dcrat | b26bd1c0f18de40e6123428988234b21640203431c5f66e2d602e805511f9e79

General

Target

69c5ea0a44027e82bab6de842c2736e0N.exe
Size

2.6MB
MD5

69c5ea0a44027e82bab6de842c2736e0
SHA1

f9fca090c82aa851b94b6cb3f6a8e59d1eaf46ce
SHA256

b26bd1c0f18de40e6123428988234b21640203431c5f66e2d602e805511f9e79
SHA512

de370686ce72d5d4b42b9c445eab8bcc5f6ef0dd27d2e5e59dfc24fcb052e7ea4869fc690873b637bdc56ad363bf3c87a6a2e769aab2e9c4ec29a076d1dc9f6f
SSDEEP

49152:UbA303peNkzjI6lp/5xblQ94oT4mbaUpCVvUwi2FUTGWK/ZJ8PFjw:UblYo/5xbGTT4J3VvRi5TGWsadw

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	4076	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\PortsurrogateRefBroker\agentWeb.exe	dcrat
behavioral2/memory/4936-13-0x0000000000BF0000-0x0000000000E3E000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

69c5ea0a44027e82bab6de842c2736e0N.exeWScript.exeagentWeb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	69c5ea0a44027e82bab6de842c2736e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	agentWeb.exe

Executes dropped EXE 2 IoCs

Processes:

agentWeb.exewinlogon.exe

pid process

4936 agentWeb.exe
3872 winlogon.exe

Drops file in Program Files directory 4 IoCs

Processes:

agentWeb.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\dwm.exe	agentWeb.exe
File created	C:\Program Files (x86)\Common Files\6cb0b6c459d5d3	agentWeb.exe
File created	C:\Program Files\Windows Media Player\winlogon.exe	agentWeb.exe
File created	C:\Program Files\Windows Media Player\cc11b995f2a76d	agentWeb.exe

Drops file in Windows directory 1 IoCs

Processes:

agentWeb.exe

description ioc process

File created C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\Idle.exe agentWeb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\Idle.exe	agentWeb.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

69c5ea0a44027e82bab6de842c2736e0N.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69c5ea0a44027e82bab6de842c2736e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

Processes:

69c5ea0a44027e82bab6de842c2736e0N.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	69c5ea0a44027e82bab6de842c2736e0N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3220	schtasks.exe
3784	schtasks.exe
2136	schtasks.exe
4052	schtasks.exe
4724	schtasks.exe
2588	schtasks.exe
3328	schtasks.exe
1800	schtasks.exe
2040	schtasks.exe
4320	schtasks.exe
4000	schtasks.exe
4496	schtasks.exe
2456	schtasks.exe
2712	schtasks.exe
3376	schtasks.exe
1760	schtasks.exe
3184	schtasks.exe
4528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

agentWeb.exewinlogon.exe

pid	process
4936	agentWeb.exe
4936	agentWeb.exe
4936	agentWeb.exe
4936	agentWeb.exe
4936	agentWeb.exe
3872	winlogon.exe
3872	winlogon.exe
3872	winlogon.exe
3872	winlogon.exe
3872	winlogon.exe
3872	winlogon.exe
3872	winlogon.exe
3872	winlogon.exe
3872	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

agentWeb.exewinlogon.exe

description pid process

Token: SeDebugPrivilege 4936 agentWeb.exe
Token: SeDebugPrivilege 3872 winlogon.exe

description	pid	process
Token: SeDebugPrivilege	4936	agentWeb.exe
Token: SeDebugPrivilege	3872	winlogon.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

69c5ea0a44027e82bab6de842c2736e0N.exeWScript.execmd.exeagentWeb.exe

description	pid	process	target process
PID 460 wrote to memory of 4592	460	69c5ea0a44027e82bab6de842c2736e0N.exe	WScript.exe
PID 460 wrote to memory of 4592	460	69c5ea0a44027e82bab6de842c2736e0N.exe	WScript.exe
PID 460 wrote to memory of 4592	460	69c5ea0a44027e82bab6de842c2736e0N.exe	WScript.exe
PID 4592 wrote to memory of 5020	4592	WScript.exe	cmd.exe
PID 4592 wrote to memory of 5020	4592	WScript.exe	cmd.exe
PID 4592 wrote to memory of 5020	4592	WScript.exe	cmd.exe
PID 5020 wrote to memory of 4936	5020	cmd.exe	agentWeb.exe
PID 5020 wrote to memory of 4936	5020	cmd.exe	agentWeb.exe
PID 4936 wrote to memory of 3872	4936	agentWeb.exe	winlogon.exe
PID 4936 wrote to memory of 3872	4936	agentWeb.exe	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\69c5ea0a44027e82bab6de842c2736e0N.exe
"C:\Users\Admin\AppData\Local\Temp\69c5ea0a44027e82bab6de842c2736e0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PortsurrogateRefBroker\6O4ZKdsS9YLdfMGrXlv6UX.vbe"
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\PortsurrogateRefBroker\PG5XI6tflf9wFGpWTuMeLdwspHl.bat" "
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020

C:\PortsurrogateRefBroker\agentWeb.exe
"C:\PortsurrogateRefBroker\agentWeb.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Program Files\Windows Media Player\winlogon.exe
"C:\Program Files\Windows Media Player\winlogon.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\PortsurrogateRefBroker\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PortsurrogateRefBroker\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\PortsurrogateRefBroker\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default\Recent\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\NetHood\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortsurrogateRefBroker\6O4ZKdsS9YLdfMGrXlv6UX.vbe

Filesize
226B

MD5
8fc7c988fab4354676da51a891e4dff8

SHA1
1f0f76c0877214ea21d83765a67142952073a04d

SHA256
3a98cbc48815b464d277a0df33d7b9945cf199a51fb95311dfd952d360534376

SHA512
cf1b2f1401b849a91cac570a8ac226d8c9c27be238d0950c7a1b53476c186272533db6508cf6d820d328904201ade44c6f6047f13882a0d5642ee37c372dad25

Download Submit
C:\PortsurrogateRefBroker\PG5XI6tflf9wFGpWTuMeLdwspHl.bat

Filesize
40B

MD5
852d2ba781fa5b950a28cbda58000a17

SHA1
539c6187f1ec6f5b70728c38c01a3606954eee8c

SHA256
19547e2acb53b7ad4c2bd6416ca40281671f7b1d05a6fffa0268e5563d59fb8a

SHA512
c8f8a83bca2332cb4073b01b0fbd81905e62f92702555769c4e3abf820f71744b4ecbdd267c4e5adbd2e78a2fdd1986641b08e1ebec41903a62c2bdf5b6d8a4b

Download Submit
C:\PortsurrogateRefBroker\agentWeb.exe

Filesize
2.3MB

MD5
bbb13ad585691ca7a1bfcff2d84a0a93

SHA1
0b8249606fbe8c30761f7ff891b8cff760bf8766

SHA256
bc8457cb02515ded80d0eff126064577b39cf4acc4bb76ff49b0c20841689310

SHA512
89042b70561185c99b876e44bf73fdaa8f205bbb05d89ab8276baea16dfb97e702d255cc18e86614b1e5b93462b11fa275898870736043a9a834d855f657ba31

Download Submit
memory/4936-12-0x00007FF8B22D3000-0x00007FF8B22D5000-memory.dmp

Filesize
8KB

Download
memory/4936-13-0x0000000000BF0000-0x0000000000E3E000-memory.dmp

Filesize
2.3MB

Download
memory/4936-14-0x000000001BF50000-0x000000001BF6C000-memory.dmp

Filesize
112KB

Download
memory/4936-15-0x000000001BFC0000-0x000000001C010000-memory.dmp

Filesize
320KB

Download
memory/4936-16-0x000000001BF70000-0x000000001BF86000-memory.dmp

Filesize
88KB

Download
memory/4936-17-0x000000001C010000-0x000000001C066000-memory.dmp

Filesize
344KB

Download
memory/4936-18-0x000000001BF90000-0x000000001BFA2000-memory.dmp

Filesize
72KB

Download
memory/4936-19-0x000000001C950000-0x000000001CE78000-memory.dmp

Filesize
5.2MB

Download
memory/4936-20-0x000000001C060000-0x000000001C06E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads