dcrat | 94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd

General

Target

6f3b935175a44298f056598daefd8f4a.exe
Size

2.6MB
MD5

6f3b935175a44298f056598daefd8f4a
SHA1

df49fbdec3d0c697da73ca8d2925522114325e1f
SHA256

94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd
SHA512

ed1346f979b017ec6b04dc6bdb7645c06975c78a8ddcc2fb97b9447aae65eb102403b20279957336112d4c93e7163803086a9ce6d38370d24f9328c704059a2e
SSDEEP

49152:PbA3phxcymVOgnOPsopuCiTsAqKl4iLPuqaLiUDVgZ1jAMLhN:PbYcfVOZEqiTKKl42aLpgZ1jjj

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	3656	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	3656	schtasks.exe	94

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b83-20.dat	dcrat
behavioral2/memory/3376-22-0x0000000000040000-0x0000000000292000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Mscontainerprovider.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	6f3b935175a44298f056598daefd8f4a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
3376	Mscontainerprovider.exe
2684	spoolsv.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\f3b6ecef712a24	Mscontainerprovider.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\sppsvc.exe	Mscontainerprovider.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\sppsvc.exe	Mscontainerprovider.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\0a1fd5f707cd16	Mscontainerprovider.exe
File created	C:\Program Files\Windows Photo Viewer\spoolsv.exe	Mscontainerprovider.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f3b935175a44298f056598daefd8f4a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	6f3b935175a44298f056598daefd8f4a.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3196	schtasks.exe
920	schtasks.exe
1368	schtasks.exe
2472	schtasks.exe
4700	schtasks.exe
3888	schtasks.exe
2488	schtasks.exe
1488	schtasks.exe
1608	schtasks.exe
4664	schtasks.exe
4820	schtasks.exe
1720	schtasks.exe
404	schtasks.exe
1832	schtasks.exe
4092	schtasks.exe
4328	schtasks.exe
3092	schtasks.exe
5112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3376	Mscontainerprovider.exe
3376	Mscontainerprovider.exe
3376	Mscontainerprovider.exe
3376	Mscontainerprovider.exe
3376	Mscontainerprovider.exe
3376	Mscontainerprovider.exe
3376	Mscontainerprovider.exe
2684	spoolsv.exe
2684	spoolsv.exe
2684	spoolsv.exe
2684	spoolsv.exe
2684	spoolsv.exe
2684	spoolsv.exe
2684	spoolsv.exe
2684	spoolsv.exe
2684	spoolsv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2684	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3376	Mscontainerprovider.exe
Token: SeDebugPrivilege	2684	spoolsv.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 1272	692	6f3b935175a44298f056598daefd8f4a.exe	82
PID 692 wrote to memory of 1272	692	6f3b935175a44298f056598daefd8f4a.exe	82
PID 692 wrote to memory of 1272	692	6f3b935175a44298f056598daefd8f4a.exe	82
PID 692 wrote to memory of 1612	692	6f3b935175a44298f056598daefd8f4a.exe	83
PID 692 wrote to memory of 1612	692	6f3b935175a44298f056598daefd8f4a.exe	83
PID 692 wrote to memory of 1612	692	6f3b935175a44298f056598daefd8f4a.exe	83
PID 692 wrote to memory of 1028	692	6f3b935175a44298f056598daefd8f4a.exe	84
PID 692 wrote to memory of 1028	692	6f3b935175a44298f056598daefd8f4a.exe	84
PID 692 wrote to memory of 1028	692	6f3b935175a44298f056598daefd8f4a.exe	84
PID 1028 wrote to memory of 4444	1028	cmd.exe	87
PID 1028 wrote to memory of 4444	1028	cmd.exe	87
PID 1028 wrote to memory of 4444	1028	cmd.exe	87
PID 1272 wrote to memory of 4508	1272	WScript.exe	88
PID 1272 wrote to memory of 4508	1272	WScript.exe	88
PID 1272 wrote to memory of 4508	1272	WScript.exe	88
PID 4508 wrote to memory of 3376	4508	cmd.exe	90
PID 4508 wrote to memory of 3376	4508	cmd.exe	90
PID 3376 wrote to memory of 2684	3376	Mscontainerprovider.exe	113
PID 3376 wrote to memory of 2684	3376	Mscontainerprovider.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6f3b935175a44298f056598daefd8f4a.exe
"C:\Users\Admin\AppData\Local\Temp\6f3b935175a44298f056598daefd8f4a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\HypercomwebsavesCommon\06TRX2vp5EEa5LRO2qIvamDAISMSY.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\HypercomwebsavesCommon\qBJRRaMx8bIHubO.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\HypercomwebsavesCommon\Mscontainerprovider.exe
      "C:\HypercomwebsavesCommon\Mscontainerprovider.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3376
    - - C:\Program Files\Windows Photo Viewer\spoolsv.exe
        
        "C:\Program Files\Windows Photo Viewer\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\HypercomwebsavesCommon\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\HypercomwebsavesCommon\r2mekDnwHuGTXInEFmE.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\HypercomwebsavesCommon\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\HypercomwebsavesCommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\HypercomwebsavesCommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\HypercomwebsavesCommon\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\HypercomwebsavesCommon\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\HypercomwebsavesCommon\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HypercomwebsavesCommon\06TRX2vp5EEa5LRO2qIvamDAISMSY.vbe

Filesize
214B

MD5
f1d16665ffd0f6c105eb6959fe8191e8

SHA1
306ffa126b9323b3cf6eec31d266510898ddd6b4

SHA256
5fa7ef03d5257c7deb9ea12f21f4ff5886dbd667d44b28aaffcf9ff070e9da32

SHA512
6ce173fe645e5a05a4c02da4b7b67c612867f234e6e0a14f20ef016d5bc2e0b7dc33766dffd98fc62f1fe357a8797486b9dbd198375cf801d4ec2231745cbadf

Download Submit
C:\HypercomwebsavesCommon\Mscontainerprovider.exe

Filesize
2.3MB

MD5
d53b913a47de930d631538231afc9f89

SHA1
565818c582c9e8a1ae576111086379c569b5a557

SHA256
dfd113a21fa8c15314f5873a2657d6fc698d6e7678f09ffe0755d81e01f422fd

SHA512
b1b983139fbe41dcf17171cbb1978d8627347ee532d1b71e33330da4da57f1d096f8f807d3285256b158da73e2c5398d84f803c473196f4efde503d9a9bbbe87

Download Submit
C:\HypercomwebsavesCommon\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\HypercomwebsavesCommon\qBJRRaMx8bIHubO.bat

Filesize
51B

MD5
e6f650718077366b66c45793bf847aba

SHA1
053549a3540eb20fed7b618f899313ec8b36f7f9

SHA256
e75e8150eef010f32b581e9bb62b3ff17eda9302452252954ccf0822bfa38a1b

SHA512
99c82b2eec28d6c4c91e73c2bf8af1a6ee81234a5f57a5d53644b2bd2c6869f6b0a076bf45a4517f97a58f0974891c4fa5a69d5de09759efb256aa5fa2861814

Download Submit
C:\HypercomwebsavesCommon\r2mekDnwHuGTXInEFmE.bat

Filesize
12B

MD5
cde09bcdf5fde1e2eac52c0f93362b79

SHA1
7a0fd90576e08807bde2cc57bcf9854bbce05fe3

SHA256
7592a3326e8f8297547f8c170b96b8aa8f5234027fd76593841a6574f098759c

SHA512
0c3dc6a9d88ac98ee08a6aac028a1cf72e6d736227d36904a9daec84b30c2fccfd57a41daa4d73384bb91339482e98e226578eb0d87c958c2bfd2353181b680b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C8D3.tmp

Filesize
580B

MD5
bc8a671eb6ea3053728727ef5bbad819

SHA1
29f773fbfd0bf8b1add41b7fbc331e0442b5552a

SHA256
e6efe789db8812bf9030f40f3d69808338a9477e4979bac4c524d638da7c29e2

SHA512
094235b2f2015525a735fa960c87fd3d1b58280648ef28a8071feb430065971c82d81658e8e49fc0a1d85a69acee24c9d26c31f6196a70eaba0db3ba33ee579c

Download Submit
memory/2684-56-0x00000000012A0000-0x00000000012B2000-memory.dmp

Filesize
72KB

Download
memory/3376-25-0x000000001B400000-0x000000001B416000-memory.dmp

Filesize
88KB

Download
memory/3376-26-0x000000001B4A0000-0x000000001B4F6000-memory.dmp

Filesize
344KB

Download
memory/3376-24-0x000000001B450000-0x000000001B4A0000-memory.dmp

Filesize
320KB

Download
memory/3376-27-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/3376-30-0x000000001AEA0000-0x000000001AEA8000-memory.dmp

Filesize
32KB

Download
memory/3376-29-0x00000000024B0000-0x00000000024BE000-memory.dmp

Filesize
56KB

Download
memory/3376-28-0x000000001BD20000-0x000000001C248000-memory.dmp

Filesize
5.2MB

Download
memory/3376-31-0x000000001B440000-0x000000001B448000-memory.dmp

Filesize
32KB

Download
memory/3376-23-0x0000000000A80000-0x0000000000A9C000-memory.dmp

Filesize
112KB

Download
memory/3376-22-0x0000000000040000-0x0000000000292000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads