dcrat | d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75

General

Target

d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
Size

1.5MB
MD5

bdf8dba699d63caad5ea9a29a0f6dfda
SHA1

60b104b39c4b843e982fba55dc94ca89c444a315
SHA256

d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75
SHA512

d2200cbbe4312dc5f0c57d45306ac1dd988f8b4892b036ca2b7f05bf0d75f213303b7d4e20a0e0b39862c0d59966468458ba37db084e1972b58b8a6ebce3fa6a
SSDEEP

24576:Q2G/nvxW3W8ARZJJJJjsJJJJvJHJJJJJJ/wYnWW5Yxwo06RF91aOd9lfLQP9gMsD:QbA34VAb5J8RFyA10DsGxpQ

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat 8 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1764	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
		3008	schtasks.exe
		3024	schtasks.exe
		3016	schtasks.exe
		2420	schtasks.exe
		1152	schtasks.exe
		236	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2580	schtasks.exe	34

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000017079-11.dat	dcrat
behavioral1/memory/2712-13-0x00000000000F0000-0x00000000001DC000-memory.dmp	dcrat
behavioral1/memory/496-35-0x0000000000AF0000-0x0000000000BDC000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2712	sessionMonitordriverCrtMonitor.exe
496	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2556	cmd.exe
2556	cmd.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sessionMonitordriverCrtMonitor = "\"C:\\sessionMonitor\\sAhrfeOmh26XUgm\\sessionMonitordriverCrtMonitor.exe\""	sessionMonitordriverCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Documents and Settings\\sppsvc.exe\""	sessionMonitordriverCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\""	sessionMonitordriverCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\NlsLexicons0816\\dwm.exe\""	sessionMonitordriverCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\""	sessionMonitordriverCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\SysWOW64\\mfc100\\cmd.exe\""	sessionMonitordriverCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\LiveKernelReports\\cmd.exe\""	sessionMonitordriverCrtMonitor.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\NlsLexicons0816\dwm.exe	sessionMonitordriverCrtMonitor.exe
File created	C:\Windows\System32\NlsLexicons0816\6cb0b6c459d5d3455a3da700e713f2e2529862ff	sessionMonitordriverCrtMonitor.exe
File created	C:\Windows\SysWOW64\mfc100\cmd.exe	sessionMonitordriverCrtMonitor.exe
File created	C:\Windows\SysWOW64\mfc100\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228	sessionMonitordriverCrtMonitor.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe	sessionMonitordriverCrtMonitor.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\cc11b995f2a76da408ea6a601e682e64743153ad	sessionMonitordriverCrtMonitor.exe
File created	C:\Program Files (x86)\MSBuild\winlogon.exe	sessionMonitordriverCrtMonitor.exe
File created	C:\Program Files (x86)\MSBuild\cc11b995f2a76da408ea6a601e682e64743153ad	sessionMonitordriverCrtMonitor.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\cmd.exe	sessionMonitordriverCrtMonitor.exe
File created	C:\Windows\LiveKernelReports\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228	sessionMonitordriverCrtMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3008	schtasks.exe
3024	schtasks.exe
3016	schtasks.exe
2420	schtasks.exe
1152	schtasks.exe
236	schtasks.exe
1764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2712	sessionMonitordriverCrtMonitor.exe
2712	sessionMonitordriverCrtMonitor.exe
2712	sessionMonitordriverCrtMonitor.exe
496	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	sessionMonitordriverCrtMonitor.exe
Token: SeDebugPrivilege	496	cmd.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2812	2644	d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe	30
PID 2644 wrote to memory of 2812	2644	d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe	30
PID 2644 wrote to memory of 2812	2644	d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe	30
PID 2644 wrote to memory of 2812	2644	d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe	30
PID 2812 wrote to memory of 2556	2812	WScript.exe	31
PID 2812 wrote to memory of 2556	2812	WScript.exe	31
PID 2812 wrote to memory of 2556	2812	WScript.exe	31
PID 2812 wrote to memory of 2556	2812	WScript.exe	31
PID 2556 wrote to memory of 2712	2556	cmd.exe	33
PID 2556 wrote to memory of 2712	2556	cmd.exe	33
PID 2556 wrote to memory of 2712	2556	cmd.exe	33
PID 2556 wrote to memory of 2712	2556	cmd.exe	33
PID 2712 wrote to memory of 1376	2712	sessionMonitordriverCrtMonitor.exe	42
PID 2712 wrote to memory of 1376	2712	sessionMonitordriverCrtMonitor.exe	42
PID 2712 wrote to memory of 1376	2712	sessionMonitordriverCrtMonitor.exe	42
PID 1376 wrote to memory of 484	1376	cmd.exe	44
PID 1376 wrote to memory of 484	1376	cmd.exe	44
PID 1376 wrote to memory of 484	1376	cmd.exe	44
PID 1376 wrote to memory of 496	1376	cmd.exe	45
PID 1376 wrote to memory of 496	1376	cmd.exe	45
PID 1376 wrote to memory of 496	1376	cmd.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
"C:\Users\Admin\AppData\Local\Temp\d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\sessionMonitor\yKWvGem3BjBd.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\sessionMonitor\sAhrfeOmh26XUgm.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\sessionMonitor\sessionMonitordriverCrtMonitor.exe
      "C:\sessionMonitor\sessionMonitordriverCrtMonitor.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Hw8POVMUrm.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1376
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:484
      - C:\Windows\LiveKernelReports\cmd.exe
        
        "C:\Windows\LiveKernelReports\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0816\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\mfc100\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sessionMonitordriverCrtMonitor" /sc ONLOGON /tr "'C:\sessionMonitor\sAhrfeOmh26XUgm\sessionMonitordriverCrtMonitor.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hw8POVMUrm.bat

Filesize
200B

MD5
6c4d52f3439f34dbe4f97c59a4fd4232

SHA1
d33c555adaba8ae34912499dc2320de52c30ba98

SHA256
1915baa91708e7070c0356ddf5fed06f065619fd977eeb85cea7f71a337140a5

SHA512
6f330e95931713cf07d062f71d4f8f6a004decd132aa715f25bb48ba96b5cf27e4f47f6cc9f9044c85eb1fb80ff6385a6f5a1ea4f6c242288297f9dddc7cebaa

Download Submit
C:\sessionMonitor\sAhrfeOmh26XUgm.bat

Filesize
54B

MD5
b768018829ff0d793581de74a77fefbc

SHA1
7ed52d592e48aae0f2c6d787848a551733da0992

SHA256
3c4f92a5815ed7905dcf662250f92066291dd1fe3d72778ddcc5618c6fd9ac1e

SHA512
c06ae8e9b5e60c7013673dc8786f8a4e0bb5749af0ed9766935a103d866ce0e79feb49fa5db02d34cdf4f93d74152852bd88cdbbbff78fc72e6a74a0d7581f91

Download Submit
C:\sessionMonitor\yKWvGem3BjBd.vbe

Filesize
206B

MD5
c71311d680117ae76fd803c7729b0f2e

SHA1
71b4746c7a7c7d13af5ef8f08e2cf7e5a8bf0c5c

SHA256
1028dc026cf11c71dcfd49ffe23504013fa3b291c4a38d3554d31d9579083fe0

SHA512
ccc8a8ff690948f6b3158794636960483d2a7a38be8a6be6b1bee92d9684c06ec109831d50e3f39b0df0a319e788398136c4ca91e8de79cde3a0fef560bb7c06

Download Submit
\sessionMonitor\sessionMonitordriverCrtMonitor.exe

Filesize
912KB

MD5
ad4510fe830bfd34f52dff2e550ceda8

SHA1
e5c892210dfa873f5de94f391586333af3a0e4e6

SHA256
1623da1c762e72dc669be09129c7b0f201fc315f98dbefbc12ee3b8da2473a14

SHA512
a1dcc93cfa30187137d6a06bd0f8aa7d2d5b43c09029a5df206682b90b070c1c57357aed38a9d98e527409a7dfffbe9ec22b4818a1643573028e2db219ddd836

Download Submit
memory/496-35-0x0000000000AF0000-0x0000000000BDC000-memory.dmp

Filesize
944KB

Download
memory/2712-13-0x00000000000F0000-0x00000000001DC000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads