dcrat | 7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77

General

Target

7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe
Size

1.4MB
MD5

1d2b1f463a1d6b10f9610337e95d5c0e
SHA1

59b08e6488e6380d4958534b3273396e34a14d9e
SHA256

7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77
SHA512

74671170b1e066024240e6c5226b75727e604a8ac9ce41e69b7fe5cec581ef52c69a7b238d61c614d30a311c7c74e63d3b82e5a5815a51ef38dac71bd6d548bd
SSDEEP

24576:u2G/nvxW3WieCrUKCU7IPEHnEKGfLymG8jY5Acrcdwkvpfq:ubA3jrGU1HnSfLymG8cSzm

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	3768	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	3768	schtasks.exe	94

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bridgeContainerRef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bridgeContainerRef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bridgeContainerRef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x00070000000234d8-10.dat	dcrat
behavioral2/memory/4756-13-0x00000000006A0000-0x00000000007B6000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	bridgeContainerRef.exe

Executes dropped EXE 2 IoCs

pid	Process
4756	bridgeContainerRef.exe
4496	sihost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bridgeContainerRef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bridgeContainerRef.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe	bridgeContainerRef.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\sihost.exe	bridgeContainerRef.exe
File created	C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe	bridgeContainerRef.exe
File created	C:\Program Files\VideoLAN\VLC\9e8d7a4ca61bd9	bridgeContainerRef.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\29c1c3cc0f7685	bridgeContainerRef.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe	bridgeContainerRef.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\c5b4cb5e9653cc	bridgeContainerRef.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe	bridgeContainerRef.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\55b276f4edf653	bridgeContainerRef.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\66fc9ff0ee96c2	bridgeContainerRef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe
2980	schtasks.exe
736	schtasks.exe
4816	schtasks.exe
3968	schtasks.exe
1500	schtasks.exe
3176	schtasks.exe
432	schtasks.exe
3208	schtasks.exe
4116	schtasks.exe
3564	schtasks.exe
4932	schtasks.exe
468	schtasks.exe
4388	schtasks.exe
1116	schtasks.exe
3056	schtasks.exe
1760	schtasks.exe
3652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4756	bridgeContainerRef.exe
4756	bridgeContainerRef.exe
4756	bridgeContainerRef.exe
4756	bridgeContainerRef.exe
4756	bridgeContainerRef.exe
4756	bridgeContainerRef.exe
4756	bridgeContainerRef.exe
4756	bridgeContainerRef.exe
4756	bridgeContainerRef.exe
4756	bridgeContainerRef.exe
4756	bridgeContainerRef.exe
4756	bridgeContainerRef.exe
4496	sihost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4756	bridgeContainerRef.exe
Token: SeDebugPrivilege	4496	sihost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 1668	4016	7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe	85
PID 4016 wrote to memory of 1668	4016	7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe	85
PID 4016 wrote to memory of 1668	4016	7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe	85
PID 1668 wrote to memory of 2968	1668	WScript.exe	90
PID 1668 wrote to memory of 2968	1668	WScript.exe	90
PID 1668 wrote to memory of 2968	1668	WScript.exe	90
PID 2968 wrote to memory of 4756	2968	cmd.exe	92
PID 2968 wrote to memory of 4756	2968	cmd.exe	92
PID 4756 wrote to memory of 4496	4756	bridgeContainerRef.exe	113
PID 4756 wrote to memory of 4496	4756	bridgeContainerRef.exe	113

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bridgeContainerRef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bridgeContainerRef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bridgeContainerRef.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe
"C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\componentinto\TyJbcivSrBus9A7UqBxYQLYLifv.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\componentinto\3EQ4MYmSGwKCrTIrueD0pw.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\componentinto\bridgeContainerRef.exe
      "C:\componentinto\bridgeContainerRef.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4756
    - - C:\Program Files (x86)\Windows Sidebar\Gadgets\sihost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\sihost.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\componentinto\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\componentinto\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\componentinto\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\componentinto\3EQ4MYmSGwKCrTIrueD0pw.bat

Filesize
41B

MD5
86d8de8f837ab632770008d846268bb8

SHA1
050a887f38d930985d90b52726ae698806a93776

SHA256
6f53cccfc1f99c8b3014c04b87e3cf51ad677042a47fd1a313b93571b1fc14cc

SHA512
d67f2bec91551abcf918d1ab1af634e06e7a23f9668fd6e7162ca445748a4b805215cef2c8590c2aea4769605e884225e481f79a082297f304ff0feedd7353e2

Download Submit
C:\componentinto\TyJbcivSrBus9A7UqBxYQLYLifv.vbe

Filesize
212B

MD5
8ee36dbedf71844b819755a69aef93ce

SHA1
3225ed789aec1beb07f3dbcb93101f67cc29412e

SHA256
c9edb1555caa1589010af0e3b6e3296daca37407359c12af2f54e4d04818f810

SHA512
a1cc0cad26a3cfcb52311855384b835c1537f034d86f307d2d716b41bf7825fa860e12f7a61ff0a1e50d8a43eb7d159538c4abaca24a8dbb47604fff949455f6

Download Submit
C:\componentinto\bridgeContainerRef.exe

Filesize
1.1MB

MD5
d2284b3bcac27076acbce384ae1f90b9

SHA1
cd4f86b839e07d8df5ae1acce0db9a4438494a3e

SHA256
e402b9d1e4218a83aa63143d75c6b2e52fd53ad046d04de79f6817409e03977b

SHA512
218e20534c9789a87e75662f79f3c856c759b8df71bf770fa91cdb8c5dd5d2cc4e4abf968ae412365655bb38e151554f914117edec19f80ff5d8927d5c8a2f88

Download Submit
memory/4756-12-0x00007FFD754E3000-0x00007FFD754E5000-memory.dmp

Filesize
8KB

Download
memory/4756-13-0x00000000006A0000-0x00000000007B6000-memory.dmp

Filesize
1.1MB

Download
memory/4756-14-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download
memory/4756-15-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

Filesize
40KB

Download
memory/4756-16-0x0000000001120000-0x000000000112C000-memory.dmp

Filesize
48KB

Download
memory/4756-17-0x0000000001130000-0x000000000113C000-memory.dmp

Filesize
48KB

Download
memory/4756-18-0x0000000002930000-0x000000000293C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads