dcrat | ec582f81548b3b5f12398a1a1f0dd30649a496304afad8bae13f82ac0849a983

General

Target

621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
Size

912KB
MD5

10aed7c9078642756495f27e3b622a47
SHA1

d6aa65bb11cb728c38b472150e45d8ae4fe93711
SHA256

621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250
SHA512

fa12a498b9849769dfe10141faaf0414acc82c79fa935fbdae17e848bb60de6d4494b52cd31f9627ec18886b469ee85ec11b0d514b244442a9966e37d4146148
SSDEEP

12288:zwQRFBuIllEteYHMrYE6Oc+k1xdfatF0IaLHX8lO/MDFvNKqn4:zt4IUtwr6B+uxdfatG/TeFVK+4

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2944	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2780-1-0x0000000000C70000-0x0000000000D5C000-memory.dmp	dcrat
behavioral1/files/0x0005000000018f98-11.dat	dcrat
behavioral1/memory/1080-23-0x0000000000010000-0x00000000000FC000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1080	dllhost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\explorer.exe\""	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\XpsGdiConverter\\spoolsv.exe\""	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\DevicePairingWizard\\dllhost.exe\""	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\explorer\\explorer.exe\""	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\""	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS\\OSPPSVC.exe\""	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\XpsGdiConverter\spoolsv.exe	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
File created	C:\Windows\System32\XpsGdiConverter\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
File created	C:\Windows\System32\DevicePairingWizard\dllhost.exe	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
File created	C:\Windows\System32\DevicePairingWizard\5940a34987c99120d96dace90a3f93f329dcad63	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
File created	C:\Windows\System32\XpsGdiConverter\spoolsv.exe	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\taskhost.exe	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
File created	C:\Program Files\7-Zip\Lang\b75386f1303e64d8139363b71e44ac16341adf4e	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS\OSPPSVC.exe	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS\1610b97d3ab4a74cd8ae104b51bea7bfcc5b9c6f	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\explorer\explorer.exe	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
File created	C:\Windows\explorer\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2884	schtasks.exe
2900	schtasks.exe
2720	schtasks.exe
2696	schtasks.exe
2768	schtasks.exe
2840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2780	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
1080	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
Token: SeDebugPrivilege	1080	dllhost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2176	2780	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe	37
PID 2780 wrote to memory of 2176	2780	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe	37
PID 2780 wrote to memory of 2176	2780	621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe	37
PID 2176 wrote to memory of 2072	2176	cmd.exe	39
PID 2176 wrote to memory of 2072	2176	cmd.exe	39
PID 2176 wrote to memory of 2072	2176	cmd.exe	39
PID 2176 wrote to memory of 1080	2176	cmd.exe	40
PID 2176 wrote to memory of 1080	2176	cmd.exe	40
PID 2176 wrote to memory of 1080	2176	cmd.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe
"C:\Users\Admin\AppData\Local\Temp\621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Wx4uUSFMT.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2072
- - C:\Windows\System32\DevicePairingWizard\dllhost.exe
    "C:\Windows\System32\DevicePairingWizard\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\XpsGdiConverter\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\DevicePairingWizard\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\explorer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS\OSPPSVC.exe

Filesize
912KB

MD5
10aed7c9078642756495f27e3b622a47

SHA1
d6aa65bb11cb728c38b472150e45d8ae4fe93711

SHA256
621f8b48e6cd5586e3dfb5f83a24998de6903a73e6c818ad663b036f0de93250

SHA512
fa12a498b9849769dfe10141faaf0414acc82c79fa935fbdae17e848bb60de6d4494b52cd31f9627ec18886b469ee85ec11b0d514b244442a9966e37d4146148

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Wx4uUSFMT.bat

Filesize
215B

MD5
df2cb30dd854abeb9242eec153c7dcdd

SHA1
7f19c1bc264f9aadabd1e60f0dfbeb3ce5ff7a20

SHA256
a772ee68a979460eb8453fecce232faa1fb299ecd6dd04dad8cc126292a95623

SHA512
15c292d204e462da8c843d845415a08b0cf099b85b3c744eb8b2c0c8faa8ba0ba3ba5e2d2b1b65f28bc5cdd0ab30d81c69fc5b6c362c1f6a7840864efea1bd7d

Download Submit
memory/1080-23-0x0000000000010000-0x00000000000FC000-memory.dmp

Filesize
944KB

Download
memory/2780-0-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp

Filesize
4KB

Download
memory/2780-1-0x0000000000C70000-0x0000000000D5C000-memory.dmp

Filesize
944KB

Download
memory/2780-2-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-20-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads