dcrat | 104a911945f430c05ed156633a3fb316634218cb5510dc6df373a23ff073238c

General

Target

Nurik.exe
Size

1.9MB
MD5

1d81f2dcae2cad16ad719a714414ccf6
SHA1

57aaeab4ec3ba5d0738684256d4ec2416ed85981
SHA256

104a911945f430c05ed156633a3fb316634218cb5510dc6df373a23ff073238c
SHA512

13cff621392ef6a69ca88e42ec36f64391ea58145e8851535a6b41ee120c59d3842cd05325c844280925a751b8ed10143f3efff9c378d975bc78d89fb6416b8b
SSDEEP

24576:h2G/nvxW3Wd0qOQqfjhiF+eSmd57d2lDPRGy+UddyFqVg+BI/uG4AKkLkhu0:hbA3LuqO+Fm8RUvtFqueI/ckLkR

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023c9e-10.dat	dcrat
behavioral2/memory/4296-13-0x0000000000900000-0x0000000000A6A000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Nurik.exeWScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Nurik.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

SurrogateCommon.exe

pid	Process
4296	SurrogateCommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Nurik.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nurik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

Processes:

Nurik.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Nurik.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SurrogateCommon.exe

description	pid	Process
Token: SeDebugPrivilege	4296	SurrogateCommon.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Nurik.exeWScript.execmd.exe

description	pid	Process	procid_target
PID 1536 wrote to memory of 640	1536	Nurik.exe	84
PID 1536 wrote to memory of 640	1536	Nurik.exe	84
PID 1536 wrote to memory of 640	1536	Nurik.exe	84
PID 640 wrote to memory of 2572	640	WScript.exe	94
PID 640 wrote to memory of 2572	640	WScript.exe	94
PID 640 wrote to memory of 2572	640	WScript.exe	94
PID 2572 wrote to memory of 4296	2572	cmd.exe	97
PID 2572 wrote to memory of 4296	2572	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\Nurik.exe
"C:\Users\Admin\AppData\Local\Temp\Nurik.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\reviewwinSessionhostcommon\Txzzu7tsLbyOTjIrlPW5YR22FQ.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\reviewwinSessionhostcommon\JS95NsahAYHQx.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\reviewwinSessionhostcommon\SurrogateCommon.exe
      "C:\reviewwinSessionhostcommon\SurrogateCommon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\reviewwinSessionhostcommon\JS95NsahAYHQx.bat

Filesize
51B

MD5
9c99f272c55f24c38a3d732b84ee715e

SHA1
36bb0afdeec66024499b72208280fb01228f18e8

SHA256
3d4a917d49a46a40bb4d22b101c01c390f9ee1a1ecca0dd59b726df6e9dc9867

SHA512
8ce75d5f3ecabfb493a47a71a76ac9b4d7c39fc04160c87fb60e2453f02104da9ef7f26b0c78ea55beea11240e2c47c0cc61326ce71a14dac98c02b5fc88b072

Download Submit
C:\reviewwinSessionhostcommon\SurrogateCommon.exe

Filesize
1.4MB

MD5
ea71569b0e51e03231229d19a6b8199b

SHA1
d46bf331915a0dea8512c6616bedee508a1496a7

SHA256
89f2f11a0e44dfd721f5994912632a028e4e628df4a8df305695d473f0d042a4

SHA512
859255b77861b65682e2668ebbd3536b7b2dcb5c26b699017330c701531e2dbb35ba4eb5b001a8c87143257f94ea5a1beddf49184136372f304811d7ab3f1e87

Download Submit
C:\reviewwinSessionhostcommon\Txzzu7tsLbyOTjIrlPW5YR22FQ.vbe

Filesize
216B

MD5
377212779c8949d887a9c98109692f94

SHA1
a219371560cefee4bce8beb28edba33e832c048e

SHA256
1bcc22a387d65049c14dac5288fd9afbe6d677393551e181e53c7c4a4a5c4a03

SHA512
c2b24c446f9b0f01fee1d5aa7304df9c0bb19e22190c38626740cdcf1d417f23bcc3ffb49f9c71bd7de5529427a031640bc2de48c5d1de772d86956cbfafba4c

Download Submit
memory/4296-12-0x00007FFFAB133000-0x00007FFFAB135000-memory.dmp

Filesize
8KB

Download
memory/4296-13-0x0000000000900000-0x0000000000A6A000-memory.dmp

Filesize
1.4MB

Download
memory/4296-14-0x0000000001230000-0x000000000123E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads