dcrat | d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098

General

Target

d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098.exe
Size

1.1MB
MD5

5f38ad274718c3262d27ab832490c194
SHA1

67ed4403196c9da6a34dc99173049fe7b5d2762a
SHA256

d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098
SHA512

6e1615d0e57db4b78cec17e8a322c4086267456a4216332aba4217da628061848bcbe30d7470c24d282b3b31599f26737bf2c334a8e06c490f057ebc9a6a3b78
SSDEEP

24576:QXRXTkk9tBZxs5A3QSXQo6sQX/zukzM9S/:SRXnJRgqyLukqS

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1640	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1952-1-0x00000000011D0000-0x00000000012F6000-memory.dmp	dcrat
behavioral1/files/0x000700000001211b-12.dat	dcrat
behavioral1/memory/848-18-0x0000000001060000-0x0000000001186000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
848	csrss.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\0a1fd5f707cd16	d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098.exe
File created	C:\Program Files\Windows Defender\csrss.exe	d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098.exe
File opened for modification	C:\Program Files\Windows Defender\csrss.exe	d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098.exe
File created	C:\Program Files\Windows Defender\886983d96e3d3e	d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\sppsvc.exe	d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2496	schtasks.exe
1036	schtasks.exe
2176	schtasks.exe
2852	schtasks.exe
2744	schtasks.exe
2704	schtasks.exe
2828	schtasks.exe
2728	schtasks.exe
2648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1952	d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098.exe
848	csrss.exe
848	csrss.exe
848	csrss.exe
848	csrss.exe
848	csrss.exe
848	csrss.exe
848	csrss.exe
848	csrss.exe
848	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098.exe
Token: SeDebugPrivilege	848	csrss.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 848	1952	d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098.exe	40
PID 1952 wrote to memory of 848	1952	d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098.exe	40
PID 1952 wrote to memory of 848	1952	d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098.exe
"C:\Users\Admin\AppData\Local\Temp\d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Program Files\Windows Defender\csrss.exe
  "C:\Program Files\Windows Defender\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender\csrss.exe

Filesize
1.1MB

MD5
5f38ad274718c3262d27ab832490c194

SHA1
67ed4403196c9da6a34dc99173049fe7b5d2762a

SHA256
d380ab06298ba654391242296c594720ec2cdbb8e28b42ea5a28b2ff894ac098

SHA512
6e1615d0e57db4b78cec17e8a322c4086267456a4216332aba4217da628061848bcbe30d7470c24d282b3b31599f26737bf2c334a8e06c490f057ebc9a6a3b78

Download Submit
memory/848-18-0x0000000001060000-0x0000000001186000-memory.dmp

Filesize
1.1MB

Download
memory/1952-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/1952-1-0x00000000011D0000-0x00000000012F6000-memory.dmp

Filesize
1.1MB

Download
memory/1952-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1952-3-0x0000000000530000-0x000000000054C000-memory.dmp

Filesize
112KB

Download
memory/1952-4-0x00000000006B0000-0x00000000006C6000-memory.dmp

Filesize
88KB

Download
memory/1952-17-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads