ac8a08a5dd79ab90a206fe5f79c6d0982a3d9f21ea23daae9e0a04a0edd65892

General

Target

LegacyPhasmo/start.exe
Size

1.1MB
MD5

7002fdc4d02a4ed4a5a6f56bc40efcef
SHA1

cef5ea6d5507392e4fd5cb9511160f4882b4d8b8
SHA256

6fddd93899ba0f1de262aa86d1e7f4ed3df8b29e9d2b9679d42b5a81addea6f4
SHA512

d5859012071a604563d96c8cffb9a5f12ae5a085b0160d3e90de140bd50c752d97287c1810140d72bf2404880fecd8332a458005e5e8052f5ad74cf11f12a538
SSDEEP

24576:U2G/nvxW3Ww0t6eSgFX3x5aC6FRMzpC6nHZW/n:UbA306e9FTtYeP0P

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	4548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	4548	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\MshyperHostmonitordhcp\reviewMonitor.exe	dcrat
behavioral4/memory/2004-13-0x0000000000170000-0x0000000000246000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

start.exeWScript.exereviewMonitor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	reviewMonitor.exe

Executes dropped EXE 2 IoCs

Processes:

reviewMonitor.exeSystem.exe

pid process

2004 reviewMonitor.exe
3956 System.exe

Drops file in Program Files directory 2 IoCs

Processes:

reviewMonitor.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\27d1bcfc3c54e0	reviewMonitor.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\System.exe	reviewMonitor.exe

Drops file in Windows directory 8 IoCs

Processes:

reviewMonitor.exe

description	ioc	process
File created	C:\Windows\Vss\Writers\System\msedge.exe	reviewMonitor.exe
File created	C:\Windows\Vss\Writers\System\61a52ddc9dd915	reviewMonitor.exe
File created	C:\Windows\Panther\setup.exe\fontdrvhost.exe	reviewMonitor.exe
File created	C:\Windows\Panther\setup.exe\5b884080fd4f94	reviewMonitor.exe
File created	C:\Windows\Migration\WTR\reviewMonitor.exe	reviewMonitor.exe
File created	C:\Windows\Migration\WTR\cf99d6aeab2a06	reviewMonitor.exe
File created	C:\Windows\Speech\Engines\TTS\en-US\msedge.exe	reviewMonitor.exe
File created	C:\Windows\Speech\Engines\TTS\en-US\61a52ddc9dd915	reviewMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2228	schtasks.exe
2852	schtasks.exe
2596	schtasks.exe
4984	schtasks.exe
1676	schtasks.exe
948	schtasks.exe
2012	schtasks.exe
2528	schtasks.exe
3572	schtasks.exe
3052	schtasks.exe
1680	schtasks.exe
4484	schtasks.exe
2504	schtasks.exe
4076	schtasks.exe
1480	schtasks.exe
3684	schtasks.exe
924	schtasks.exe
752	schtasks.exe
1640	schtasks.exe
936	schtasks.exe
3852	schtasks.exe

Modifies registry class 1 IoCs

Processes:

start.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings start.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	start.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

reviewMonitor.exeSystem.exe

pid	process
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
2004	reviewMonitor.exe
3956	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

reviewMonitor.exeSystem.exe

description pid process

Token: SeDebugPrivilege 2004 reviewMonitor.exe
Token: SeDebugPrivilege 3956 System.exe

description	pid	process
Token: SeDebugPrivilege	2004	reviewMonitor.exe
Token: SeDebugPrivilege	3956	System.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

start.exeWScript.execmd.exereviewMonitor.exe

description	pid	process	target process
PID 4156 wrote to memory of 856	4156	start.exe	WScript.exe
PID 4156 wrote to memory of 856	4156	start.exe	WScript.exe
PID 4156 wrote to memory of 856	4156	start.exe	WScript.exe
PID 856 wrote to memory of 4928	856	WScript.exe	cmd.exe
PID 856 wrote to memory of 4928	856	WScript.exe	cmd.exe
PID 856 wrote to memory of 4928	856	WScript.exe	cmd.exe
PID 4928 wrote to memory of 2004	4928	cmd.exe	reviewMonitor.exe
PID 4928 wrote to memory of 2004	4928	cmd.exe	reviewMonitor.exe
PID 2004 wrote to memory of 3956	2004	reviewMonitor.exe	System.exe
PID 2004 wrote to memory of 3956	2004	reviewMonitor.exe	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\LegacyPhasmo\start.exe
"C:\Users\Admin\AppData\Local\Temp\LegacyPhasmo\start.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\MshyperHostmonitordhcp\0DcM5JqD9S9f9.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\MshyperHostmonitordhcp\MgkA4hhn0q04GXYwCcIaXFzSS.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\MshyperHostmonitordhcp\reviewMonitor.exe
"C:\MshyperHostmonitordhcp\reviewMonitor.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Program Files (x86)\WindowsPowerShell\Modules\System.exe
"C:\Program Files (x86)\WindowsPowerShell\Modules\System.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\All Users\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\odt\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech\Engines\TTS\en-US\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\TTS\en-US\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\Engines\TTS\en-US\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\System\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\setup.exe\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\setup.exe\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewMonitorr" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\reviewMonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewMonitor" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\reviewMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewMonitorr" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\reviewMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MshyperHostmonitordhcp\0DcM5JqD9S9f9.vbe
Filesize
224B

MD5
d2b97d2aae9482940374f468a574d6a0

SHA1
db0b075661a48ce48889d72331bf6f8dc2678156

SHA256
7a33058c1663d4917294bc87987b53f98fe9dd03ba8be69f288cafa74ece40bf

SHA512
4c17782d77ec02197c012668baaf297df10f8003f512d994343fefff5f9b86be1ecbd6ae8d652a14fb7ae0ccec53d0f5e9ecf40fa0ffa629b190967160502bfa

Download Submit
C:\MshyperHostmonitordhcp\MgkA4hhn0q04GXYwCcIaXFzSS.bat
Filesize
45B

MD5
50ac67118e356521f6739fb631a1bbbe

SHA1
68671a07d7a39463726b43c2d53ef535989cccaf

SHA256
9373ac51e6c5e168c642e48912b314dd69b2b6a47b401e1741ba992ebc06c4df

SHA512
40728b08c37095b39cd4bf67048de5c71f5400433321e37dc4fbc98d77435a960b80734347c25e136b1251324bf7b2b71df7cddb4abc3f213a7113d006996883

Download Submit
C:\MshyperHostmonitordhcp\reviewMonitor.exe
Filesize
827KB

MD5
452f976724291ddcd7fc0d12ff1dc544

SHA1
add1cdb2396b67fa42961ee07d91d7a45bad915a

SHA256
0285686187df5c5ddfda90a068b02a00eb2ce4fea21ea7adef2e07021707ae7d

SHA512
2b637ec0bf44fe2dbd3fe7801413e81cb102eff09fa51c20258fec72c13de8e966ea11db8e0603f54747c18142a0a9a2ccd258cefe25cc32a33931d9da5a6ed3

Download Submit
memory/2004-12-0x00007FFD76B93000-0x00007FFD76B95000-memory.dmp

Filesize
8KB

Download
memory/2004-13-0x0000000000170000-0x0000000000246000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads