dcrat | cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71

General

Target

cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe
Size

1.9MB
MD5

3a92479aa98e55499bfa33bc2ea35b64
SHA1

2645ee34fe180b3c775fec79729f5ecee1dab95f
SHA256

cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71
SHA512

137fe77d848b628a212e52fb9c8bac86c42914b51a2914f60676c3799e3c346a03c9122a54ed899888dbc58a59990f9cbd381212e08cfb82d071a577892d8d48
SSDEEP

24576:2TbBv5rUyXV/SgxSKCk+FpaARF5+dKz8It1s4o4NIbDc405+iPP+x2PMZ5S6re:IBJ/CFK3INhNIbDcykP+yiSf

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Executes dropped EXE 2 IoCs

pid	Process
2696	fontReviewsavesinto.exe
2588	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2432	cmd.exe
2432	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2300	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2300	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2588	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2696	fontReviewsavesinto.exe
2696	fontReviewsavesinto.exe
2696	fontReviewsavesinto.exe
2696	fontReviewsavesinto.exe
2696	fontReviewsavesinto.exe
2696	fontReviewsavesinto.exe
2696	fontReviewsavesinto.exe
2696	fontReviewsavesinto.exe
2696	fontReviewsavesinto.exe
2696	fontReviewsavesinto.exe
2696	fontReviewsavesinto.exe
2588	sppsvc.exe
2588	sppsvc.exe
2588	sppsvc.exe
2588	sppsvc.exe
2588	sppsvc.exe
2588	sppsvc.exe
2588	sppsvc.exe
2588	sppsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2588	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	fontReviewsavesinto.exe
Token: SeDebugPrivilege	2588	sppsvc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1636	2228	cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe	31
PID 2228 wrote to memory of 1636	2228	cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe	31
PID 2228 wrote to memory of 1636	2228	cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe	31
PID 2228 wrote to memory of 1636	2228	cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe	31
PID 1636 wrote to memory of 2432	1636	WScript.exe	32
PID 1636 wrote to memory of 2432	1636	WScript.exe	32
PID 1636 wrote to memory of 2432	1636	WScript.exe	32
PID 1636 wrote to memory of 2432	1636	WScript.exe	32
PID 2432 wrote to memory of 2696	2432	cmd.exe	34
PID 2432 wrote to memory of 2696	2432	cmd.exe	34
PID 2432 wrote to memory of 2696	2432	cmd.exe	34
PID 2432 wrote to memory of 2696	2432	cmd.exe	34
PID 2696 wrote to memory of 2728	2696	fontReviewsavesinto.exe	35
PID 2696 wrote to memory of 2728	2696	fontReviewsavesinto.exe	35
PID 2696 wrote to memory of 2728	2696	fontReviewsavesinto.exe	35
PID 2728 wrote to memory of 2912	2728	cmd.exe	37
PID 2728 wrote to memory of 2912	2728	cmd.exe	37
PID 2728 wrote to memory of 2912	2728	cmd.exe	37
PID 2728 wrote to memory of 2300	2728	cmd.exe	38
PID 2728 wrote to memory of 2300	2728	cmd.exe	38
PID 2728 wrote to memory of 2300	2728	cmd.exe	38
PID 2728 wrote to memory of 2588	2728	cmd.exe	39
PID 2728 wrote to memory of 2588	2728	cmd.exe	39
PID 2728 wrote to memory of 2588	2728	cmd.exe	39
PID 2728 wrote to memory of 2588	2728	cmd.exe	39
PID 2728 wrote to memory of 2588	2728	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe
"C:\Users\Admin\AppData\Local\Temp\cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ComponentSavesinto\Rvb4MehGYPWwP7mOC7L2KZoGBB7qbkXbVDhXcse7w1B6.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\ComponentSavesinto\ZNtisV5JM91TmuX3tDFXvJx7ah2q8kJOB5hVZXHXTCGj5p.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\ComponentSavesinto\fontReviewsavesinto.exe
      "C:\ComponentSavesinto/fontReviewsavesinto.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MJNnCXwRzT.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2912
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2300
      - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ComponentSavesinto\Rvb4MehGYPWwP7mOC7L2KZoGBB7qbkXbVDhXcse7w1B6.vbe

Filesize
242B

MD5
3076c2a420abfae7929160ba4d0a72b7

SHA1
12b6bf6ab90923d5bdd316683b8eccd25b478904

SHA256
12790bc3e92339d3720214576ee78d7546292f985d5a06ee20c19aa6aea20344

SHA512
847910825012e426315c64fe5f949d63bcb3c60b51111c413198cc056e4ebc8475bf9c07b1cb021a82d8050b805606c1530a6431a8da5f5021b60e81dd56b37e

Download Submit
C:\ComponentSavesinto\ZNtisV5JM91TmuX3tDFXvJx7ah2q8kJOB5hVZXHXTCGj5p.bat

Filesize
87B

MD5
0f0c1382d77519a4e9b29d9aa39e786b

SHA1
e230967a14b0854d217ebdbbd571f7bae14ba176

SHA256
1bff5ed332b1fb57070372efa426bdb201534c2050cb16dd68c86e8595bf727a

SHA512
8435f2224ffe087669e382746587c4f583a15c1f0fa5939849882aecff136c1a55557171a6f17e3b66a0fc0d0067888de40ec02dcc70b86e35ee49c841cb2556

Download Submit
C:\ComponentSavesinto\fontReviewsavesinto.exe

Filesize
1.6MB

MD5
5b7391cd38f6218cd0e5c8f3899ab4dd

SHA1
c8fe062863454f2170cb5add5e38733311c48066

SHA256
4fa8244e62b244b9f543363577dbab6f4765809c4e4b09de4d42bd0b05384ff9

SHA512
a29e0820f2188af78133ba0ac8c1fa86a0f76038b222e15cbeb5167d1eb5f2a5e959d2ce5081fe694c458a204d1a222f92aea35d1049096807ccf25c68113d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\MJNnCXwRzT.bat

Filesize
187B

MD5
1de47ddeff04f39c51ce1c94b55f4aea

SHA1
2bafa0a70f1d6a871d9261ca1b3dcc8902c43ca5

SHA256
95c2938e04dd7fee48d8c26575635c418c9c8725c1d9c805c7bd9bf4b905b655

SHA512
2cae8c90cbe8776fafad87bc384b7697deb1b1efc18426d6f7a25869c223da266423e001bde4411362a5bed30b691172ee997b3b90db9c07074c4ce9a236203f

Download Submit
memory/2588-32-0x0000000000C30000-0x0000000000DC8000-memory.dmp

Filesize
1.6MB

Download
memory/2696-13-0x0000000000C40000-0x0000000000DD8000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing