dcrat | a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f

General

Target

a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe
Size

829KB
MD5

c1e4e11944792099b0b4b025a0cb73ce
SHA1

cb597d2428f984adb899629110c219a6c52bdb1b
SHA256

a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f
SHA512

6c10e3dd49f5f88d5c330558841f90a449272df6eb6b5e8da518d1428b8b700865c2e33d5f83276c423b7876fd5e489a019a09ba97eed7e28413acaa6155806e
SSDEEP

24576:b3eblFYt2e9esxtDyVjD7D1NauFd3YP+ow7h:b2rejxtDydhck

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1464	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1464	schtasks.exe	31

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2896-1-0x0000000000210000-0x00000000002E6000-memory.dmp	dcrat
behavioral1/files/0x0005000000019234-11.dat	dcrat
behavioral1/memory/1980-25-0x00000000008C0000-0x0000000000996000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1980	Idle.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\taskhost.exe	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\b75386f1303e64	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe
File created	C:\Program Files\MSBuild\Idle.exe	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe
File created	C:\Program Files\MSBuild\6ccacd8608530f	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\ja-JP\a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe
File created	C:\Windows\DigitalLocker\ja-JP\e41476e6dc6923	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe
File created	C:\Windows\SchCache\audiodg.exe	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe
File created	C:\Windows\SchCache\42af1c969fbb7b	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe
File created	C:\Windows\L2Schemas\csrss.exe	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe
File opened for modification	C:\Windows\L2Schemas\csrss.exe	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe
File created	C:\Windows\L2Schemas\886983d96e3d3e	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1924	schtasks.exe
2024	schtasks.exe
568	schtasks.exe
2856	schtasks.exe
2580	schtasks.exe
1156	schtasks.exe
2564	schtasks.exe
2780	schtasks.exe
2612	schtasks.exe
2632	schtasks.exe
2884	schtasks.exe
1964	schtasks.exe
804	schtasks.exe
2932	schtasks.exe
1900	schtasks.exe
1376	schtasks.exe
108	schtasks.exe
2724	schtasks.exe
1148	schtasks.exe
2712	schtasks.exe
2652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2896	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe
1980	Idle.exe
1980	Idle.exe
1980	Idle.exe
1980	Idle.exe
1980	Idle.exe
1980	Idle.exe
1980	Idle.exe
1980	Idle.exe
1980	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1980	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe
Token: SeDebugPrivilege	1980	Idle.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2468	2896	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe	53
PID 2896 wrote to memory of 2468	2896	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe	53
PID 2896 wrote to memory of 2468	2896	a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe	53
PID 2468 wrote to memory of 1220	2468	cmd.exe	55
PID 2468 wrote to memory of 1220	2468	cmd.exe	55
PID 2468 wrote to memory of 1220	2468	cmd.exe	55
PID 2468 wrote to memory of 1980	2468	cmd.exe	56
PID 2468 wrote to memory of 1980	2468	cmd.exe	56
PID 2468 wrote to memory of 1980	2468	cmd.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe
"C:\Users\Admin\AppData\Local\Temp\a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r0wdLKtTtN.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1220
- - C:\Program Files\MSBuild\Idle.exe
    "C:\Program Files\MSBuild\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47fa" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\ja-JP\a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\ja-JP\a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47fa" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\ja-JP\a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\SchCache\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\explorer.exe

Filesize
829KB

MD5
c1e4e11944792099b0b4b025a0cb73ce

SHA1
cb597d2428f984adb899629110c219a6c52bdb1b

SHA256
a67614523d94924cc7ee727899a7be4208661c3d80c8fd6e0af1e366a109b47f

SHA512
6c10e3dd49f5f88d5c330558841f90a449272df6eb6b5e8da518d1428b8b700865c2e33d5f83276c423b7876fd5e489a019a09ba97eed7e28413acaa6155806e

Download Submit
C:\Users\Admin\AppData\Local\Temp\r0wdLKtTtN.bat

Filesize
198B

MD5
a92e07c99abfc0267ae63dafd5a904f8

SHA1
e1f706624a3e0ac176bb48d35e17580b68a67519

SHA256
bf1c1da5c301b9db86794e53365d7bd9263cff3ce8b85b40b076046e7eb495cc

SHA512
96fe1c0b3fb5939c4aedfa3823abf386632e8173c3f041ae643f1e981281f1322d3f1a270f5554f4daa7bc722d97f3eec16d67ef9697f115e5b7d15d6c8d6f0b

Download Submit
memory/1980-25-0x00000000008C0000-0x0000000000996000-memory.dmp

Filesize
856KB

Download
memory/2896-0-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

Filesize
4KB

Download
memory/2896-1-0x0000000000210000-0x00000000002E6000-memory.dmp

Filesize
856KB

Download
memory/2896-2-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2896-22-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads