dcrat | cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71

General

Target

cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe
Size

1.9MB
MD5

3a92479aa98e55499bfa33bc2ea35b64
SHA1

2645ee34fe180b3c775fec79729f5ecee1dab95f
SHA256

cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71
SHA512

137fe77d848b628a212e52fb9c8bac86c42914b51a2914f60676c3799e3c346a03c9122a54ed899888dbc58a59990f9cbd381212e08cfb82d071a577892d8d48
SSDEEP

24576:2TbBv5rUyXV/SgxSKCk+FpaARF5+dKz8It1s4o4NIbDc405+iPP+x2PMZ5S6re:IBJ/CFK3INhNIbDcykP+yiSf

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	fontReviewsavesinto.exe

Executes dropped EXE 2 IoCs

pid	Process
3776	fontReviewsavesinto.exe
2776	fontReviewsavesinto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	fontReviewsavesinto.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3776	fontReviewsavesinto.exe
3776	fontReviewsavesinto.exe
3776	fontReviewsavesinto.exe
3776	fontReviewsavesinto.exe
3776	fontReviewsavesinto.exe
3776	fontReviewsavesinto.exe
3776	fontReviewsavesinto.exe
3776	fontReviewsavesinto.exe
3776	fontReviewsavesinto.exe
3776	fontReviewsavesinto.exe
3776	fontReviewsavesinto.exe
2776	fontReviewsavesinto.exe
2776	fontReviewsavesinto.exe
2776	fontReviewsavesinto.exe
2776	fontReviewsavesinto.exe
2776	fontReviewsavesinto.exe
2776	fontReviewsavesinto.exe
2776	fontReviewsavesinto.exe
2776	fontReviewsavesinto.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2776	fontReviewsavesinto.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3776	fontReviewsavesinto.exe
Token: SeDebugPrivilege	2776	fontReviewsavesinto.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3144	4944	cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe	87
PID 4944 wrote to memory of 3144	4944	cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe	87
PID 4944 wrote to memory of 3144	4944	cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe	87
PID 3144 wrote to memory of 780	3144	WScript.exe	97
PID 3144 wrote to memory of 780	3144	WScript.exe	97
PID 3144 wrote to memory of 780	3144	WScript.exe	97
PID 780 wrote to memory of 3776	780	cmd.exe	99
PID 780 wrote to memory of 3776	780	cmd.exe	99
PID 3776 wrote to memory of 3660	3776	fontReviewsavesinto.exe	103
PID 3776 wrote to memory of 3660	3776	fontReviewsavesinto.exe	103
PID 3660 wrote to memory of 4204	3660	cmd.exe	105
PID 3660 wrote to memory of 4204	3660	cmd.exe	105
PID 3660 wrote to memory of 1524	3660	cmd.exe	106
PID 3660 wrote to memory of 1524	3660	cmd.exe	106
PID 3660 wrote to memory of 2776	3660	cmd.exe	108
PID 3660 wrote to memory of 2776	3660	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe
"C:\Users\Admin\AppData\Local\Temp\cc8ffd463272f8abfb56f7f6c7a83ade8137e8df4c8cf39926469bf54efd1f71.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ComponentSavesinto\Rvb4MehGYPWwP7mOC7L2KZoGBB7qbkXbVDhXcse7w1B6.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ComponentSavesinto\ZNtisV5JM91TmuX3tDFXvJx7ah2q8kJOB5hVZXHXTCGj5p.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\ComponentSavesinto\fontReviewsavesinto.exe
      "C:\ComponentSavesinto/fontReviewsavesinto.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Uef0XhRw6m.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4204
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1524
      - C:\ComponentSavesinto\fontReviewsavesinto.exe
        
        "C:\ComponentSavesinto\fontReviewsavesinto.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ComponentSavesinto\Rvb4MehGYPWwP7mOC7L2KZoGBB7qbkXbVDhXcse7w1B6.vbe

Filesize
242B

MD5
3076c2a420abfae7929160ba4d0a72b7

SHA1
12b6bf6ab90923d5bdd316683b8eccd25b478904

SHA256
12790bc3e92339d3720214576ee78d7546292f985d5a06ee20c19aa6aea20344

SHA512
847910825012e426315c64fe5f949d63bcb3c60b51111c413198cc056e4ebc8475bf9c07b1cb021a82d8050b805606c1530a6431a8da5f5021b60e81dd56b37e

Download Submit
C:\ComponentSavesinto\ZNtisV5JM91TmuX3tDFXvJx7ah2q8kJOB5hVZXHXTCGj5p.bat

Filesize
87B

MD5
0f0c1382d77519a4e9b29d9aa39e786b

SHA1
e230967a14b0854d217ebdbbd571f7bae14ba176

SHA256
1bff5ed332b1fb57070372efa426bdb201534c2050cb16dd68c86e8595bf727a

SHA512
8435f2224ffe087669e382746587c4f583a15c1f0fa5939849882aecff136c1a55557171a6f17e3b66a0fc0d0067888de40ec02dcc70b86e35ee49c841cb2556

Download Submit
C:\ComponentSavesinto\fontReviewsavesinto.exe

Filesize
1.6MB

MD5
5b7391cd38f6218cd0e5c8f3899ab4dd

SHA1
c8fe062863454f2170cb5add5e38733311c48066

SHA256
4fa8244e62b244b9f543363577dbab6f4765809c4e4b09de4d42bd0b05384ff9

SHA512
a29e0820f2188af78133ba0ac8c1fa86a0f76038b222e15cbeb5167d1eb5f2a5e959d2ce5081fe694c458a204d1a222f92aea35d1049096807ccf25c68113d67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontReviewsavesinto.exe.log

Filesize
1KB

MD5
47ab59baf4dcc4e17b4ceb468e55d551

SHA1
d026131c94cb679cb244c4e860f43591b539e2a2

SHA256
3eb7725a57375437481e559b2286b9d6745378a370a38d93d2d5bb90e786bfea

SHA512
3e1bd72f400439b189b9ed2821c4c868210f77bdd5ea8dac58b5c4fcc81c4fa7f7ee520812b5868327000a0cb723a637f5756d5eae054bcfb70674d409426604

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uef0XhRw6m.bat

Filesize
221B

MD5
f3e5e0f927db1b736c550b8a7c122f79

SHA1
8f1380724ec364addf12f638e900e7ddf44b7f5e

SHA256
81cadab9b089441cb42899a881a20e13ad9eb13d5bff4829b24fee6a818dbfca

SHA512
beb2f4bbd939b540dbcb8843d6b187d7ccdec9ca0a8bce47d26408083af4a3e3bf232c92a71f29b20ef3ae5cad5c0dca20f4acec43f56e97d71882a01e2e4aa6

Download Submit
memory/3776-12-0x00007FFA06C73000-0x00007FFA06C75000-memory.dmp

Filesize
8KB

Download
memory/3776-13-0x00000000001F0000-0x0000000000388000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing