dcrat | fd18e5242413a22ef180736d054660b59d901c096fbd7b2f22b02b3b170da7b0

General

Target

nurusltan fix.exe
Size

1.1MB
MD5

0f353cf4b6e0fa3ec3c7bd6ba53eaff8
SHA1

8c54eff890e1923b788f33dabc135dd6db859c79
SHA256

fd18e5242413a22ef180736d054660b59d901c096fbd7b2f22b02b3b170da7b0
SHA512

69c681a47a1313155f8536dcd9a14bc999a0f7f82ca8e20dcb2de3589599d0cadee495f2a91e5cb49dcad83a3b961bcbae1957ef45a8ead6384fd3d0b3c05199
SSDEEP

24576:U2G/nvxW3Ww0t0zhLLXo2JkLajcBo6EFiUGxjt:UbA300zhAfScBxEyxZ

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	4848	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	4848	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	4848	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	4848	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	4848	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	4848	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	4848	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4848	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	4848	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	4848	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4848	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4848	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4848	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	4848	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	4848	schtasks.exe	90

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000700000002341c-10.dat	dcrat
behavioral2/memory/376-13-0x0000000000340000-0x0000000000416000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Comref.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	nurusltan fix.exe

Executes dropped EXE 2 IoCs

pid	Process
376	Comref.exe
1552	spoolsv.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\0a1fd5f707cd16	Comref.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\cmd.exe	Comref.exe
File created	C:\Program Files\Windows Photo Viewer\spoolsv.exe	Comref.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\SearchApp.exe	Comref.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\38384e6a620884	Comref.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe	Comref.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ebf1f9fa8afd6d	Comref.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\spoolsv.exe	Comref.exe
File created	C:\Program Files\Windows Photo Viewer\f3b6ecef712a24	Comref.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1244	schtasks.exe
2280	schtasks.exe
3464	schtasks.exe
3624	schtasks.exe
2208	schtasks.exe
3416	schtasks.exe
2844	schtasks.exe
1816	schtasks.exe
4040	schtasks.exe
1912	schtasks.exe
5108	schtasks.exe
4756	schtasks.exe
4900	schtasks.exe
3032	schtasks.exe
2244	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	nurusltan fix.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	Comref.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
376	Comref.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	376	Comref.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 3304	656	nurusltan fix.exe	83
PID 656 wrote to memory of 3304	656	nurusltan fix.exe	83
PID 656 wrote to memory of 3304	656	nurusltan fix.exe	83
PID 3304 wrote to memory of 2568	3304	WScript.exe	94
PID 3304 wrote to memory of 2568	3304	WScript.exe	94
PID 3304 wrote to memory of 2568	3304	WScript.exe	94
PID 2568 wrote to memory of 376	2568	cmd.exe	96
PID 2568 wrote to memory of 376	2568	cmd.exe	96
PID 376 wrote to memory of 2500	376	Comref.exe	112
PID 376 wrote to memory of 2500	376	Comref.exe	112
PID 2500 wrote to memory of 4300	2500	cmd.exe	114
PID 2500 wrote to memory of 4300	2500	cmd.exe	114
PID 2500 wrote to memory of 1552	2500	cmd.exe	117
PID 2500 wrote to memory of 1552	2500	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\nurusltan fix.exe
"C:\Users\Admin\AppData\Local\Temp\nurusltan fix.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Agentcomponentcommon\fbxuS96NMbe4n6JV.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Agentcomponentcommon\aRkefYu5ar9NpqNnsZyu3JG.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Agentcomponentcommon\Comref.exe
      "C:\Agentcomponentcommon\Comref.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nvl7Sxgh1S.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4300
      - C:\Program Files\Windows Photo Viewer\spoolsv.exe
        
        "C:\Program Files\Windows Photo Viewer\spoolsv.exe"
        6⤵
        Executes dropped EXE
        
        PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Agentcomponentcommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Agentcomponentcommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Agentcomponentcommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Agentcomponentcommon\Comref.exe

Filesize
828KB

MD5
365ce0dd2c67e94b054e6ac405ec42b5

SHA1
176629f99e1a7cbdf55b461b73699081d60f595a

SHA256
53ca3d012cb978aca3ed559714fc9f4bf8d10bb98d59222ccdc6e6986c4415c8

SHA512
e5efae843b9116bf950acfaedc28885768550ee8f3d972e193975d9daf4f4dc24d8f201dedc529a1d0a70d5556704243cd6e27ca9853c07537aa259ac40e74fe

Download Submit
C:\Agentcomponentcommon\aRkefYu5ar9NpqNnsZyu3JG.bat

Filesize
36B

MD5
ee08f606810a583c666500b8fdfed16c

SHA1
4289bd99b380ef87a0abd52fa193bb584ad52947

SHA256
ac2f971e8a6049070d01bc35a9d4c2822ad1c168ae1c3ad4718026ded1ff7238

SHA512
673169fb2fd43884887c13d32152c1497425a5c489fd7902ec4758ea034e883470ba15299e25ecfd07bb238a849d314da13b8f1bf8c80f756c027da02f9e0472

Download Submit
C:\Agentcomponentcommon\fbxuS96NMbe4n6JV.vbe

Filesize
220B

MD5
e5fc6c5feb954ae982e6dc11d76ee900

SHA1
2a62a21679c801b84ce372afb7c52e24c920dfe1

SHA256
e6805bd88f8107c2089e0c02357d30ceb175a49c9912a35e92565ed7f710c0ff

SHA512
93f102257a7cbd6b06ff1d25eeed708a9af45ebbc6f72c94db51f067aa891ce71da0b7babd00e72a0869eba760893b5fed2a7e4b7b2d9d5ea18a05555e222d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvl7Sxgh1S.bat

Filesize
214B

MD5
6eddb0a23c27127a4a320b7bd83ae706

SHA1
e6b01223246ebaae092c55bcf6347e857bbd15f1

SHA256
4b662546c6de8fc7e95be02d2f9597edd6949a12afedb7fa6bc204b84e7e4a51

SHA512
4afd3c320207e5c3f3eaf95be0f23cf5fc4389f4bb825ee481c219b199c31802bd6d582e2b626762406da198934b2fd3915c458f27c8d33a648f73a44b41ce3d

Download Submit
memory/376-12-0x00007FFE7A583000-0x00007FFE7A585000-memory.dmp

Filesize
8KB

Download
memory/376-13-0x0000000000340000-0x0000000000416000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads