dcrat | 7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8

General

Target

7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
Size

827KB
MD5

56ab99637a82f98cec56b3318878bc99
SHA1

9b5e3f53a3a7eeb37cf9d00e1787816e2e16fe0b
SHA256

7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8
SHA512

aacedc5ed4baf76c1551d865358d5c1662d2cac17bea9bbc35abecc6b145f4be50423b29c2e90cd0ff3e3d11874aee184b9d42c1f8a395f0fa2246c46bdba323
SSDEEP

12288:ws2MkHy0AkGWpU5cv+ALaOBULNrBjHo0+ET08QzjrWZIESls:oMGyZkGWPlaOBULdBjiN8QsDz

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2832	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2748-1-0x00000000001E0000-0x00000000002B6000-memory.dmp	dcrat
behavioral1/files/0x0006000000016cfc-11.dat	dcrat
behavioral1/memory/1848-25-0x0000000000E20000-0x0000000000EF6000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

Idle.exe

pid	Process
1848	Idle.exe

Drops file in Program Files directory 8 IoCs

Processes:

7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\69ddcba757bf72	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6ccacd8608530f	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\Idle.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\6ccacd8608530f	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\wininit.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\56085415360792	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe

Drops file in Windows directory 2 IoCs

Processes:

7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe

description	ioc	Process
File created	C:\Windows\Globalization\sppsvc.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Windows\Globalization\0a1fd5f707cd16	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2380	schtasks.exe
2888	schtasks.exe
2576	schtasks.exe
1256	schtasks.exe
536	schtasks.exe
580	schtasks.exe
1900	schtasks.exe
2856	schtasks.exe
2044	schtasks.exe
2556	schtasks.exe
2436	schtasks.exe
1624	schtasks.exe
2912	schtasks.exe
2204	schtasks.exe
2744	schtasks.exe
1996	schtasks.exe
2932	schtasks.exe
2692	schtasks.exe
2428	schtasks.exe
800	schtasks.exe
2352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exeIdle.exe

pid	Process
2748	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
1848	Idle.exe
1848	Idle.exe
1848	Idle.exe
1848	Idle.exe
1848	Idle.exe
1848	Idle.exe
1848	Idle.exe
1848	Idle.exe
1848	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Idle.exe

pid	Process
1848	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exeIdle.exe

description	pid	Process
Token: SeDebugPrivilege	2748	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
Token: SeDebugPrivilege	1848	Idle.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.execmd.exe

description	pid	Process	procid_target
PID 2748 wrote to memory of 3068	2748	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe	52
PID 2748 wrote to memory of 3068	2748	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe	52
PID 2748 wrote to memory of 3068	2748	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe	52
PID 3068 wrote to memory of 400	3068	cmd.exe	54
PID 3068 wrote to memory of 400	3068	cmd.exe	54
PID 3068 wrote to memory of 400	3068	cmd.exe	54
PID 3068 wrote to memory of 1848	3068	cmd.exe	55
PID 3068 wrote to memory of 1848	3068	cmd.exe	55
PID 3068 wrote to memory of 1848	3068	cmd.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
"C:\Users\Admin\AppData\Local\Temp\7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qf8QHV2QCf.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:400
- - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe
    "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Globalization\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe

Filesize
827KB

MD5
56ab99637a82f98cec56b3318878bc99

SHA1
9b5e3f53a3a7eeb37cf9d00e1787816e2e16fe0b

SHA256
7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8

SHA512
aacedc5ed4baf76c1551d865358d5c1662d2cac17bea9bbc35abecc6b145f4be50423b29c2e90cd0ff3e3d11874aee184b9d42c1f8a395f0fa2246c46bdba323

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qf8QHV2QCf.bat

Filesize
244B

MD5
6d76fa75a585a3f1cc4b7f0640c54636

SHA1
42ca14579b2c6a04c1cfb2eef8bc4f31f87bcdd3

SHA256
10092caae61ab477c7d2582baa91750bb40bdba600530531664e6165c6c66106

SHA512
4a87336cc11557d911e692ac0cdce0a22e5e5bcf148f285190965850c0a8e71d2f7da1bc5d13969eef7b003808657c65cce798bc4570a460229deeb71e8da61f

Download Submit
memory/1848-25-0x0000000000E20000-0x0000000000EF6000-memory.dmp

Filesize
856KB

Download
memory/2748-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

Filesize
4KB

Download
memory/2748-1-0x00000000001E0000-0x00000000002B6000-memory.dmp

Filesize
856KB

Download
memory/2748-2-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-22-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads