dcrat | e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc

General

Target

e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe
Size

1.4MB
MD5

0745161ebca7b94e13caca7a0f89b7fb
SHA1

9dfb820c738616a08042081cda0c4dcbdbb4a970
SHA256

e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc
SHA512

d7bfe29f1e5a73c1dc8e31d148dd4e62265f5d7a3897061cba9d63bfa6541cab77aabfb17f89c090092f980f132a55f7eab5e6da99a2eece21afde3db02a67be
SSDEEP

24576:z2G/nvxW3WwL+zdHJ2zljtfM8zCxqY3+SiSals+S5WhqN7+4H:zbA3f+hp4Zle+SIqNqo

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat 10 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exee4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2916	schtasks.exe
2224	schtasks.exe
3044	schtasks.exe
2072	schtasks.exe
2876	schtasks.exe
4124	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe
2640	schtasks.exe
4640	schtasks.exe
3944	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	4712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	4712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	4712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	4712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	4712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	4712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	4712	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Reviewsessionbrokerdll\ReviewsessionbrokerdllBrokerhostNet.exe	dcrat
behavioral2/memory/3456-13-0x0000000000880000-0x000000000099E000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exeWScript.exeReviewsessionbrokerdllBrokerhostNet.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ReviewsessionbrokerdllBrokerhostNet.exe

Executes dropped EXE 2 IoCs

Processes:

ReviewsessionbrokerdllBrokerhostNet.exeunsecapp.exe

pid process

3456 ReviewsessionbrokerdllBrokerhostNet.exe
4884 unsecapp.exe

pid	process
3456	ReviewsessionbrokerdllBrokerhostNet.exe
4884	unsecapp.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ReviewsessionbrokerdllBrokerhostNet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\OfficeClickToRun.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\ucrtbase_enclave\\fontdrvhost.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Documents and Settings\\sihost.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\PerfLogs\\dwm.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\ProgramData\\Package Cache\\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\\sysmon.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\spoolsv.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\ShellExperiences\\SppExtComObj.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\portabledevicetypes\\unsecapp.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ReviewsessionbrokerdllBrokerhostNet = "\"C:\\Reviewsessionbrokerdll\\ReviewsessionbrokerdllBrokerhostNet\\ReviewsessionbrokerdllBrokerhostNet.exe\""	ReviewsessionbrokerdllBrokerhostNet.exe

Drops file in System32 directory 4 IoCs

Processes:

ReviewsessionbrokerdllBrokerhostNet.exe

description	ioc	process
File created	C:\Windows\System32\wbem\portabledevicetypes\unsecapp.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\System32\wbem\portabledevicetypes\29c1c3cc0f76855c7e7456076a4ffc27e4947119	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\System32\ucrtbase_enclave\fontdrvhost.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\System32\ucrtbase_enclave\5b884080fd4f94e2695da25c503f9e33b9605b83	ReviewsessionbrokerdllBrokerhostNet.exe

Drops file in Program Files directory 2 IoCs

Processes:

ReviewsessionbrokerdllBrokerhostNet.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\OfficeClickToRun.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\e6c9b481da804f07baff8eff543b0a1441069b5d	ReviewsessionbrokerdllBrokerhostNet.exe

Drops file in Windows directory 2 IoCs

Processes:

ReviewsessionbrokerdllBrokerhostNet.exe

description	ioc	process
File created	C:\Windows\ShellExperiences\SppExtComObj.exe	ReviewsessionbrokerdllBrokerhostNet.exe
File created	C:\Windows\ShellExperiences\e1ef82546f0b02b7e974f28047f3788b1128cce1	ReviewsessionbrokerdllBrokerhostNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exee4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

Processes:

e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2640	schtasks.exe
2916	schtasks.exe
3944	schtasks.exe
2072	schtasks.exe
4124	schtasks.exe
2224	schtasks.exe
4640	schtasks.exe
3044	schtasks.exe
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ReviewsessionbrokerdllBrokerhostNet.exeunsecapp.exe

pid process

3456 ReviewsessionbrokerdllBrokerhostNet.exe
4884 unsecapp.exe
4884 unsecapp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ReviewsessionbrokerdllBrokerhostNet.exeunsecapp.exe

description pid process

Token: SeDebugPrivilege 3456 ReviewsessionbrokerdllBrokerhostNet.exe
Token: SeDebugPrivilege 4884 unsecapp.exe

pid	process
3456	ReviewsessionbrokerdllBrokerhostNet.exe
4884	unsecapp.exe
4884	unsecapp.exe

description	pid	process
Token: SeDebugPrivilege	3456	ReviewsessionbrokerdllBrokerhostNet.exe
Token: SeDebugPrivilege	4884	unsecapp.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exeWScript.execmd.exeReviewsessionbrokerdllBrokerhostNet.exe

description	pid	process	target process
PID 1512 wrote to memory of 4584	1512	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe	WScript.exe
PID 1512 wrote to memory of 4584	1512	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe	WScript.exe
PID 1512 wrote to memory of 4584	1512	e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe	WScript.exe
PID 4584 wrote to memory of 3676	4584	WScript.exe	cmd.exe
PID 4584 wrote to memory of 3676	4584	WScript.exe	cmd.exe
PID 4584 wrote to memory of 3676	4584	WScript.exe	cmd.exe
PID 3676 wrote to memory of 3456	3676	cmd.exe	ReviewsessionbrokerdllBrokerhostNet.exe
PID 3676 wrote to memory of 3456	3676	cmd.exe	ReviewsessionbrokerdllBrokerhostNet.exe
PID 3456 wrote to memory of 4884	3456	ReviewsessionbrokerdllBrokerhostNet.exe	unsecapp.exe
PID 3456 wrote to memory of 4884	3456	ReviewsessionbrokerdllBrokerhostNet.exe	unsecapp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe
"C:\Users\Admin\AppData\Local\Temp\e4ddc55ae7aa7e087eadaa449eeed1a7de253565f7b2ef53c2e9bfec5d55dcfc.exe"
1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Reviewsessionbrokerdll\lVMLXJBAdPIapT.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Reviewsessionbrokerdll\A6Eco3zU0RirI70.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Reviewsessionbrokerdll\ReviewsessionbrokerdllBrokerhostNet.exe
      "C:\Reviewsessionbrokerdll\ReviewsessionbrokerdllBrokerhostNet.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Windows\System32\wbem\portabledevicetypes\unsecapp.exe
        
        "C:\Windows\System32\wbem\portabledevicetypes\unsecapp.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ReviewsessionbrokerdllBrokerhostNet" /sc ONLOGON /tr "'C:\Reviewsessionbrokerdll\ReviewsessionbrokerdllBrokerhostNet\ReviewsessionbrokerdllBrokerhostNet.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\ucrtbase_enclave\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\portabledevicetypes\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Documents and Settings\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\PerfLogs\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Reviewsessionbrokerdll\A6Eco3zU0RirI70.bat

Filesize
67B

MD5
88c29e093073e22265a1b092448f78ff

SHA1
7562a360c1ec30c93f3897fef165265e9b83c641

SHA256
1c948ec9ca40c8a579471b1a7353c3c06cb4c961993962304fb0f60cfaee7333

SHA512
51447ebfe6eaa496eb449bf8ff5184389a6d89ed36042e8916663587e1e0a2b563e8a977adab3d1e7c6c32d7d74eb0b1c7ee21d68b68202d114d877269a76f1e

Download Submit
C:\Reviewsessionbrokerdll\ReviewsessionbrokerdllBrokerhostNet.exe

Filesize
1.1MB

MD5
1612f102a43924196f6c67852264eee8

SHA1
49b0ca8d344345a84622d020b1b8d4057ab02868

SHA256
cd7d786f6ffe4622aad7f8f7bba9de05c09cf37ed9a4c21a398e92808bd13d35

SHA512
f32d5d110ac8c1356a70fe204c9e12663db2df4f35943532d81b277d597b28da92ec8550957479cb1a070564e8518839469a2a2dac4477b60fa1a203e5b371d4

Download Submit
C:\Reviewsessionbrokerdll\lVMLXJBAdPIapT.vbe

Filesize
214B

MD5
f3e2d57473806af2657d0ecc4d9776cb

SHA1
8d215aef321e642586cbdf25d251b60a42aa41c3

SHA256
e05139fb41a25ef9796b27b604fb54b27394e5f5b33874d4b15445d9de2fbcca

SHA512
0d7b22cc29c82c175309ea5da45ce6f159022cc45e21f950add7ce24b3cde62c74b4eb598300bab1e1244fb8a963be29388baa2f6333033fd0dce6c3fcca04db

Download Submit
memory/3456-12-0x00007FFC2DE83000-0x00007FFC2DE85000-memory.dmp

Filesize
8KB

Download
memory/3456-13-0x0000000000880000-0x000000000099E000-memory.dmp

Filesize
1.1MB

Download
memory/4884-44-0x0000000000DB0000-0x0000000000DBA000-memory.dmp

Filesize
40KB

Download
memory/4884-43-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/4884-45-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/4884-46-0x0000000000DD0000-0x0000000000DDE000-memory.dmp

Filesize
56KB

Download
memory/4884-47-0x0000000000DE0000-0x0000000000DE8000-memory.dmp

Filesize
32KB

Download
memory/4884-48-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/4884-49-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/4884-50-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/4884-51-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads