dcrat | de577ab25710e06a94efa8f9b0b2f425377cb8df68c5068ce65204ee5b28a067

Reason

Machine shutdown

General

Target

test.exe
Size

1.1MB
MD5

4a00e42d19f9bae651f70e79cd5ef162
SHA1

b196db8fc96765b65f9da36f7c55664e9c756bb9
SHA256

de577ab25710e06a94efa8f9b0b2f425377cb8df68c5068ce65204ee5b28a067
SHA512

69735af42d4d44ff7814beacee6a0b80a841f44f09962a5d42ab9fdac673971fcd10e76de53b25ce19693fe6826e557fc8fe4721b3611ac22efbfa76f7405055
SSDEEP

24576:u2G/nvxW3WieCs/p/1uLbrQZVK8qBlKSUd:ubA3j7TQL3Ane

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000a000000023b7b-10.dat	dcrat
behavioral1/memory/3600-13-0x00000000004F0000-0x00000000005C6000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Bridgesurrogate.exe

Executes dropped EXE 1 IoCs

pid	Process
3600	Bridgesurrogate.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ipinfo.io
25	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4484	taskkill.exe
1928	taskkill.exe
2168	taskkill.exe
4100	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	test.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3600	Bridgesurrogate.exe
3600	Bridgesurrogate.exe
3600	Bridgesurrogate.exe
3600	Bridgesurrogate.exe
3600	Bridgesurrogate.exe
3600	Bridgesurrogate.exe
3600	Bridgesurrogate.exe
3600	Bridgesurrogate.exe
3600	Bridgesurrogate.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3600	Bridgesurrogate.exe
Token: SeDebugPrivilege	4484	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 3608	4936	test.exe	85
PID 4936 wrote to memory of 3608	4936	test.exe	85
PID 4936 wrote to memory of 3608	4936	test.exe	85
PID 3608 wrote to memory of 3700	3608	WScript.exe	88
PID 3608 wrote to memory of 3700	3608	WScript.exe	88
PID 3608 wrote to memory of 3700	3608	WScript.exe	88
PID 3700 wrote to memory of 3600	3700	cmd.exe	91
PID 3700 wrote to memory of 3600	3700	cmd.exe	91
PID 3600 wrote to memory of 1196	3600	Bridgesurrogate.exe	111
PID 3600 wrote to memory of 1196	3600	Bridgesurrogate.exe	111
PID 1196 wrote to memory of 4484	1196	cmd.exe	113
PID 1196 wrote to memory of 4484	1196	cmd.exe	113
PID 1196 wrote to memory of 1928	1196	cmd.exe	114
PID 1196 wrote to memory of 1928	1196	cmd.exe	114
PID 1196 wrote to memory of 2168	1196	cmd.exe	115
PID 1196 wrote to memory of 2168	1196	cmd.exe	115
PID 1196 wrote to memory of 4100	1196	cmd.exe	116
PID 1196 wrote to memory of 4100	1196	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FontreviewwincommonSvc\JucJWzXGoLiqIkOEBNnKfvrb0.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\FontreviewwincommonSvc\Y0CpU.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\FontreviewwincommonSvc\Bridgesurrogate.exe
      "C:\FontreviewwincommonSvc\Bridgesurrogate.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /im crss.exe & taskkill /f /im wininit.exe & taskkill /f /im winlogon.exe & taskkill /f /im svchost.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im crss.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im wininit.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im winlogon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im svchost.exe
        6⤵
        Kills process with taskkill
        
        PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FontreviewwincommonSvc\Bridgesurrogate.exe

Filesize
829KB

MD5
925278f34e704b81d9a837d26a72657b

SHA1
404bb676c8298adc01e660ba763fbf6ec08137e8

SHA256
2a26a9cf56694281786fb8e35863ac7a5f607301bbb72eef7e06e95c7e23f50d

SHA512
608a6d3456e194d918992817d2c57d97ea1758b251d4e1f4e4b9ecc375e2de6d08de2a6495ebcb7ba825eb172e862119b222006733381e1ce246e251dfd55fd7

Download Submit
C:\FontreviewwincommonSvc\JucJWzXGoLiqIkOEBNnKfvrb0.vbe

Filesize
204B

MD5
0eab06ef6873fb013c9f2babf77657cb

SHA1
d0a76df0228e4ce0d5d4a013f54610ebb39d3a90

SHA256
641cb6fb5f209f0782ed6ce495fec7fbc2a4dad802e0d86ea2539f9e7280c1f1

SHA512
b596159b85d0e147eb845bd9a6a26ae58391845100200aeacaa658eb239183fa18589319fe8644a87eac740aaed0ba79861309bc54f5498bdbb9d31520b432fe

Download Submit
C:\FontreviewwincommonSvc\Y0CpU.bat

Filesize
47B

MD5
7847aa1435648c93f0af222aa269b12b

SHA1
445fdd35740aada074adc4596e0cde2449865b60

SHA256
70a6c507c444bb21691fed477053006d8ab4e490aaa514de83b46193989816ef

SHA512
3c1b9d9b7f1b2f48bbca67e7175411d6b02dab55b523e357ca4b47500cc64e3481ffcb2b9c1e3ca3275f9e3673625043d0ba20ee1c82d4935a75d226b800c95d

Download Submit
memory/3600-12-0x00007FF93B260000-0x00007FF93B2FD000-memory.dmp

Filesize
628KB

Download
memory/3600-13-0x00000000004F0000-0x00000000005C6000-memory.dmp

Filesize
856KB

Download
memory/3600-14-0x0000000002750000-0x0000000002796000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

Errors