dcrat | 4b6302643800dafe4629960e243ba26663f8510c42f4eaf656b1cc510406e408

General

Target

portperf.exe
Size

829KB
MD5

a054982f7e12c1f491eccd25d9c1b5d7
SHA1

b3c78b1c7c8a95486db06e39f56910d0f3e90996
SHA256

4b6302643800dafe4629960e243ba26663f8510c42f4eaf656b1cc510406e408
SHA512

d57be5af22f21e7c20d330f5714ddcf1936152e3d9bd2254c1a2c83f420bfe183ae204c871b1ce2d8f5361a1661afbe39a9b5bec12fb00195a8c0b967977a925
SSDEEP

24576:b3eblFYt2e9esxtDyVjD7D1NauFd3YP+ow7:b2rejxtDydhc

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2656	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2656	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2656	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2656	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2656	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2656	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2656	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2656	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2656	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2656	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2656	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2656	schtasks.exe	31

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2268-1-0x0000000001210000-0x00000000012E6000-memory.dmp	dcrat
behavioral1/files/0x000600000001945c-17.dat	dcrat
behavioral1/memory/2368-19-0x0000000000D20000-0x0000000000DF6000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid	Process
2368	csrss.exe

Drops file in Program Files directory 4 IoCs

Processes:

portperf.exe

description	ioc	Process
File created	C:\Program Files\Java\lsass.exe	portperf.exe
File created	C:\Program Files\Java\6203df4a6bafc7	portperf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe	portperf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\101b941d020240	portperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2712	schtasks.exe
2840	schtasks.exe
2600	schtasks.exe
2568	schtasks.exe
2824	schtasks.exe
2524	schtasks.exe
2988	schtasks.exe
2588	schtasks.exe
2608	schtasks.exe
468	schtasks.exe
1740	schtasks.exe
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

portperf.execsrss.exe

pid	Process
2268	portperf.exe
2368	csrss.exe
2368	csrss.exe
2368	csrss.exe
2368	csrss.exe
2368	csrss.exe
2368	csrss.exe
2368	csrss.exe
2368	csrss.exe
2368	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid	Process
2368	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

portperf.execsrss.exe

description	pid	Process
Token: SeDebugPrivilege	2268	portperf.exe
Token: SeDebugPrivilege	2368	csrss.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

portperf.execmd.exe

description	pid	Process	procid_target
PID 2268 wrote to memory of 2236	2268	portperf.exe	44
PID 2268 wrote to memory of 2236	2268	portperf.exe	44
PID 2268 wrote to memory of 2236	2268	portperf.exe	44
PID 2236 wrote to memory of 1632	2236	cmd.exe	46
PID 2236 wrote to memory of 1632	2236	cmd.exe	46
PID 2236 wrote to memory of 1632	2236	cmd.exe	46
PID 2236 wrote to memory of 2368	2236	cmd.exe	47
PID 2236 wrote to memory of 2368	2236	cmd.exe	47
PID 2236 wrote to memory of 2368	2236	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\portperf.exe
"C:\Users\Admin\AppData\Local\Temp\portperf.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\viRWoNPurg.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1632
- - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe
    "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe

Filesize
829KB

MD5
a054982f7e12c1f491eccd25d9c1b5d7

SHA1
b3c78b1c7c8a95486db06e39f56910d0f3e90996

SHA256
4b6302643800dafe4629960e243ba26663f8510c42f4eaf656b1cc510406e408

SHA512
d57be5af22f21e7c20d330f5714ddcf1936152e3d9bd2254c1a2c83f420bfe183ae204c871b1ce2d8f5361a1661afbe39a9b5bec12fb00195a8c0b967977a925

Download Submit
C:\Users\Admin\AppData\Local\Temp\viRWoNPurg.bat

Filesize
223B

MD5
7e5d29aa8a164e06e3b11ae4133c50d3

SHA1
fc52adb35b03660c2d3c170fd94f38c0df4fd31d

SHA256
53edc5e2472729ec2ee9494a1f2f6e785e8056a6f6c54565ffb509e511d3149a

SHA512
a704effc721959ded5f92bfcdb4b04bff22a1524666432396ce603f655d8cf979f1da26f6127a14c8f7995d5e3f07683c0284ce1ed50b85634d476a5b9aa688a

Download Submit
memory/2268-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/2268-1-0x0000000001210000-0x00000000012E6000-memory.dmp

Filesize
856KB

Download
memory/2268-2-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2268-15-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2368-19-0x0000000000D20000-0x0000000000DF6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads