dcrat | 556e1b95814a2ff15e3f1962a682b2bdf4f72d8c11bf695af6de878d0b676a61

General

Target

UX-V2.0.exe
Size

2.0MB
MD5

f31b33519b8577316db68baa8203b60c
SHA1

8273e7ebdf5b3d25ff15e8d7e56f8b066da0af4b
SHA256

556e1b95814a2ff15e3f1962a682b2bdf4f72d8c11bf695af6de878d0b676a61
SHA512

831f8a5a1a707b3e50b814f43d87c228ad818e0cc7683800a65e0ff0052a6c98492a3f3b2669d5a9495c7687e0a96793ae33b2f24b76e4c671590c982fb987dd
SSDEEP

49152:ubA3j7CUI8pGiQagogtpnJCL1pGKd+N1ewYw:ubQ7I88ALaJCL1HdI1Yw

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\portcomPerfSvc\ServerBrokerDhcp.exe	dcrat
behavioral2/memory/3148-13-0x0000000000280000-0x0000000000444000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

ServerBrokerDhcp.exe

pid process

3148 ServerBrokerDhcp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3148	ServerBrokerDhcp.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

UX-V2.0.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UX-V2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

Processes:

UX-V2.0.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings UX-V2.0.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ServerBrokerDhcp.exe

description pid process

Token: SeDebugPrivilege 3148 ServerBrokerDhcp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	UX-V2.0.exe

description	pid	process
Token: SeDebugPrivilege	3148	ServerBrokerDhcp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

UX-V2.0.exeWScript.execmd.exe

description	pid	process	target process
PID 4400 wrote to memory of 240	4400	UX-V2.0.exe	WScript.exe
PID 4400 wrote to memory of 240	4400	UX-V2.0.exe	WScript.exe
PID 4400 wrote to memory of 240	4400	UX-V2.0.exe	WScript.exe
PID 240 wrote to memory of 1832	240	WScript.exe	cmd.exe
PID 240 wrote to memory of 1832	240	WScript.exe	cmd.exe
PID 240 wrote to memory of 1832	240	WScript.exe	cmd.exe
PID 1832 wrote to memory of 3148	1832	cmd.exe	ServerBrokerDhcp.exe
PID 1832 wrote to memory of 3148	1832	cmd.exe	ServerBrokerDhcp.exe

C:\Users\Admin\AppData\Local\Temp\UX-V2.0.exe
"C:\Users\Admin\AppData\Local\Temp\UX-V2.0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\portcomPerfSvc\2mZ8bGp.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\portcomPerfSvc\jxAUNCo.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\portcomPerfSvc\ServerBrokerDhcp.exe
      "C:\portcomPerfSvc\ServerBrokerDhcp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\portcomPerfSvc\2mZ8bGp.vbe

Filesize
198B

MD5
fcb144615fd7cf203d141dcc8b199f88

SHA1
d526262498d1b20012cae08eba88c3591d0d53e0

SHA256
c306d351ee916a81159e1f0ee0cca44dd99699109b03fd367f5197284a3c2fa0

SHA512
38b74641fce7abc592fef90e9b8ade1f41c9c6b18a4ced7b48c471d09964ffb3e8bab7569c08e21bcc8f5145369832277b0b53651cf3531ecc79514a929e3552

Download Submit
C:\portcomPerfSvc\ServerBrokerDhcp.exe

Filesize
1.7MB

MD5
734121f31947a54234850fa273769344

SHA1
78154d8391e52b26daec14f5c9eea34584da0ca4

SHA256
346cf8dca071f08cc82cf9d4ee15137f9900e70a8cf3025e99e470e2bf4016e4

SHA512
8a1a49db9bf50eee1176983d5d586a2fa282c6b8502d54bd864af3fcb4d46a140acbab79bba48d30c45c7d4a212b6cd1c3b429277cb89a1455bca6ee29e09b67

Download Submit
C:\portcomPerfSvc\jxAUNCo.bat

Filesize
40B

MD5
67c48c903e3c4cacf749edde6fb48104

SHA1
dd6da02b70e34456edc0c1d6ce84da4fa5ec0d7d

SHA256
5e6725a674937ddc7c592f6c21c0be8e711a6fea44901904a53e85bbe4de296d

SHA512
85be00f7bd833170824169d88d6547e9943c526b7ff5650bd8fc7a90b8a58099b4b68014636717e3e148fb3fc61a1477c4ea4bc48826920f09f8c3ac091cb8b9

Download Submit
memory/3148-12-0x00007FFDB6EB3000-0x00007FFDB6EB5000-memory.dmp

Filesize
8KB

Download
memory/3148-13-0x0000000000280000-0x0000000000444000-memory.dmp

Filesize
1.8MB

Download
memory/3148-14-0x0000000000DB0000-0x0000000000DBE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads