dcrat | b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04

General

Target

b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Size

912KB
MD5

ce162876a4c72ca0da4b96a16a5833ac
SHA1

c1e7998c66f153719672bbd1e7fe6103a12869c2
SHA256

b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04
SHA512

1fe9474a4bfd6a4a74f8e4db88e4719ad6b1aa0a4efafc12e29a207ebc969284c96a276ad06e44ccd91f8f260f7e076c4b1a8d4504dd0ebd0d9017dbde1c4cd6
SSDEEP

24576:Sa3x1VStiA7iw63VboDAJDyL+qq+aWTIN+4e:Rswq63IEUj

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4088	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	4088	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	4088	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	4088	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	4088	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	4088	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4088	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/428-1-0x00000000007A0000-0x000000000088C000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b95-14.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exeb868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid	Process
4728	winlogon.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exeb868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\KBDYAK\\dllhost.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\APHostRes\\winlogon.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\mavinject\\dwm.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\csrss.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\KBDTIPRC\\backgroundTaskHost.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\ksproxy\\taskhostw.exe\""	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

Drops file in System32 directory 11 IoCs

Processes:

b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exeb868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

description	ioc	Process
File created	C:\Windows\System32\mavinject\dwm.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\mavinject\6cb0b6c459d5d3455a3da700e713f2e2529862ff	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\KBDTIPRC\backgroundTaskHost.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\KBDTIPRC\eddb19405b7ce1152b3e19997f2b467f0b72b3d3	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\KBDYAK\dllhost.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File opened for modification	C:\Windows\System32\KBDYAK\dllhost.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\KBDYAK\5940a34987c99120d96dace90a3f93f329dcad63	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\ksproxy\taskhostw.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\ksproxy\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\APHostRes\winlogon.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\System32\APHostRes\cc11b995f2a76da408ea6a601e682e64743153ad	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

Drops file in Program Files directory 3 IoCs

Processes:

b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\886983d96e3d3e31032c679b2d4ea91b6c05afef	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

Drops file in Windows directory 2 IoCs

Processes:

b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\SearchApp.exe	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\38384e6a620884a6b69bcc56f80d556f9200171c	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
3752	schtasks.exe
4612	schtasks.exe
4616	schtasks.exe
224	schtasks.exe
4784	schtasks.exe
3264	schtasks.exe
2404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exeb868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exewinlogon.exe

pid	Process
428	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
3808	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
4728	winlogon.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exeb868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exewinlogon.exe

description	pid	Process
Token: SeDebugPrivilege	428	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Token: SeDebugPrivilege	3808	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
Token: SeDebugPrivilege	4728	winlogon.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exeb868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.execmd.exe

description	pid	Process	procid_target
PID 428 wrote to memory of 3808	428	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe	87
PID 428 wrote to memory of 3808	428	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe	87
PID 3808 wrote to memory of 2876	3808	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe	92
PID 3808 wrote to memory of 2876	3808	b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe	92
PID 2876 wrote to memory of 2372	2876	cmd.exe	94
PID 2876 wrote to memory of 2372	2876	cmd.exe	94
PID 2876 wrote to memory of 4728	2876	cmd.exe	100
PID 2876 wrote to memory of 4728	2876	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
"C:\Users\Admin\AppData\Local\Temp\b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428
- C:\Users\Admin\AppData\Local\Temp\b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe
  "C:\Users\Admin\AppData\Local\Temp\b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kGHWSqGQto.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2372
  - - C:\Windows\System32\APHostRes\winlogon.exe
      "C:\Windows\System32\APHostRes\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\KBDTIPRC\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\ksproxy\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDYAK\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\APHostRes\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\mavinject\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04.exe.log

Filesize
1KB

MD5
b7c0c43fc7804baaa7dc87152cdc9554

SHA1
1bab62bd56af745678d4e967d91e1ccfdeed4038

SHA256
46386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457

SHA512
9fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769

Download Submit
C:\Users\Admin\AppData\Local\Temp\kGHWSqGQto.bat

Filesize
206B

MD5
b2f1d4908d340aa541f08f66af164c40

SHA1
4a9a65cc7954d96496d46a37ab889541647472de

SHA256
3c48cb6c502a0a2aa3e6d2ef04f7fb627d3bf16e8a75b0fecbdf9c40f42a3a7b

SHA512
44e976a7f7363fdf4aebf448ee955f64c0a2b85e2e2b79cd28ce581c9957374afb9e40102c62dc3e50aed5a7ab892579e46d52dcb2120407f84bc12e1c64276b

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\SearchApp.exe

Filesize
912KB

MD5
ce162876a4c72ca0da4b96a16a5833ac

SHA1
c1e7998c66f153719672bbd1e7fe6103a12869c2

SHA256
b868e4ba796b5bb6cbf37136fa41fb1cdb4c4ac05187b11df98c05b053b51e04

SHA512
1fe9474a4bfd6a4a74f8e4db88e4719ad6b1aa0a4efafc12e29a207ebc969284c96a276ad06e44ccd91f8f260f7e076c4b1a8d4504dd0ebd0d9017dbde1c4cd6

Download Submit
memory/428-0-0x00007FFD82373000-0x00007FFD82375000-memory.dmp

Filesize
8KB

Download
memory/428-1-0x00000000007A0000-0x000000000088C000-memory.dmp

Filesize
944KB

Download
memory/428-4-0x00007FFD82370000-0x00007FFD82E31000-memory.dmp

Filesize
10.8MB

Download
memory/428-11-0x00007FFD82370000-0x00007FFD82E31000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads