dcrat | 7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd

General

Target

7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe
Size

1017KB
MD5

d3c5eed3ff2e208576288da3caf4feb7
SHA1

5405262345f60c37eec11c8731f163069137864f
SHA256

7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd
SHA512

b67c12670cd42b816d2be8d6524c8b6122e8b239ff2f006c799f94daa4c9f4eafb24f91bd7208db3c94db926afcc7fbfd05f87f03201f567132984923e38e899
SSDEEP

12288:FWS8z4eYDr/0fAhZRFABcwTiEJad8KZyc2nS1hYLcS4nQsMPd7XSeD6vGaI1qn4M:FWSK6H0fMGcwzJsZZyLwvn2V7nDki+4M

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2524	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1076-1-0x0000000001350000-0x0000000001456000-memory.dmp	dcrat
behavioral1/files/0x000600000001747b-11.dat	dcrat
behavioral1/memory/2652-21-0x0000000000A20000-0x0000000000B26000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe

pid	Process
2652	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log\\7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe\""	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Start Menu\\csrss.exe\""	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Documents and Settings\\lsass.exe\""	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\PerfLogs\\Admin\\winlogon.exe\""	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\icardagt\\smss.exe\""	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe

Drops file in System32 directory 2 IoCs

Processes:

7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe

description	ioc	Process
File created	C:\Windows\System32\icardagt\69ddcba757bf72f7d36c464c71f42baab150b2b9	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe
File created	C:\Windows\System32\icardagt\smss.exe	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2724	schtasks.exe
2448	schtasks.exe
2736	schtasks.exe
2892	schtasks.exe
2740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe

pid	Process
1076	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe
2652	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe

description	pid	Process
Token: SeDebugPrivilege	1076	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe
Token: SeDebugPrivilege	2652	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.execmd.exe

description	pid	Process	procid_target
PID 1076 wrote to memory of 2632	1076	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe	36
PID 1076 wrote to memory of 2632	1076	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe	36
PID 1076 wrote to memory of 2632	1076	7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe	36
PID 2632 wrote to memory of 2656	2632	cmd.exe	38
PID 2632 wrote to memory of 2656	2632	cmd.exe	38
PID 2632 wrote to memory of 2656	2632	cmd.exe	38
PID 2632 wrote to memory of 2652	2632	cmd.exe	39
PID 2632 wrote to memory of 2652	2632	cmd.exe	39
PID 2632 wrote to memory of 2652	2632	cmd.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe
"C:\Users\Admin\AppData\Local\Temp\7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b1FMteJDb9.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2656
- - C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log\7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe
    "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log\7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log\7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Documents and Settings\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\icardagt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b1FMteJDb9.bat

Filesize
322B

MD5
5585d397edeb85a6123798e9f3b1917e

SHA1
88aa4c86c1d7afc6e6bf705ac34c1f60bbc0d757

SHA256
0488a7466f2b5ee296492024d9b3fc7ebca45e533eade7ec78e4b05e3f3c3219

SHA512
f82f4f8888663640afdce1147b0ab02059513f21170eada56a57614ef51f5b7b0f221367ef699b24dc6b718fc20c9430685b8dd58e38953760a399d505bba9b0

Download Submit
C:\Windows\System32\icardagt\smss.exe

Filesize
1017KB

MD5
d3c5eed3ff2e208576288da3caf4feb7

SHA1
5405262345f60c37eec11c8731f163069137864f

SHA256
7b62293bc123569809bdf209855dfdcfb1c155295e1284ebe500a737267547dd

SHA512
b67c12670cd42b816d2be8d6524c8b6122e8b239ff2f006c799f94daa4c9f4eafb24f91bd7208db3c94db926afcc7fbfd05f87f03201f567132984923e38e899

Download Submit
memory/1076-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/1076-1-0x0000000001350000-0x0000000001456000-memory.dmp

Filesize
1.0MB

Download
memory/1076-2-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/1076-18-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-21-0x0000000000A20000-0x0000000000B26000-memory.dmp

Filesize
1.0MB

Download
memory/2652-22-0x0000000000150000-0x000000000015E000-memory.dmp

Filesize
56KB

Download
memory/2652-23-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads