dcrat | 951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995

General

Target

951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Size

1.2MB
MD5

933f355a4f402ba188c67b860b0f5580
SHA1

286104343cbb8b11a8b0ae70b758345fbd6dfedb
SHA256

951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995
SHA512

cdfadc8f578e907fb3a2bcf8583adf407fba18141599213cc23940cd3afec9ae119f7aa0ea65920f0678b085c0f7bce0fc9814f5af23e5541a778f37f4b9f838
SSDEEP

24576:pw21qwzs2PGLze66eAUr9tkTSY3kuii5nRO6:pwYNVeFPkT0uii5n4

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 15 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2252	schtasks.exe
2860	schtasks.exe
2612	schtasks.exe
2972	schtasks.exe
2556	schtasks.exe
972	schtasks.exe
2552	schtasks.exe
2660	schtasks.exe
2988	schtasks.exe
584	schtasks.exe
624	schtasks.exe
2528	schtasks.exe
2872	schtasks.exe
2356	schtasks.exe
1852	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\sppsvc.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\wininit.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Windows\\Branding\\Basebrd\\en-US\\OSPPSVC.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2708	schtasks.exe	31

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2668-1-0x00000000012B0000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/files/0x00050000000194db-15.dat	dcrat
behavioral1/memory/2732-26-0x0000000000980000-0x0000000000AC0000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2732	explorer.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\sppsvc.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\sppsvc.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\explorer.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\explorer.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\Branding\\Basebrd\\en-US\\OSPPSVC.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\Branding\\Basebrd\\en-US\\OSPPSVC.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Media Player\\wininit.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Media Player\\wininit.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\""	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\56085415360792	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
File created	C:\Program Files (x86)\Windows Media Player\wininit.exe	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Branding\Basebrd\en-US\OSPPSVC.exe	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
File created	C:\Windows\Branding\Basebrd\en-US\1610b97d3ab4a7	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
972	schtasks.exe
584	schtasks.exe
2552	schtasks.exe
2528	schtasks.exe
2252	schtasks.exe
2988	schtasks.exe
1852	schtasks.exe
2872	schtasks.exe
2556	schtasks.exe
2356	schtasks.exe
624	schtasks.exe
2660	schtasks.exe
2860	schtasks.exe
2972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2668	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
2732	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
Token: SeDebugPrivilege	2732	explorer.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2040	2668	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe	47
PID 2668 wrote to memory of 2040	2668	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe	47
PID 2668 wrote to memory of 2040	2668	951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe	47
PID 2040 wrote to memory of 1444	2040	cmd.exe	49
PID 2040 wrote to memory of 1444	2040	cmd.exe	49
PID 2040 wrote to memory of 1444	2040	cmd.exe	49
PID 2040 wrote to memory of 2732	2040	cmd.exe	50
PID 2040 wrote to memory of 2732	2040	cmd.exe	50
PID 2040 wrote to memory of 2732	2040	cmd.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe
"C:\Users\Admin\AppData\Local\Temp\951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995N.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RVhpEtOzSa.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1444
- - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
    "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\Basebrd\en-US\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\Basebrd\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RVhpEtOzSa.bat

Filesize
240B

MD5
180e0d737c4a521d3dcbeabd4731f8b8

SHA1
bf565bac8e691885715b23a237b4ffd573e50719

SHA256
bc318d641886693739a8e5fa5a3752a90023e90d2e33792c3243ecce79883329

SHA512
dd41e6cdf37b22ac012a18b16bbc71b25ee79f84e7c934b3a9a256be1b8b1da680f3620ba6083d348ffdc969f66089e8f8ac6b18614be36951252c235f53634b

Download Submit
C:\Windows\Branding\Basebrd\en-US\OSPPSVC.exe

Filesize
1.2MB

MD5
933f355a4f402ba188c67b860b0f5580

SHA1
286104343cbb8b11a8b0ae70b758345fbd6dfedb

SHA256
951047a83dbf3d1fb4a554790fb8070190c6539dc4406ba0977579920397d995

SHA512
cdfadc8f578e907fb3a2bcf8583adf407fba18141599213cc23940cd3afec9ae119f7aa0ea65920f0678b085c0f7bce0fc9814f5af23e5541a778f37f4b9f838

Download Submit
memory/2668-0-0x000007FEF58C3000-0x000007FEF58C4000-memory.dmp

Filesize
4KB

Download
memory/2668-1-0x00000000012B0000-0x00000000013F0000-memory.dmp

Filesize
1.2MB

Download
memory/2668-2-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2668-5-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2668-4-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/2668-6-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/2668-22-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

Filesize
9.9MB

Download
memory/2732-26-0x0000000000980000-0x0000000000AC0000-memory.dmp

Filesize
1.2MB

Download
memory/2732-27-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads