dcrat | 75bdb5811baa0d78e23f7bf2ad17e5ad8abae746aac3c8e4c739d7141e7a5e05

General

Target

config.exe
Size

1.1MB
MD5

4ccc39f7b4d6505188f19e6a99b0ef53
SHA1

2b8b5f4ae1957dda47f50798a00921a9b9541691
SHA256

75bdb5811baa0d78e23f7bf2ad17e5ad8abae746aac3c8e4c739d7141e7a5e05
SHA512

5c03902fc5d02dfbbea886f1f4d1443abac5b0a8a0f799e2555f3e62838134ee3f89fca7837f6c4ee6e3a7b8f6b4b874673a964b30497cb722ca62d1dcf943a7
SSDEEP

24576:U2G/nvxW3Ww0tgxRE+GY+7I9qe0KRP808I4lxmP7lp:UbA30wE+yI9qeLyw/

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2996	schtasks.exe	35

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c3d-9.dat	dcrat
behavioral1/memory/2684-13-0x0000000001060000-0x0000000001136000-memory.dmp	dcrat
behavioral1/memory/2152-34-0x0000000000220000-0x00000000002F6000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2684	componentInto.exe
2152	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2120	cmd.exe
2120	cmd.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe	componentInto.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\56085415360792	componentInto.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\WmiPrvSE.exe	componentInto.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\24dbde2999530e	componentInto.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\WMIADAP.exe	componentInto.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\75a57c1bdf437c	componentInto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1600	schtasks.exe
2916	schtasks.exe
2732	schtasks.exe
2804	schtasks.exe
2008	schtasks.exe
2300	schtasks.exe
2888	schtasks.exe
1916	schtasks.exe
2812	schtasks.exe
1616	schtasks.exe
2752	schtasks.exe
2436	schtasks.exe
1504	schtasks.exe
2928	schtasks.exe
2688	schtasks.exe
2568	schtasks.exe
2092	schtasks.exe
1612	schtasks.exe
2028	schtasks.exe
2836	schtasks.exe
2624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2684	componentInto.exe
2684	componentInto.exe
2684	componentInto.exe
2152	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	componentInto.exe
Token: SeDebugPrivilege	2152	csrss.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2464	1404	config.exe	31
PID 1404 wrote to memory of 2464	1404	config.exe	31
PID 1404 wrote to memory of 2464	1404	config.exe	31
PID 1404 wrote to memory of 2464	1404	config.exe	31
PID 2464 wrote to memory of 2120	2464	WScript.exe	32
PID 2464 wrote to memory of 2120	2464	WScript.exe	32
PID 2464 wrote to memory of 2120	2464	WScript.exe	32
PID 2464 wrote to memory of 2120	2464	WScript.exe	32
PID 2120 wrote to memory of 2684	2120	cmd.exe	34
PID 2120 wrote to memory of 2684	2120	cmd.exe	34
PID 2120 wrote to memory of 2684	2120	cmd.exe	34
PID 2120 wrote to memory of 2684	2120	cmd.exe	34
PID 2684 wrote to memory of 2152	2684	componentInto.exe	57
PID 2684 wrote to memory of 2152	2684	componentInto.exe	57
PID 2684 wrote to memory of 2152	2684	componentInto.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\config.exe
"C:\Users\Admin\AppData\Local\Temp\config.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\HyperreviewPerf\4e8TrghIZ6.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\HyperreviewPerf\NyJ75tn22ob7UuEicUknatF.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\HyperreviewPerf\componentInto.exe
      "C:\HyperreviewPerf\componentInto.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Videos\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\HyperreviewPerf\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\HyperreviewPerf\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\HyperreviewPerf\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Solitaire\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Solitaire\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Hearts\ja-JP\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Hearts\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HyperreviewPerf\4e8TrghIZ6.vbe

Filesize
215B

MD5
c39c12e3c87d51dc84d40b74018339ba

SHA1
9bd6171b3a22fefffc1c388848c71d4532601304

SHA256
43ba4f182cda7af480c5331e42369a610ffa93b211621d5cb7f53daca3d03209

SHA512
add9d7ed720df9d440a5d5cad1d31f253d58a435ce6f57d9e7157dd8ffe07b8315c7a670e0c0729e4e802eef9e38e70e9f30565647283631eb4a6340f726658a

Download Submit
C:\HyperreviewPerf\NyJ75tn22ob7UuEicUknatF.bat

Filesize
38B

MD5
256205d3142b0269d77b312f3c7056b1

SHA1
121683c5077db5d98169cae7bd5ac6bd9e8ffe7e

SHA256
538c0935c9ca2b0a088eb6f26775b005f67256aadb7b4f43744b776deb6b6a4d

SHA512
8234ab457c94c7bf40667e57b89f941bc31bef962daf31f97ca8a1de6ea7de8694fff17e170e08296e3b270d527c17ea39ed3255a3e7d0b05218ad2aaa9ff431

Download Submit
\HyperreviewPerf\componentInto.exe

Filesize
828KB

MD5
b3da667f34717abe2502139db4e81935

SHA1
7c48e7bbd435081d51ad32a1fe9704901e2b1d58

SHA256
a9c495044580a2faf91d4b73000e3338ef66551ead4f3f6b18820ddc84879aa0

SHA512
741b2eb2731c84f04f0794115d35bbc3bcca91270bca95a794ac21fbe477ea15dcc29e7e83e8abc661c64cc7dad020e197ed04cfe33e8a895484a5060af48e6e

Download Submit
memory/2152-34-0x0000000000220000-0x00000000002F6000-memory.dmp

Filesize
856KB

Download
memory/2684-13-0x0000000001060000-0x0000000001136000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads