dcrat | 8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b

General

Target

8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
Size

2.0MB
MD5

0707542d6d884c5c595b38ebedd025c9
SHA1

686f867f37c8aca23ea3cc298dec856667c1afcd
SHA256

8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b
SHA512

945eeeadb00c19934d034cfb9bd158246e2fcb989bb8808ce3fffee7707cc4ae1f83310db961ecfbd0bc99304b8c041ec7e4ee83893d1db7eac54910970cccc0
SSDEEP

49152:fA6rKdfybQlb8Em0lP/PHNQsGE6+tlcwDXbuvDtkI:XrKngUlPtQsG831burKI

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2660	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2660	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2996-1-0x0000000000D20000-0x0000000000F32000-memory.dmp	dcrat
C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe	dcrat
behavioral1/memory/864-27-0x0000000000FF0000-0x0000000001202000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

864 dllhost.exe

pid	process
864	dllhost.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FXSAPIDebugLogFile\\8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe\""	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\smss.exe\""	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Videos\\Sample Videos\\dllhost.exe\""	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\AuditNativeSnapIn\\csrss.exe\""	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\wiascanprofiles\\taskhost.exe\""	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Documents and Settings\\taskhost.exe\""	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\EhStorPwdMgr\\dllhost.exe\""	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\desktop\\csrss.exe\""	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe

Drops file in System32 directory 8 IoCs

Processes:

8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe

description	ioc	process
File created	C:\Windows\System32\desktop\886983d96e3d3e31032c679b2d4ea91b6c05afef	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
File created	C:\Windows\System32\AuditNativeSnapIn\csrss.exe	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
File created	C:\Windows\System32\AuditNativeSnapIn\886983d96e3d3e31032c679b2d4ea91b6c05afef	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
File created	C:\Windows\System32\wiascanprofiles\taskhost.exe	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
File created	C:\Windows\System32\wiascanprofiles\b75386f1303e64d8139363b71e44ac16341adf4e	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
File created	C:\Windows\System32\EhStorPwdMgr\dllhost.exe	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
File created	C:\Windows\System32\EhStorPwdMgr\5940a34987c99120d96dace90a3f93f329dcad63	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
File created	C:\Windows\System32\desktop\csrss.exe	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2712 schtasks.exe
2836 schtasks.exe
2688 schtasks.exe
2516 schtasks.exe
2628 schtasks.exe
1308 schtasks.exe
1524 schtasks.exe
1968 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exedllhost.exe

pid process

2996 8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
864 dllhost.exe

pid	process
2712	schtasks.exe
2836	schtasks.exe
2688	schtasks.exe
2516	schtasks.exe
2628	schtasks.exe
1308	schtasks.exe
1524	schtasks.exe
1968	schtasks.exe

pid	process
2996	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
864	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	2996	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
Token: SeDebugPrivilege	864	dllhost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.execmd.exe

description	pid	process	target process
PID 2996 wrote to memory of 2640	2996	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe	cmd.exe
PID 2996 wrote to memory of 2640	2996	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe	cmd.exe
PID 2996 wrote to memory of 2640	2996	8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe	cmd.exe
PID 2640 wrote to memory of 1320	2640	cmd.exe	w32tm.exe
PID 2640 wrote to memory of 1320	2640	cmd.exe	w32tm.exe
PID 2640 wrote to memory of 1320	2640	cmd.exe	w32tm.exe
PID 2640 wrote to memory of 864	2640	cmd.exe	dllhost.exe
PID 2640 wrote to memory of 864	2640	cmd.exe	dllhost.exe
PID 2640 wrote to memory of 864	2640	cmd.exe	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe
"C:\Users\Admin\AppData\Local\Temp\8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G1H3s7vBeH.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1320
- - C:\Users\Public\Videos\Sample Videos\dllhost.exe
    "C:\Users\Public\Videos\Sample Videos\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Documents and Settings\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\EhStorPwdMgr\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile\8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\AuditNativeSnapIn\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\wiascanprofiles\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe

Filesize
2.0MB

MD5
0707542d6d884c5c595b38ebedd025c9

SHA1
686f867f37c8aca23ea3cc298dec856667c1afcd

SHA256
8bc4ca0ef9348f4a331f850af113f2134c0aba41f6a1e9dd26f9b34db34b473b

SHA512
945eeeadb00c19934d034cfb9bd158246e2fcb989bb8808ce3fffee7707cc4ae1f83310db961ecfbd0bc99304b8c041ec7e4ee83893d1db7eac54910970cccc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\G1H3s7vBeH.bat

Filesize
212B

MD5
6cd011c2c9b66ccfd433b5f2813b3667

SHA1
6e2b41eb23092ba1463560568fb872ddf02a4020

SHA256
75793bb321b068e47f3a306b69f35f9c036c4668301f93b9b9dafeb865a33203

SHA512
445a817a453a3f12a2f58e84717d4b93068e252cc92c3ccf5a7e38edf516ad64d89537c72a62cbcf5ea5af8e02b801eadae6991092978416353b165a935e5141

Download Submit
memory/864-27-0x0000000000FF0000-0x0000000001202000-memory.dmp

Filesize
2.1MB

Download
memory/864-28-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/864-29-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/864-30-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/864-31-0x00000000003F0000-0x0000000000446000-memory.dmp

Filesize
344KB

Download
memory/864-32-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/864-33-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/864-34-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2996-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-23-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-1-0x0000000000D20000-0x0000000000F32000-memory.dmp

Filesize
2.1MB

Download
memory/2996-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads