dcrat | 05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077

General

Target

05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
Size

828KB
MD5

deb7ba77dcf2e54fb23d1a9b0e51088d
SHA1

6468abad160c22594fc014d948963ba4a8565074
SHA256

05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077
SHA512

18cedb50ceab47fed77100586bbb68692d82e4d3afe59815e0fb0d7c88677362756d2bcdc3003f0e6e1b2a3edff36ac450a9864d4d64ef5218612bc86e538de2
SSDEEP

12288:GKLmyuewe+aR5pDIBqIBpoAmxkPnGZKYKvwdUyBWwKoX6t:GoBuQ+I5p5qpLhu33BWwXqt

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2264	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2540-1-0x0000000001300000-0x00000000013D6000-memory.dmp	dcrat
behavioral1/files/0x000500000001a41e-11.dat	dcrat
behavioral1/memory/1284-27-0x00000000011C0000-0x0000000001296000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1284	OSPPSVC.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\winlogon.exe	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Program Files\DVD Maker\es-ES\csrss.exe	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Program Files (x86)\Uninstall Information\6ccacd8608530f	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\7a0fd90576e088	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Program Files\Uninstall Information\winlogon.exe	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Program Files\Uninstall Information\cc11b995f2a76d	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Program Files\DVD Maker\es-ES\886983d96e3d3e	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Program Files (x86)\Uninstall Information\Idle.exe	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\lsass.exe	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Windows\es-ES\6203df4a6bafc7	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2924	schtasks.exe
2084	schtasks.exe
2884	schtasks.exe
2824	schtasks.exe
2864	schtasks.exe
2152	schtasks.exe
1340	schtasks.exe
2604	schtasks.exe
1244	schtasks.exe
2744	schtasks.exe
2788	schtasks.exe
2656	schtasks.exe
2184	schtasks.exe
384	schtasks.exe
1952	schtasks.exe
1600	schtasks.exe
2916	schtasks.exe
2256	schtasks.exe
2756	schtasks.exe
2860	schtasks.exe
2980	schtasks.exe
2880	schtasks.exe
1424	schtasks.exe
1468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2540	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
2540	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
2540	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
1284	OSPPSVC.exe
1284	OSPPSVC.exe
1284	OSPPSVC.exe
1284	OSPPSVC.exe
1284	OSPPSVC.exe
1284	OSPPSVC.exe
1284	OSPPSVC.exe
1284	OSPPSVC.exe
1284	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
Token: SeDebugPrivilege	1284	OSPPSVC.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1572	2540	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe	55
PID 2540 wrote to memory of 1572	2540	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe	55
PID 2540 wrote to memory of 1572	2540	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe	55
PID 1572 wrote to memory of 1420	1572	cmd.exe	57
PID 1572 wrote to memory of 1420	1572	cmd.exe	57
PID 1572 wrote to memory of 1420	1572	cmd.exe	57
PID 1572 wrote to memory of 1284	1572	cmd.exe	58
PID 1572 wrote to memory of 1284	1572	cmd.exe	58
PID 1572 wrote to memory of 1284	1572	cmd.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
"C:\Users\Admin\AppData\Local\Temp\05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RZ53OVoIdY.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1420
- - C:\Users\Admin\Start Menu\OSPPSVC.exe
    "C:\Users\Admin\Start Menu\OSPPSVC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Start Menu\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RZ53OVoIdY.bat

Filesize
202B

MD5
cfa2aebfd66d410b789870ca4b243802

SHA1
931bcc0742ff0634d51946032ad0f2df5b1a54d2

SHA256
49ae2b61a79d677d56eef4a855e456c00b31e56485cd7ea2d10a3ac7ebbcb46b

SHA512
b91bbefe84bc87ca9ef6cc3e1b56acd92ec59f6065433093534e8e589041652a29fa6455167a19d211cadce5ede31a90e8ae79ba4d0aa3c44df4857f20db7d90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\OSPPSVC.exe

Filesize
828KB

MD5
deb7ba77dcf2e54fb23d1a9b0e51088d

SHA1
6468abad160c22594fc014d948963ba4a8565074

SHA256
05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077

SHA512
18cedb50ceab47fed77100586bbb68692d82e4d3afe59815e0fb0d7c88677362756d2bcdc3003f0e6e1b2a3edff36ac450a9864d4d64ef5218612bc86e538de2

Download Submit
memory/1284-27-0x00000000011C0000-0x0000000001296000-memory.dmp

Filesize
856KB

Download
memory/2540-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/2540-1-0x0000000001300000-0x00000000013D6000-memory.dmp

Filesize
856KB

Download
memory/2540-2-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-24-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads