dcrat | 4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323

General

Target

4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323.exe
Size

924KB
MD5

e44a6dd4f61c4c3138fc1c81f13ce0a9
SHA1

a8479aee1b3e22cd059cf38b3110d69a5504102b
SHA256

4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323
SHA512

ec423fe26d7e9a7a726bbbfe2d7dd7c0235c6bc3111e795d0d99b4ee76b453d1e548bd943e29ee7d607a7f39ed8f78f20ae5885d77f8e6db35607806616b3219
SSDEEP

12288:aRZ+IoG/n9IQxW3OBsee2X+t4RboqnOH0qhDD2hBM5biqZUAu09SwRRpfcg:U2G/nvxW3Ww0to+OHt7iefRpft

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2712	schtasks.exe
		2616	schtasks.exe
		1224	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323.exe
		2732	schtasks.exe
		2724	schtasks.exe
		2788	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2808	schtasks.exe	34

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000161fb-9.dat	dcrat
behavioral1/memory/2780-13-0x0000000000F00000-0x0000000000FA0000-memory.dmp	dcrat
behavioral1/memory/2588-33-0x00000000008F0000-0x0000000000990000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2780	SessionHostmonitorNetsavesHost.exe
2588	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1844	cmd.exe
1844	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SessionHostmonitorNetsavesHost = "\"C:\\ProgramData\\Adobe\\Acrobat\\9.0\\Replicate\\Security\\SessionHostmonitorNetsavesHost.exe\""	SessionHostmonitorNetsavesHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\RpcNs4\\sppsvc.exe\""	SessionHostmonitorNetsavesHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\RmClient\\taskhost.exe\""	SessionHostmonitorNetsavesHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\uudf\\conhost.exe\""	SessionHostmonitorNetsavesHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Documents and Settings\\smss.exe\""	SessionHostmonitorNetsavesHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\""	SessionHostmonitorNetsavesHost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\RpcNs4\sppsvc.exe	SessionHostmonitorNetsavesHost.exe
File created	C:\Windows\System32\RpcNs4\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	SessionHostmonitorNetsavesHost.exe
File created	C:\Windows\System32\RmClient\taskhost.exe	SessionHostmonitorNetsavesHost.exe
File created	C:\Windows\System32\RmClient\b75386f1303e64d8139363b71e44ac16341adf4e	SessionHostmonitorNetsavesHost.exe
File created	C:\Windows\System32\uudf\conhost.exe	SessionHostmonitorNetsavesHost.exe
File created	C:\Windows\System32\uudf\088424020bedd6b28ac7fd22ee35dcd7322895ce	SessionHostmonitorNetsavesHost.exe
File created	C:\Windows\System32\RpcNs4\sppsvc.exe	SessionHostmonitorNetsavesHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	conhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2724	schtasks.exe
2788	schtasks.exe
2712	schtasks.exe
2616	schtasks.exe
1224	schtasks.exe
2732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2780	SessionHostmonitorNetsavesHost.exe
2588	conhost.exe
2588	conhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	SessionHostmonitorNetsavesHost.exe
Token: SeDebugPrivilege	2588	conhost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1704	2368	4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323.exe	30
PID 2368 wrote to memory of 1704	2368	4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323.exe	30
PID 2368 wrote to memory of 1704	2368	4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323.exe	30
PID 2368 wrote to memory of 1704	2368	4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323.exe	30
PID 1704 wrote to memory of 1844	1704	WScript.exe	31
PID 1704 wrote to memory of 1844	1704	WScript.exe	31
PID 1704 wrote to memory of 1844	1704	WScript.exe	31
PID 1704 wrote to memory of 1844	1704	WScript.exe	31
PID 1844 wrote to memory of 2780	1844	cmd.exe	33
PID 1844 wrote to memory of 2780	1844	cmd.exe	33
PID 1844 wrote to memory of 2780	1844	cmd.exe	33
PID 1844 wrote to memory of 2780	1844	cmd.exe	33
PID 2780 wrote to memory of 2768	2780	SessionHostmonitorNetsavesHost.exe	41
PID 2780 wrote to memory of 2768	2780	SessionHostmonitorNetsavesHost.exe	41
PID 2780 wrote to memory of 2768	2780	SessionHostmonitorNetsavesHost.exe	41
PID 2768 wrote to memory of 1540	2768	cmd.exe	43
PID 2768 wrote to memory of 1540	2768	cmd.exe	43
PID 2768 wrote to memory of 1540	2768	cmd.exe	43
PID 2768 wrote to memory of 2588	2768	cmd.exe	45
PID 2768 wrote to memory of 2588	2768	cmd.exe	45
PID 2768 wrote to memory of 2588	2768	cmd.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323.exe
"C:\Users\Admin\AppData\Local\Temp\4003b5df5836f6ce600e34bb1471180d392df97d8bf451512ccb55a7545fb323.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SessionHostmonitorNet\mLzymvMiirrQOXPEyjXJ5QZUzTtHfO.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\SessionHostmonitorNet\t3VXd.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\SessionHostmonitorNet\SessionHostmonitorNetsavesHost.exe
      "C:\Users\Admin\AppData\Local\Temp\SessionHostmonitorNet\SessionHostmonitorNetsavesHost.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hTS6c9kvsv.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1540
      - C:\Windows\System32\uudf\conhost.exe
        
        "C:\Windows\System32\uudf\conhost.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\RpcNs4\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\RmClient\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\uudf\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SessionHostmonitorNetsavesHost" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\SessionHostmonitorNetsavesHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SessionHostmonitorNet\mLzymvMiirrQOXPEyjXJ5QZUzTtHfO.vbe

Filesize
207B

MD5
fe43d6574e51bfef72c4cdc63b217db5

SHA1
4f0e06ab9c15cf1aa385b6ab773d308c6e334d9d

SHA256
6c29dd00d17230a1bc450d51e2387cf502fd33956e661a8adee8057c19a6d7dc

SHA512
053e00973ba2f04ff3db1b33f9129288123c5ba209c8c28082d111607bdb599dad385db881d7898e45826a455d35fabc396b1925d31359066a5924e339162a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\SessionHostmonitorNet\t3VXd.bat

Filesize
65B

MD5
3d340aff29db3e924132c091f33d802b

SHA1
58c02b709a43b3548227fac0765e706cdbb2f5a7

SHA256
931b38c3661c01a98f5e0c1a1723d846b32bf3911a2780e5398994605dde3c41

SHA512
afbe5c7647bd758aaf625859988b0e4166b36db48890acae768f9d795d3497a289b4fb427dacef09872b99006652f4b0ab03bf42bd27612e89f4b3917684b5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hTS6c9kvsv.bat

Filesize
200B

MD5
a7599c31b6afe3577c5546418fc7e4d5

SHA1
051650c065b2c341ef7bb3f5396e1f200de76f65

SHA256
5a198b70030359fada90d477045b87dd1337bf1166c1e35843543ef659caef66

SHA512
1ff3ce5af37968f3d8821910f5f3d1075613281e6ef12b2756ce41ed3c758ae429ddd5c6a1201824b952aa846f99e1317dab3675472874cc9e647ae83639e002

Download Submit
\Users\Admin\AppData\Local\Temp\SessionHostmonitorNet\SessionHostmonitorNetsavesHost.exe

Filesize
615KB

MD5
e915469eca8f027672aedc6241ab4ea4

SHA1
4a28d6a2eafad121f47c118866da6ee9de2a6829

SHA256
f086f15de0d2fba478956f12f96d5a5f11f7ad0048a3ea694d226e062f4b99cf

SHA512
5889f84f0043c293dd74f5d8e859575317a93a823ccd1b7295dd70e7d1ea4354b282da7c69692e37de797fde705118455232244acba2f64d22d28172fd6a22db

Download Submit
memory/2588-33-0x00000000008F0000-0x0000000000990000-memory.dmp

Filesize
640KB

Download
memory/2588-36-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2588-35-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2588-37-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2588-39-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2588-38-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2588-34-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2780-13-0x0000000000F00000-0x0000000000FA0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads