dcrat | cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07

General

Target

cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Size

682KB
MD5

e5e4996e98303646d51296cd1a292e8d
SHA1

d023ebe75fb01aa822f3788765be68108b3197df
SHA256

cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07
SHA512

57f5299aeefa22032c9e7df3d1c39d1a33504c1ec1ea5c80bf7fbf8b78042b9bfcae81155fcbfed24e7b9a603b960b2285872765b4c2dbed1bda6aa8e3db4ca3
SSDEEP

12288:hqnO3mwJNoGFAgHCRvp1i/fjqJRYFInDrX/xTU3JgXDV6blx1wgtra7B+:h+O3mwJnCRvEMxnDVSwgYc

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	848	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1812-1-0x0000000001250000-0x0000000001302000-memory.dmp	dcrat
behavioral1/files/0x00050000000193f8-17.dat	dcrat
behavioral1/files/0x00090000000194d4-66.dat	dcrat
behavioral1/files/0x00060000000194a7-78.dat	dcrat
behavioral1/memory/1844-88-0x0000000000AF0000-0x0000000000BA2000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1844	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Kno5025\\cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe\""	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wmsetup\\cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe\""	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\System32\\hr-HR\\OSPPSVC.exe\""	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\Theme Effects\\services.exe\""	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\PLA\\Templates\\smss.exe\""	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\hr-HR\OSPPSVC.exe	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
File created	C:\Windows\System32\hr-HR\1610b97d3ab4a74cd8ae104b51bea7bfcc5b9c6f	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
File opened for modification	C:\Windows\System32\hr-HR\RCXCC3B.tmp	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
File opened for modification	C:\Windows\System32\hr-HR\RCXCC3C.tmp	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
File opened for modification	C:\Windows\System32\hr-HR\OSPPSVC.exe	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\RCXCEAE.tmp	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\services.exe	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\services.exe	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\RCXCE3F.tmp	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\PLA\Templates\69ddcba757bf72f7d36c464c71f42baab150b2b9	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
File opened for modification	C:\Windows\PLA\Templates\RCXD12E.tmp	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
File opened for modification	C:\Windows\PLA\Templates\RCXD19C.tmp	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
File opened for modification	C:\Windows\PLA\Templates\smss.exe	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
File created	C:\Windows\PLA\Templates\smss.exe	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2704	schtasks.exe
2176	schtasks.exe
376	schtasks.exe
824	schtasks.exe
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1812	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
1844	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Token: SeDebugPrivilege	1844	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1844	1812	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe	37
PID 1812 wrote to memory of 1844	1812	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe	37
PID 1812 wrote to memory of 1844	1812	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe	37

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
"C:\Users\Admin\AppData\Local\Temp\cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1812
- C:\Users\Admin\AppData\Local\Temp\Kno5025\cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe
  "C:\Users\Admin\AppData\Local\Temp\Kno5025\cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Kno5025\cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\wmsetup\cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\System32\hr-HR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\services.exe

Filesize
682KB

MD5
becd8205763ebc639078fc7615e3355f

SHA1
06173a69ca345a33fa9a93540250be604554c354

SHA256
65d9a237528cbd6698a15cfb05411f07207b17ea133dfff132d487f4dedfb694

SHA512
67b32d4eec07fab000d544d0d12c0455e0054b5f4448de46db186d113841c5e84b7d531c75c2e4542a2fbc6135e7137c8e905110a38196ed863772f7c544509d

Download Submit
C:\Windows\PLA\Templates\smss.exe

Filesize
682KB

MD5
e5e4996e98303646d51296cd1a292e8d

SHA1
d023ebe75fb01aa822f3788765be68108b3197df

SHA256
cacc2bcd375c4f4705b4b445eef937f7534600d7e39bc8d497e6b36a2f0c6a07

SHA512
57f5299aeefa22032c9e7df3d1c39d1a33504c1ec1ea5c80bf7fbf8b78042b9bfcae81155fcbfed24e7b9a603b960b2285872765b4c2dbed1bda6aa8e3db4ca3

Download Submit
C:\Windows\PLA\Templates\smss.exe

Filesize
682KB

MD5
fdd7f11c7522650208837ccddb359f72

SHA1
b0938e1567d95eaec53370d245d6f108ceaaf260

SHA256
a869f04c2ee91e5aac0528fad920de392bc78f494a980ac6682d7c3b442a04f7

SHA512
0317f97e314b1d3c2b6ac9ffac5e7649b48f440752296a55c81c2d34d758e049e37416ee8da8e42e22900899b8b4f021fae89efcc8623edfcea4f1d81429c31d

Download Submit
memory/1812-3-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/1812-4-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/1812-5-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/1812-6-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/1812-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1812-8-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/1812-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/1812-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-1-0x0000000001250000-0x0000000001302000-memory.dmp

Filesize
712KB

Download
memory/1812-89-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1844-88-0x0000000000AF0000-0x0000000000BA2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads