dcrat | d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75

General

Target

d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
Size

1.5MB
MD5

bdf8dba699d63caad5ea9a29a0f6dfda
SHA1

60b104b39c4b843e982fba55dc94ca89c444a315
SHA256

d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75
SHA512

d2200cbbe4312dc5f0c57d45306ac1dd988f8b4892b036ca2b7f05bf0d75f213303b7d4e20a0e0b39862c0d59966468458ba37db084e1972b58b8a6ebce3fa6a
SSDEEP

24576:Q2G/nvxW3W8ARZJJJJjsJJJJvJHJJJJJJ/wYnWW5Yxwo06RF91aOd9lfLQP9gMsD:QbA34VAb5J8RFyA10DsGxpQ

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		5088	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
		3944	schtasks.exe
		2244	schtasks.exe
		1944	schtasks.exe
		4144	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	5008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	5008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	5008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	5008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	5008	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b79-10.dat	dcrat
behavioral2/memory/3676-13-0x0000000000D00000-0x0000000000DEC000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sessionMonitordriverCrtMonitor.exe

Executes dropped EXE 2 IoCs

pid	Process
3676	sessionMonitordriverCrtMonitor.exe
2800	unsecapp.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sessionMonitordriverCrtMonitor = "\"C:\\Program Files\\Windows Media Player\\ja-JP\\sessionMonitordriverCrtMonitor.exe\""	sessionMonitordriverCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\TrustedInstaller.exe\""	sessionMonitordriverCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\fr-FR\\unsecapp.exe\""	sessionMonitordriverCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\comctl32\\RuntimeBroker.exe\""	sessionMonitordriverCrtMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\""	sessionMonitordriverCrtMonitor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\comctl32\RuntimeBroker.exe	sessionMonitordriverCrtMonitor.exe
File created	C:\Windows\System32\comctl32\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	sessionMonitordriverCrtMonitor.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\ja-JP\sessionMonitordriverCrtMonitor.exe	sessionMonitordriverCrtMonitor.exe
File created	C:\Program Files\Windows Media Player\ja-JP\7560480a87071f9d961157b1d8d2f0ab49def21c	sessionMonitordriverCrtMonitor.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\TrustedInstaller.exe	sessionMonitordriverCrtMonitor.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\04c1e7795967e4ccf081675b1d8567f1dfb39cfd	sessionMonitordriverCrtMonitor.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\unsecapp.exe	sessionMonitordriverCrtMonitor.exe
File opened for modification	C:\Windows\fr-FR\unsecapp.exe	sessionMonitordriverCrtMonitor.exe
File created	C:\Windows\fr-FR\29c1c3cc0f76855c7e7456076a4ffc27e4947119	sessionMonitordriverCrtMonitor.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe	sessionMonitordriverCrtMonitor.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\55b276f4edf653fe07efe8f1ecc32d3d195abd16	sessionMonitordriverCrtMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sessionMonitordriverCrtMonitor.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5088	schtasks.exe
3944	schtasks.exe
2244	schtasks.exe
1944	schtasks.exe
4144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3676	sessionMonitordriverCrtMonitor.exe
2800	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3676	sessionMonitordriverCrtMonitor.exe
Token: SeDebugPrivilege	2800	unsecapp.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 4908	2236	d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe	82
PID 2236 wrote to memory of 4908	2236	d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe	82
PID 2236 wrote to memory of 4908	2236	d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe	82
PID 4908 wrote to memory of 2328	4908	WScript.exe	87
PID 4908 wrote to memory of 2328	4908	WScript.exe	87
PID 4908 wrote to memory of 2328	4908	WScript.exe	87
PID 2328 wrote to memory of 3676	2328	cmd.exe	90
PID 2328 wrote to memory of 3676	2328	cmd.exe	90
PID 3676 wrote to memory of 1092	3676	sessionMonitordriverCrtMonitor.exe	96
PID 3676 wrote to memory of 1092	3676	sessionMonitordriverCrtMonitor.exe	96
PID 1092 wrote to memory of 2556	1092	cmd.exe	98
PID 1092 wrote to memory of 2556	1092	cmd.exe	98
PID 1092 wrote to memory of 2800	1092	cmd.exe	101
PID 1092 wrote to memory of 2800	1092	cmd.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe
"C:\Users\Admin\AppData\Local\Temp\d9bfa2b5b08b1708ce9083cd1ce174e5f38fc7e92e17aa2148a5b1a388b27f75.exe"
1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\sessionMonitor\yKWvGem3BjBd.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\sessionMonitor\sAhrfeOmh26XUgm.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\sessionMonitor\sessionMonitordriverCrtMonitor.exe
      "C:\sessionMonitor\sessionMonitordriverCrtMonitor.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzvpMeoCuQ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1092
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2556
      - C:\Windows\fr-FR\unsecapp.exe
        
        "C:\Windows\fr-FR\unsecapp.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\comctl32\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sessionMonitordriverCrtMonitor" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\sessionMonitordriverCrtMonitor.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MzvpMeoCuQ.bat

Filesize
193B

MD5
28036d5aba76ce83c1c646481068449f

SHA1
c3649d7a64e1d408f25776094fca2828a4459c99

SHA256
484cb2eddfe485f58eedd2b903873db8a3ce97bf9a6b8a5cfa3a321015a79dea

SHA512
6004ea99cec8cdf98adf27d2cac436dc395b25bb6ba4f2f4851ec7c8a15d2ea74b6f29f3bcc93ad400426d6e015bc99cf5ee7c26fcb89e3d06c0784acc7bac22

Download Submit
C:\sessionMonitor\sAhrfeOmh26XUgm.bat

Filesize
54B

MD5
b768018829ff0d793581de74a77fefbc

SHA1
7ed52d592e48aae0f2c6d787848a551733da0992

SHA256
3c4f92a5815ed7905dcf662250f92066291dd1fe3d72778ddcc5618c6fd9ac1e

SHA512
c06ae8e9b5e60c7013673dc8786f8a4e0bb5749af0ed9766935a103d866ce0e79feb49fa5db02d34cdf4f93d74152852bd88cdbbbff78fc72e6a74a0d7581f91

Download Submit
C:\sessionMonitor\sessionMonitordriverCrtMonitor.exe

Filesize
912KB

MD5
ad4510fe830bfd34f52dff2e550ceda8

SHA1
e5c892210dfa873f5de94f391586333af3a0e4e6

SHA256
1623da1c762e72dc669be09129c7b0f201fc315f98dbefbc12ee3b8da2473a14

SHA512
a1dcc93cfa30187137d6a06bd0f8aa7d2d5b43c09029a5df206682b90b070c1c57357aed38a9d98e527409a7dfffbe9ec22b4818a1643573028e2db219ddd836

Download Submit
C:\sessionMonitor\yKWvGem3BjBd.vbe

Filesize
206B

MD5
c71311d680117ae76fd803c7729b0f2e

SHA1
71b4746c7a7c7d13af5ef8f08e2cf7e5a8bf0c5c

SHA256
1028dc026cf11c71dcfd49ffe23504013fa3b291c4a38d3554d31d9579083fe0

SHA512
ccc8a8ff690948f6b3158794636960483d2a7a38be8a6be6b1bee92d9684c06ec109831d50e3f39b0df0a319e788398136c4ca91e8de79cde3a0fef560bb7c06

Download Submit
memory/3676-12-0x00007FFA4BFE3000-0x00007FFA4BFE5000-memory.dmp

Filesize
8KB

Download
memory/3676-13-0x0000000000D00000-0x0000000000DEC000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads