dcrat | aac9b9479025a005f7f9c9c1b8002f21d05a42bfcb0f39a359e86ae186b9cfea

General

Target

aac9b9479025a005f7f9c9c1b8002f21d05a42bfcb0f39a359e86ae186b9cfea.exe
Size

1.1MB
MD5

205763e8efbcfa91ef1795a4f522ff51
SHA1

0f71a48f6c071e36df7e9572289aa7be468d4146
SHA256

aac9b9479025a005f7f9c9c1b8002f21d05a42bfcb0f39a359e86ae186b9cfea
SHA512

36e1e32110565bde64b27914e70e74d6e6a342c7aaf5aca88eae89dbdaf27601f9f8cad525ac08f6983136c2338b10a1d7bc9cd36ff987f86e42e745b6ace81c
SSDEEP

24576:U2G/nvxW3Ww0tcPca9BcI0ryqlbWwtOMD2:UbA30taoro

Score

10^/10

dcrat discovery evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2728	schtasks.exe	34

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018f94-9.dat	dcrat
behavioral1/memory/348-13-0x0000000000CB0000-0x0000000000D86000-memory.dmp	dcrat
behavioral1/memory/2240-33-0x0000000000370000-0x0000000000446000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
348	hostSvc.exe
2240	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	cmd.exe
2204	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\hostSvc.exe	hostSvc.exe
File opened for modification	C:\Program Files\Windows NT\hostSvc.exe	hostSvc.exe
File created	C:\Program Files\Windows NT\dd7e2ead84435a	hostSvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\en-US\services.exe	hostSvc.exe
File created	C:\Windows\en-US\c5b4cb5e9653cc	hostSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aac9b9479025a005f7f9c9c1b8002f21d05a42bfcb0f39a359e86ae186b9cfea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1100	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2620	schtasks.exe
2664	schtasks.exe
2420	schtasks.exe
2104	schtasks.exe
2884	schtasks.exe
2912	schtasks.exe
1660	schtasks.exe
1988	schtasks.exe
1964	schtasks.exe
2800	schtasks.exe
920	schtasks.exe
2768	schtasks.exe
2724	schtasks.exe
2304	schtasks.exe
1036	schtasks.exe
1424	schtasks.exe
588	schtasks.exe
664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
348	hostSvc.exe
348	hostSvc.exe
348	hostSvc.exe
348	hostSvc.exe
348	hostSvc.exe
2240	services.exe
2240	services.exe
2240	services.exe
2240	services.exe
2240	services.exe
2240	services.exe
2240	services.exe
2240	services.exe
2240	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2240	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	348	hostSvc.exe
Token: SeDebugPrivilege	2240	services.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2388	2412	aac9b9479025a005f7f9c9c1b8002f21d05a42bfcb0f39a359e86ae186b9cfea.exe	30
PID 2412 wrote to memory of 2388	2412	aac9b9479025a005f7f9c9c1b8002f21d05a42bfcb0f39a359e86ae186b9cfea.exe	30
PID 2412 wrote to memory of 2388	2412	aac9b9479025a005f7f9c9c1b8002f21d05a42bfcb0f39a359e86ae186b9cfea.exe	30
PID 2412 wrote to memory of 2388	2412	aac9b9479025a005f7f9c9c1b8002f21d05a42bfcb0f39a359e86ae186b9cfea.exe	30
PID 2388 wrote to memory of 2204	2388	WScript.exe	31
PID 2388 wrote to memory of 2204	2388	WScript.exe	31
PID 2388 wrote to memory of 2204	2388	WScript.exe	31
PID 2388 wrote to memory of 2204	2388	WScript.exe	31
PID 2204 wrote to memory of 348	2204	cmd.exe	33
PID 2204 wrote to memory of 348	2204	cmd.exe	33
PID 2204 wrote to memory of 348	2204	cmd.exe	33
PID 2204 wrote to memory of 348	2204	cmd.exe	33
PID 348 wrote to memory of 1636	348	hostSvc.exe	53
PID 348 wrote to memory of 1636	348	hostSvc.exe	53
PID 348 wrote to memory of 1636	348	hostSvc.exe	53
PID 2204 wrote to memory of 1100	2204	cmd.exe	55
PID 2204 wrote to memory of 1100	2204	cmd.exe	55
PID 2204 wrote to memory of 1100	2204	cmd.exe	55
PID 2204 wrote to memory of 1100	2204	cmd.exe	55
PID 1636 wrote to memory of 2944	1636	cmd.exe	56
PID 1636 wrote to memory of 2944	1636	cmd.exe	56
PID 1636 wrote to memory of 2944	1636	cmd.exe	56
PID 1636 wrote to memory of 2240	1636	cmd.exe	58
PID 1636 wrote to memory of 2240	1636	cmd.exe	58
PID 1636 wrote to memory of 2240	1636	cmd.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aac9b9479025a005f7f9c9c1b8002f21d05a42bfcb0f39a359e86ae186b9cfea.exe
"C:\Users\Admin\AppData\Local\Temp\aac9b9479025a005f7f9c9c1b8002f21d05a42bfcb0f39a359e86ae186b9cfea.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\portrefDll\lGiD9u2t0eo1sSEWTgyGmVsqvXpXU7.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\portrefDll\YnvsQ1vzh19ryYwNxF7vVIb.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\portrefDll\hostSvc.exe
      "C:\portrefDll\hostSvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:348
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K4kZnY1MfK.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2944
      - C:\Windows\en-US\services.exe
        
        "C:\Windows\en-US\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hostSvch" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\hostSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hostSvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\hostSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hostSvch" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\hostSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hostSvch" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\hostSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hostSvc" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\hostSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hostSvch" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\hostSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\K4kZnY1MfK.bat

Filesize
194B

MD5
de2e109ce33321ebcd711fc925607aa2

SHA1
ab67edf3d07da9b0d8acfd8c48b9c8cd1810d616

SHA256
6c7c050228532a5bd721221d60c6f6cd4999cce75d5a42df30c589a5026fa080

SHA512
971a9a38cac60bf2afbd6ca8adf7fb0278ced84f73d958d8d0173da822c899ae47a4ce171b6437baa20b1318345e4fd02f252f9c36d24874c5802dbcb38478e4

Download Submit
C:\portrefDll\YnvsQ1vzh19ryYwNxF7vVIb.bat

Filesize
139B

MD5
2b3b1977be75d31a154ff21d70670f83

SHA1
6525d6e8b7016d7e3b0d05081efe11ca47bf7959

SHA256
097efd803f9681bed88d9e9019b3e3cf30dcf6535b36309e4d9ce92cdf94e001

SHA512
78a245e9cfd3dfe32050e0f6217909c2947741458bb532f26b51ae3c71685d3bba6d8a66ab2145f1ab43b2f84ee7bf3a0edb515931ca5ca8e846ed2756dfd058

Download Submit
C:\portrefDll\lGiD9u2t0eo1sSEWTgyGmVsqvXpXU7.vbe

Filesize
210B

MD5
bb3d1e161fcf39c0321972cce17a8692

SHA1
29c1bdcc411d77b0056561ab9d91a4cc1c75835e

SHA256
2940cbb1a71be69ca1b63d5bebe697522066667f8b2c202c0004ba6d3a916b67

SHA512
2d0b8082324f1273efce2bc71750fc945e6107a724aed5ff51777d36e949b9ab9cde061ef62594ecc49c21a98f5f3e8944ed0d710e7352b646f95a9e3d0a8556

Download Submit
\portrefDll\hostSvc.exe

Filesize
827KB

MD5
38d73859d90aa45a0c277245e22bcc6d

SHA1
89f3257e6ef2ca8fb6fecff42b6f1b81706e48c8

SHA256
246b8cab7e3f1dc0fee420895abdfd6d383ee120c942432a546774a2b3255686

SHA512
6c5c1f5270e18e89165b941910747d09952b7d9a7e3d71c137fd6280aa1fc26c40f7431a26cd2b382d39d98f52f2d94327ff7a9b5f6763d4ef2201e4a4dcd33e

Download Submit
memory/348-13-0x0000000000CB0000-0x0000000000D86000-memory.dmp

Filesize
856KB

Download
memory/2240-33-0x0000000000370000-0x0000000000446000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads