dcrat | 7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0

General

Target

7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe
Size

2.2MB
MD5

9216216496e6c197b4e285475c9bebac
SHA1

8594c011aae6acc0d656e99217df04a046608962
SHA256

7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0
SHA512

618884f78c133a55bbdc5c230f4459c587b79ccbe94e856e371fca7a9266b8a8f627ce63c63ca35f79e65788748c2837893f14efb8365b39e1ed3e520b512a17
SSDEEP

49152:ubA3jith94T3QphlQ5Tye/90Ytxj5rP6PFAfpG:ubb7jhi5ee/mYt55JhG

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	756	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	756	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	756	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	756	schtasks.exe	91

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b88-10.dat	dcrat
behavioral2/memory/1004-13-0x00000000007D0000-0x00000000009C0000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WindowsUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe

Executes dropped EXE 2 IoCs

pid	Process
1004	WindowsUpdate.exe
2012	conhost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\KBDHE220\\conhost.exe\""	WindowsUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\rsop\\WmiPrvSE.exe\""	WindowsUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Speech_OneCore\\Engines\\Lexicon\\de-DE\\RuntimeBroker.exe\""	WindowsUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Media Player\\ja-JP\\RuntimeBroker.exe\""	WindowsUpdate.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\KBDHE220\conhost.exe	WindowsUpdate.exe
File created	C:\Windows\System32\wbem\rsop\24dbde2999530ef5fd907494bc374d663924116c	WindowsUpdate.exe
File created	C:\Windows\SysWOW64\5IlRwyXLFi3608ayPXHnvGiekNy.bat	7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe
File created	C:\Windows\SysWOW64\WindowsUpdate.exe	7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate.exe	7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe
File opened for modification	C:\Windows\SysWOW64\eVQQIZLpFYxcw09smsiF15.vbe	7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe
File created	C:\Windows\System32\KBDHE220\088424020bedd6b28ac7fd22ee35dcd7322895ce	WindowsUpdate.exe
File created	C:\Windows\System32\wbem\rsop\WmiPrvSE.exe	WindowsUpdate.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240625812	7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe
File opened for modification	C:\Windows\SysWOW64\5IlRwyXLFi3608ayPXHnvGiekNy.bat	7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe
File created	C:\Windows\SysWOW64\eVQQIZLpFYxcw09smsiF15.vbe	7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe
File created	C:\Windows\System32\KBDHE220\conhost.exe	WindowsUpdate.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\ja-JP\RuntimeBroker.exe	WindowsUpdate.exe
File created	C:\Program Files\Windows Media Player\ja-JP\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	WindowsUpdate.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\de-DE\RuntimeBroker.exe	WindowsUpdate.exe
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\de-DE\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	WindowsUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1972	schtasks.exe
3256	schtasks.exe
2456	schtasks.exe
1892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1004	WindowsUpdate.exe
2012	conhost.exe
2012	conhost.exe
2012	conhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1004	WindowsUpdate.exe
Token: SeDebugPrivilege	2012	conhost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 3416	2716	7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe	85
PID 2716 wrote to memory of 3416	2716	7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe	85
PID 2716 wrote to memory of 3416	2716	7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe	85
PID 3416 wrote to memory of 4028	3416	WScript.exe	100
PID 3416 wrote to memory of 4028	3416	WScript.exe	100
PID 3416 wrote to memory of 4028	3416	WScript.exe	100
PID 4028 wrote to memory of 1004	4028	cmd.exe	102
PID 4028 wrote to memory of 1004	4028	cmd.exe	102
PID 1004 wrote to memory of 2012	1004	WindowsUpdate.exe	107
PID 1004 wrote to memory of 2012	1004	WindowsUpdate.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe
"C:\Users\Admin\AppData\Local\Temp\7adf09fdd827cb01637e9cd12a916c3f8d842b9f894463b35f2f8ddc33b2c8e0.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System32\eVQQIZLpFYxcw09smsiF15.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\5IlRwyXLFi3608ayPXHnvGiekNy.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Windows\SysWOW64\WindowsUpdate.exe
      "C:\Windows\System32\WindowsUpdate.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Windows\System32\KBDHE220\conhost.exe
        
        "C:\Windows\System32\KBDHE220\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDHE220\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\rsop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\5IlRwyXLFi3608ayPXHnvGiekNy.bat

Filesize
39B

MD5
960aba1530cf2920700e5389231b8a2c

SHA1
5606d622b604f299e91fb34e0b4e95c1cfcd8914

SHA256
eda5637d6f9db3bfb443f16c6f2886759a071a9b580f30d32c5b5806a93d820b

SHA512
8ea4fac1bf54aadd73a3c3e5c8ff187368dd5373ae6c9bc24a31eeec87c9a979007594a0da83f7a08ca55b3e787f9b614df315726c13c0b6c4a101e5ba4556f0

Download Submit
C:\Windows\SysWOW64\WindowsUpdate.exe

Filesize
1.9MB

MD5
7db2fa8fcff97c80b1bffcb46afddba3

SHA1
6209e62e125d8ac986d34e7d14a91c9a37228ac6

SHA256
fa885be755063269ce486c1581494ca5dd97f9cfbfeab6a023586388b29e80e6

SHA512
9a94070dbf687c076a5f48221b81675c67a6036f7021a0d37fe100254aed7909dabc70c3ae36f95993c363ee815cedd9be7d6161784d6689fa6293f78938320d

Download Submit
C:\Windows\SysWOW64\eVQQIZLpFYxcw09smsiF15.vbe

Filesize
221B

MD5
df873359d9d515276e32023a0b0b15f1

SHA1
0f1cb6b83622af36cd097e314680d318620e0136

SHA256
3537382bc74be14a9085c5d354021266e7e0c15ccd05e0c272a4639dfcdbacb4

SHA512
955611adb8ef73aea9dffb234b54d2e6216194ebde54b973a304b5d57f409b11d27fd7dc6632f15ae0508554e43daa7585b7f2d182343c617bfa1335c9e54e02

Download Submit
memory/1004-12-0x00007FFA89093000-0x00007FFA89095000-memory.dmp

Filesize
8KB

Download
memory/1004-13-0x00000000007D0000-0x00000000009C0000-memory.dmp

Filesize
1.9MB

Download
memory/2012-33-0x0000000000D80000-0x0000000000D88000-memory.dmp

Filesize
32KB

Download
memory/2012-34-0x0000000002550000-0x00000000025A6000-memory.dmp

Filesize
344KB

Download
memory/2012-35-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/2012-36-0x00000000025B0000-0x00000000025B8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads