dcrat | b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04

General

Target

b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Size

912KB
MD5

ce162876a4c72ca0da4b96a16a5833ac
SHA1

c1e7998c66f153719672bbd1e7fe6103a12869c2
SHA256

b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04
SHA512

1fe9474a4bfd6a4a74f8e4db88e4719ad6b1aa0a4efafc12e29a207ebc969284c96a276ad06e44ccd91f8f260f7e076c4b1a8d4504dd0ebd0d9017dbde1c4cd6
SSDEEP

24576:Sa3x1VStiA7iw63VboDAJDyL+qq+aWTIN+4e:Rswq63IEUj

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2760	schtasks.exe	31

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2844-1-0x0000000000050000-0x000000000013C000-memory.dmp	dcrat
behavioral1/files/0x000500000001927a-11.dat	dcrat
behavioral1/memory/1556-31-0x0000000000C80000-0x0000000000D6C000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1556	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wmsetup\\b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDUGHR1\\spoolsv.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\taskhost.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\msg711\\wininit.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\wmdmlog\\smss.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\tapilua\\lsass.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\lsass.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Uninstall Information\\sppsvc.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\PortableDeviceStatus\\taskhost.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\C_949\\sppsvc.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\C_949\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\wmdmlog\smss.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\wmdmlog\69ddcba757bf72f7d36c464c71f42baab150b2b9	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\msg711\560854153607923c4c5f107085a7db67be01f252	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\PortableDeviceStatus\b75386f1303e64d8139363b71e44ac16341adf4e	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\C_949\sppsvc.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\PortableDeviceStatus\taskhost.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\tapilua\lsass.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\tapilua\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\KBDUGHR1\spoolsv.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\KBDUGHR1\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\msg711\wininit.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\lsass.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\lsass.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Program Files (x86)\Uninstall Information\sppsvc.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Program Files (x86)\Uninstall Information\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\b75386f1303e64d8139363b71e44ac16341adf4e	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2564	schtasks.exe
532	schtasks.exe
2600	schtasks.exe
2640	schtasks.exe
2408	schtasks.exe
2012	schtasks.exe
2848	schtasks.exe
2748	schtasks.exe
1892	schtasks.exe
2288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2844	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
1556	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Token: SeDebugPrivilege	1556	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1620	2844	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe	42
PID 2844 wrote to memory of 1620	2844	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe	42
PID 2844 wrote to memory of 1620	2844	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe	42
PID 1620 wrote to memory of 1160	1620	cmd.exe	44
PID 1620 wrote to memory of 1160	1620	cmd.exe	44
PID 1620 wrote to memory of 1160	1620	cmd.exe	44
PID 1620 wrote to memory of 1556	1620	cmd.exe	45
PID 1620 wrote to memory of 1556	1620	cmd.exe	45
PID 1620 wrote to memory of 1556	1620	cmd.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
"C:\Users\Admin\AppData\Local\Temp\b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HnZmGZYbrU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\wmsetup\b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
    "C:\Users\Admin\AppData\Local\Temp\wmsetup\b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\wmsetup\b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\KBDUGHR1\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\msg711\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\PortableDeviceStatus\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\C_949\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\wmdmlog\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\tapilua\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\taskhost.exe

Filesize
912KB

MD5
ce162876a4c72ca0da4b96a16a5833ac

SHA1
c1e7998c66f153719672bbd1e7fe6103a12869c2

SHA256
b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04

SHA512
1fe9474a4bfd6a4a74f8e4db88e4719ad6b1aa0a4efafc12e29a207ebc969284c96a276ad06e44ccd91f8f260f7e076c4b1a8d4504dd0ebd0d9017dbde1c4cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HnZmGZYbrU.bat

Filesize
274B

MD5
3b122d058441848a06abe3ee4229f02a

SHA1
24ba34d84e22a2fdc46920b50403240d10cb8aab

SHA256
e7d8598619db2dc4cf4322279ed743e1e244ad7dd53c006d3972a1dd30e1428e

SHA512
ec5215ff23f49c9433d6a96f1b9922107f5acc546cba005ed617891978ddf3407a40d87d0422e9ce06d0afe7f4149cb462506ea15afb70286afc70a9538773b6

Download Submit
memory/1556-31-0x0000000000C80000-0x0000000000D6C000-memory.dmp

Filesize
944KB

Download
memory/2844-0-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

Filesize
4KB

Download
memory/2844-1-0x0000000000050000-0x000000000013C000-memory.dmp

Filesize
944KB

Download
memory/2844-2-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2844-27-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads