dcrat | 2940b96b58506a050c9a5a26a01407e699e4e326955bbe5ea72505b392d0459e

General

Target

05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
Size

828KB
MD5

deb7ba77dcf2e54fb23d1a9b0e51088d
SHA1

6468abad160c22594fc014d948963ba4a8565074
SHA256

05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077
SHA512

18cedb50ceab47fed77100586bbb68692d82e4d3afe59815e0fb0d7c88677362756d2bcdc3003f0e6e1b2a3edff36ac450a9864d4d64ef5218612bc86e538de2
SSDEEP

12288:GKLmyuewe+aR5pDIBqIBpoAmxkPnGZKYKvwdUyBWwKoX6t:GoBuQ+I5p5qpLhu33BWwXqt

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	4072	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	4072	schtasks.exe	82

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4844-1-0x0000000000F80000-0x0000000001056000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ca9-14.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe

Executes dropped EXE 1 IoCs

pid	Process
828	services.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\appcompat\69ddcba757bf72	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Windows\debug\services.exe	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Windows\debug\c5b4cb5e9653cc	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Windows\Containers\serviced\SearchApp.exe	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Windows\Containers\serviced\38384e6a620884	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Windows\ImmersiveControlPanel\fr-FR\RuntimeBroker.exe	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
File created	C:\Windows\appcompat\smss.exe	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4288	schtasks.exe
956	schtasks.exe
624	schtasks.exe
3728	schtasks.exe
4444	schtasks.exe
2148	schtasks.exe
3340	schtasks.exe
1400	schtasks.exe
5068	schtasks.exe
4220	schtasks.exe
1228	schtasks.exe
4012	schtasks.exe
2316	schtasks.exe
2984	schtasks.exe
3672	schtasks.exe
2168	schtasks.exe
1472	schtasks.exe
5032	schtasks.exe
4712	schtasks.exe
4720	schtasks.exe
920	schtasks.exe
4896	schtasks.exe
4492	schtasks.exe
1584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4844	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
4844	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
4844	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
4796	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
828	services.exe
828	services.exe
828	services.exe
828	services.exe
828	services.exe
828	services.exe
828	services.exe
828	services.exe
828	services.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4844	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
Token: SeDebugPrivilege	4796	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
Token: SeDebugPrivilege	828	services.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4796	4844	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe	92
PID 4844 wrote to memory of 4796	4844	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe	92
PID 4796 wrote to memory of 924	4796	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe	108
PID 4796 wrote to memory of 924	4796	05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe	108
PID 924 wrote to memory of 1980	924	cmd.exe	110
PID 924 wrote to memory of 1980	924	cmd.exe	110
PID 924 wrote to memory of 828	924	cmd.exe	111
PID 924 wrote to memory of 828	924	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
"C:\Users\Admin\AppData\Local\Temp\05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Local\Temp\05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe
  "C:\Users\Admin\AppData\Local\Temp\05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EZHjxUoIyY.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1980
  - - C:\Windows\debug\services.exe
      "C:\Windows\debug\services.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Videos\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\Containers\serviced\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\Containers\serviced\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\appcompat\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\appcompat\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\appcompat\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\debug\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\My Documents\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft OneDrive\setup\upfc.exe

Filesize
828KB

MD5
deb7ba77dcf2e54fb23d1a9b0e51088d

SHA1
6468abad160c22594fc014d948963ba4a8565074

SHA256
05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077

SHA512
18cedb50ceab47fed77100586bbb68692d82e4d3afe59815e0fb0d7c88677362756d2bcdc3003f0e6e1b2a3edff36ac450a9864d4d64ef5218612bc86e538de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\EZHjxUoIyY.bat

Filesize
194B

MD5
1b8ad8f1e73176b1c86daab88a2298a9

SHA1
9f719b2f89102b724c660d94e1b49bdb3d1ae497

SHA256
e619d61373c6ff6eab67af8d1f8d4e964eb5781ea1e5a91662e410b252ee3da2

SHA512
5a5f423f1d146b7781cbc8f657821484cf5cececd65a155f43731a7f7b568572cac62d4f013d74bc33ba09c2394ec499abb0ae89979513528eb6b7430592439b

Download Submit
memory/4844-0-0x00007FFE84C83000-0x00007FFE84C85000-memory.dmp

Filesize
8KB

Download
memory/4844-1-0x0000000000F80000-0x0000000001056000-memory.dmp

Filesize
856KB

Download
memory/4844-3-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/4844-11-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads