dcrat | 7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb

General

Target

7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
Size

783KB
MD5

a01ba8b94da113abb830119dad3cfc17
SHA1

4ccd1d3ce62f864071afdc842f9f9e4b2a4ee0a7
SHA256

7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb
SHA512

35a7f30941ead4d6de05bf59193624c287ab97dc24607fb229621bbc0a3aac4102ef94dac84c2b3a088276001430c14d925e085ca788657fb81967ed7b67fe3d
SSDEEP

12288:GqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK4:G+OQbpbgsFdAyQvzSqaq8qB

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2000-1-0x0000000000CF0000-0x0000000000DBA000-memory.dmp	dcrat
behavioral2/files/0x000a000000023ba6-33.dat	dcrat
behavioral2/files/0x0011000000011960-67.dat	dcrat
behavioral2/files/0x000b000000023ba6-85.dat	dcrat
behavioral2/files/0x000c000000023b94-96.dat	dcrat
behavioral2/memory/720-98-0x00000000002D0000-0x000000000039A000-memory.dmp	dcrat

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RINTL.ar-sa\\OfficeClickToRun.exe\""	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\qcap\\dwm.exe\""	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\CIRCoInst\\dllhost.exe\""	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\lsasetup\\explorer.exe\""	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\qcap\6cb0b6c459d5d3455a3da700e713f2e2529862ff	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
File created	C:\Windows\System32\CIRCoInst\dllhost.exe	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
File created	C:\Windows\System32\CIRCoInst\5940a34987c99120d96dace90a3f93f329dcad63	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
File created	C:\Windows\System32\rtmmvrortc\RuntimeBroker.exe	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
File created	C:\Windows\System32\rtmmvrortc\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
File created	C:\Windows\System32\qcap\dwm.exe	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa\OfficeClickToRun.exe	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa\OfficeClickToRun.exe	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa\e6c9b481da804f07baff8eff543b0a1441069b5d	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\lsasetup\explorer.exe	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
File created	C:\Windows\lsasetup\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2916	schtasks.exe
3796	schtasks.exe
1084	schtasks.exe
3152	schtasks.exe
2036	schtasks.exe
4004	schtasks.exe
3516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2000	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
2000	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
2000	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
2000	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe
"C:\Users\Admin\AppData\Local\Temp\7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hsxZ7AtwBz.bat"
  2⤵
  PID:4116
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1640
- - C:\Windows\System32\qcap\dwm.exe
    "C:\Windows\System32\qcap\dwm.exe"
    3⤵
    PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\qcap\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\CIRCoInst\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\lsasetup\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\rtmmvrortc\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\internetmail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\twain_32\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hsxZ7AtwBz.bat

Filesize
196B

MD5
907cf7df10b04f3f61d4e96939f8f116

SHA1
3e124bb54165f8c21b069f18e1b025b1d024ef21

SHA256
42185fbd4e13f1c0b78199459838296c0b31a753e447e63ce84587b6e145de0a

SHA512
1e29b8e96f07e866cca4bacd57084669ac1126dcbedfb2026aafa388aaffe87dbff1e84259bb82065b70454838e2f167069df63ba433e01c5e570fb566cb88b9

Download Submit
C:\Windows\System32\qcap\dwm.exe

Filesize
783KB

MD5
4383aeb7a3482e7a8dd5e6bb8a0dd9ff

SHA1
eea3bd83c71cf729764ff0f6eee751f761c4c79d

SHA256
53dd03c36c1a8635163bc915b37c2e4b9fa67e1e877fcf38fe268deff0e24faa

SHA512
1727d1cf9457b751eebbee0ecab126410e136673c4e0dbe85819a3daeefec9bf5e05b215960a4d58dadca692f5ae5a34078149a03ce213037026e99dece981c8

Download Submit
C:\Windows\System32\rtmmvrortc\RuntimeBroker.exe

Filesize
783KB

MD5
a01ba8b94da113abb830119dad3cfc17

SHA1
4ccd1d3ce62f864071afdc842f9f9e4b2a4ee0a7

SHA256
7bdc4a94cc023cd96272ecd3d7294d01b121fce48c0a80725368c95df1a14dcb

SHA512
35a7f30941ead4d6de05bf59193624c287ab97dc24607fb229621bbc0a3aac4102ef94dac84c2b3a088276001430c14d925e085ca788657fb81967ed7b67fe3d

Download Submit
C:\Windows\lsasetup\explorer.exe

Filesize
783KB

MD5
6cb8d50e4dd746731d97972e8772e0d0

SHA1
d38429f683fb540c044e51e1a11a7d16cc16434f

SHA256
ee7d5e44c38ccd50a44612e4642bf6ea9b537f28aa71983756d3af28475006c8

SHA512
351da69f81a4f346f430a2832c5c18658627beaa72d16d33b4f3867161526d3049310071d85c8e3011d373ce0c9422aff7791a44a7a767ff14a50dcb3c5e5f37

Download Submit
C:\Windows\twain_32\RCX9AEF.tmp

Filesize
783KB

MD5
efd24089c825c314364efac40a5ba632

SHA1
df9acc3f255d6072bc01a01e1dd71153194c98a7

SHA256
d54addb370e232830efe1d8b4467ffc99fc736719e0f924440a1036b3cd81bfb

SHA512
501f38af58f6c9a57ebf267aaad6143f2b77309ed74576fc9739af7bbb8610869a27fa417dfcf364d21d3a92d47ae41ba0e1d04106774db093305d134362584e

Download Submit
memory/720-98-0x00000000002D0000-0x000000000039A000-memory.dmp

Filesize
808KB

Download
memory/2000-13-0x0000000002FA0000-0x0000000002FA8000-memory.dmp

Filesize
32KB

Download
memory/2000-10-0x0000000002F80000-0x0000000002F88000-memory.dmp

Filesize
32KB

Download
memory/2000-21-0x0000000003160000-0x000000000316C000-memory.dmp

Filesize
48KB

Download
memory/2000-42-0x00007FFF15560000-0x00007FFF16021000-memory.dmp

Filesize
10.8MB

Download
memory/2000-19-0x0000000002FE0000-0x0000000002FE8000-memory.dmp

Filesize
32KB

Download
memory/2000-18-0x0000000003140000-0x0000000003148000-memory.dmp

Filesize
32KB

Download
memory/2000-17-0x0000000003130000-0x0000000003138000-memory.dmp

Filesize
32KB

Download
memory/2000-16-0x0000000003120000-0x0000000003128000-memory.dmp

Filesize
32KB

Download
memory/2000-15-0x0000000003110000-0x0000000003118000-memory.dmp

Filesize
32KB

Download
memory/2000-14-0x0000000002F90000-0x0000000002F98000-memory.dmp

Filesize
32KB

Download
memory/2000-0-0x00007FFF15563000-0x00007FFF15565000-memory.dmp

Filesize
8KB

Download
memory/2000-12-0x0000000002FD0000-0x0000000002FD8000-memory.dmp

Filesize
32KB

Download
memory/2000-11-0x0000000002FC0000-0x0000000002FC8000-memory.dmp

Filesize
32KB

Download
memory/2000-26-0x00007FFF15560000-0x00007FFF16021000-memory.dmp

Filesize
10.8MB

Download
memory/2000-9-0x0000000002F70000-0x0000000002F7A000-memory.dmp

Filesize
40KB

Download
memory/2000-8-0x0000000002FB0000-0x0000000002FBA000-memory.dmp

Filesize
40KB

Download
memory/2000-6-0x0000000002F50000-0x0000000002F58000-memory.dmp

Filesize
32KB

Download
memory/2000-5-0x0000000001570000-0x0000000001580000-memory.dmp

Filesize
64KB

Download
memory/2000-4-0x0000000002F30000-0x0000000002F38000-memory.dmp

Filesize
32KB

Download
memory/2000-3-0x0000000001560000-0x0000000001568000-memory.dmp

Filesize
32KB

Download
memory/2000-2-0x00007FFF15560000-0x00007FFF16021000-memory.dmp

Filesize
10.8MB

Download
memory/2000-25-0x00007FFF15560000-0x00007FFF16021000-memory.dmp

Filesize
10.8MB

Download
memory/2000-22-0x00000000031B0000-0x00000000031B8000-memory.dmp

Filesize
32KB

Download
memory/2000-20-0x0000000003150000-0x0000000003158000-memory.dmp

Filesize
32KB

Download
memory/2000-94-0x00007FFF15560000-0x00007FFF16021000-memory.dmp

Filesize
10.8MB

Download
memory/2000-7-0x0000000002F40000-0x0000000002F4C000-memory.dmp

Filesize
48KB

Download
memory/2000-1-0x0000000000CF0000-0x0000000000DBA000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads