dcrat | e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc

General

Target

e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe
Size

1.4MB
MD5

0745161ebca7b94e13caca7a0f89b7fb
SHA1

9dfb820c738616a08042081cda0c4dcbdbb4a970
SHA256

e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc
SHA512

d7bfe29f1e5a73c1dc8e31d148dd4e62265f5d7a3897061cba9d63bfa6541cab77aabfb17f89c090092f980f132a55f7eab5e6da99a2eece21afde3db02a67be
SSDEEP

24576:z2G/nvxW3WwL+zdHJ2zljtfM8zCxqY3+SiSals+S5WhqN7+4H:zbA3f+hp4Zle+SIqNqo

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exee4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		640	schtasks.exe
		2552	schtasks.exe
		784	schtasks.exe
		776	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe
		2628	schtasks.exe
		2756	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2168	schtasks.exe	34

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x0008000000016fc9-11.dat	dcrat
behavioral1/memory/2864-13-0x00000000000A0000-0x00000000001BE000-memory.dmp	dcrat
behavioral1/memory/2648-32-0x0000000001380000-0x000000000149E000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

ReviewsessionbrokerdllBrokerhostNet.exedwm.exe

pid	Process
2864	ReviewsessionbrokerdllBrokerhostNet.exe
2648	dwm.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2996	cmd.exe
2996	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ReviewsessionbrokerdllBrokerhostNet.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\wpcumi\\dwm.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Libraries\\csrss.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\cliconfg\\conhost.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Admin\\Searches\\smss.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Reviewsessionbrokerdll\\dwm.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\cmd.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe

Drops file in System32 directory 5 IoCs

Processes:

ReviewsessionbrokerdllBrokerhostNet.exe

description	ioc	Process
File created	C:\Windows\System32\wpcumi\dwm.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File opened for modification	C:\Windows\System32\wpcumi\dwm.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\System32\wpcumi\6cb0b6c459d5d3455a3da700e713f2e2529862ff	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\System32\cliconfg\conhost.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\System32\cliconfg\088424020bedd6b28ac7fd22ee35dcd7322895ce	ReviewsessionbrokerdllBrokerhostNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
776	schtasks.exe
2628	schtasks.exe
2756	schtasks.exe
640	schtasks.exe
2552	schtasks.exe
784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ReviewsessionbrokerdllBrokerhostNet.exedwm.exe

pid	Process
2864	ReviewsessionbrokerdllBrokerhostNet.exe
2648	dwm.exe
2648	dwm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ReviewsessionbrokerdllBrokerhostNet.exedwm.exe

description	pid	Process
Token: SeDebugPrivilege	2864	ReviewsessionbrokerdllBrokerhostNet.exe
Token: SeDebugPrivilege	2648	dwm.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exeWScript.execmd.exeReviewsessionbrokerdllBrokerhostNet.exe

description	pid	Process	procid_target
PID 2820 wrote to memory of 2212	2820	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe	30
PID 2820 wrote to memory of 2212	2820	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe	30
PID 2820 wrote to memory of 2212	2820	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe	30
PID 2820 wrote to memory of 2212	2820	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe	30
PID 2212 wrote to memory of 2996	2212	WScript.exe	31
PID 2212 wrote to memory of 2996	2212	WScript.exe	31
PID 2212 wrote to memory of 2996	2212	WScript.exe	31
PID 2212 wrote to memory of 2996	2212	WScript.exe	31
PID 2996 wrote to memory of 2864	2996	cmd.exe	33
PID 2996 wrote to memory of 2864	2996	cmd.exe	33
PID 2996 wrote to memory of 2864	2996	cmd.exe	33
PID 2996 wrote to memory of 2864	2996	cmd.exe	33
PID 2864 wrote to memory of 2648	2864	ReviewsessionbrokerdllBrokerhostNet.exe	41
PID 2864 wrote to memory of 2648	2864	ReviewsessionbrokerdllBrokerhostNet.exe	41
PID 2864 wrote to memory of 2648	2864	ReviewsessionbrokerdllBrokerhostNet.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe
"C:\Users\Admin\AppData\Local\Temp\e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Reviewsessionbrokerdll\lVMLXJBAdPIapT.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Reviewsessionbrokerdll\A6Eco3zU0RirI70.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Reviewsessionbrokerdll\ReviewsessionbrokerdllBrokerhostNet.exe
      "C:\Reviewsessionbrokerdll\ReviewsessionbrokerdllBrokerhostNet.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\System32\wpcumi\dwm.exe
        
        "C:\Windows\System32\wpcumi\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\wpcumi\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\cliconfg\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Searches\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Reviewsessionbrokerdll\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Reviewsessionbrokerdll\A6Eco3zU0RirI70.bat

Filesize
67B

MD5
88c29e093073e22265a1b092448f78ff

SHA1
7562a360c1ec30c93f3897fef165265e9b83c641

SHA256
1c948ec9ca40c8a579471b1a7353c3c06cb4c961993962304fb0f60cfaee7333

SHA512
51447ebfe6eaa496eb449bf8ff5184389a6d89ed36042e8916663587e1e0a2b563e8a977adab3d1e7c6c32d7d74eb0b1c7ee21d68b68202d114d877269a76f1e

Download Submit
C:\Reviewsessionbrokerdll\lVMLXJBAdPIapT.vbe

Filesize
214B

MD5
f3e2d57473806af2657d0ecc4d9776cb

SHA1
8d215aef321e642586cbdf25d251b60a42aa41c3

SHA256
e05139fb41a25ef9796b27b604fb54b27394e5f5b33874d4b15445d9de2fbcca

SHA512
0d7b22cc29c82c175309ea5da45ce6f159022cc45e21f950add7ce24b3cde62c74b4eb598300bab1e1244fb8a963be29388baa2f6333033fd0dce6c3fcca04db

Download Submit
\Reviewsessionbrokerdll\ReviewsessionbrokerdllBrokerhostNet.exe

Filesize
1.1MB

MD5
1612f102a43924196f6c67852264eee8

SHA1
49b0ca8d344345a84622d020b1b8d4057ab02868

SHA256
cd7d786f6ffe4622aad7f8f7bba9de05c09cf37ed9a4c21a398e92808bd13d35

SHA512
f32d5d110ac8c1356a70fe204c9e12663db2df4f35943532d81b277d597b28da92ec8550957479cb1a070564e8518839469a2a2dac4477b60fa1a203e5b371d4

Download Submit
memory/2648-37-0x0000000000A10000-0x0000000000A18000-memory.dmp

Filesize
32KB

Download
memory/2648-32-0x0000000001380000-0x000000000149E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-33-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2648-34-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2648-36-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2648-35-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2648-38-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/2648-39-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/2648-41-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/2648-40-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/2864-13-0x00000000000A0000-0x00000000001BE000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads