dcrat | 0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d

General

Target

0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Size

1.2MB
MD5

3e486391221891462495325b3bbf8b13
SHA1

c65d92a465ec8967a7fba171ac6e62f3aaae2ff0
SHA256

0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d
SHA512

066ebb9cdfe3b45f893ec031237319d49a1d323e1f928a2ffde324e718adef84bb6c397f2cc12814a069ea71106b44996abf538ac2b8bd7e456cfc3ec76138ff
SSDEEP

24576:Zrtb29jyTS6MoaS0BPXM3l9HDesNM1w3HzjM4LjvTCdPILP+4h:jb29j5jf/GB6eZLGo

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	1368	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1368	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	1368	schtasks.exe	83

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/60-1-0x00000000004B0000-0x00000000005E4000-memory.dmp	dcrat
behavioral2/files/0x000a000000023bbe-19.dat	dcrat
behavioral2/files/0x000c000000023b96-28.dat	dcrat
behavioral2/files/0x000300000001e747-51.dat	dcrat
behavioral2/files/0x000a000000023b9d-63.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

Executes dropped EXE 1 IoCs

pid	Process
3208	System.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Windows Portable Devices\\backgroundTaskHost.exe\""	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\""	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\SgrmEnclave_secure\\dllhost.exe\""	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\SgrmEnclave_secure\dllhost.exe	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File created	C:\Windows\System32\SgrmEnclave_secure\5940a34987c99120d96dace90a3f93f329dcad63	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File opened for modification	C:\Windows\System32\SgrmEnclave_secure\RCXA5DB.tmp	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File opened for modification	C:\Windows\System32\SgrmEnclave_secure\RCXA649.tmp	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File opened for modification	C:\Windows\System32\SgrmEnclave_secure\dllhost.exe	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File opened for modification	C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File created	C:\Program Files\Windows Portable Devices\eddb19405b7ce1152b3e19997f2b467f0b72b3d3	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXA162.tmp	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXA1D1.tmp	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2500	schtasks.exe
3292	schtasks.exe
4016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
60	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
60	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
60	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
60	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
60	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
3208	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	60	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Token: SeDebugPrivilege	3208	System.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 2328	60	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe	88
PID 60 wrote to memory of 2328	60	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe	88
PID 2328 wrote to memory of 4948	2328	cmd.exe	90
PID 2328 wrote to memory of 4948	2328	cmd.exe	90
PID 2328 wrote to memory of 3208	2328	cmd.exe	92
PID 2328 wrote to memory of 3208	2328	cmd.exe	92

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
"C:\Users\Admin\AppData\Local\Temp\0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:60
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zqfZNrGfez.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4948
- - C:\Recovery\WindowsRE\System.exe
    "C:\Recovery\WindowsRE\System.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\SgrmEnclave_secure\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe

Filesize
1.2MB

MD5
0d08554278a23f3477b0fdf6ad18b425

SHA1
e8601b316a356887d1c0341cdd98bf66cf517d5f

SHA256
9d0adfd825dae497b2cd9878267c7d61c2159766f3d43344bc315b78f82e3891

SHA512
e245683395a3dcb2372dca831f4ae438ff152f220ce3a3cb137e9c77f190419fe2e4db12cf1de5de8dbb7183831a5f4bcaef7c0a755b644b245df8d26f02e7a1

Download Submit
C:\Recovery\WindowsRE\System.exe

Filesize
1.2MB

MD5
3e486391221891462495325b3bbf8b13

SHA1
c65d92a465ec8967a7fba171ac6e62f3aaae2ff0

SHA256
0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d

SHA512
066ebb9cdfe3b45f893ec031237319d49a1d323e1f928a2ffde324e718adef84bb6c397f2cc12814a069ea71106b44996abf538ac2b8bd7e456cfc3ec76138ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX9F5E.tmp

Filesize
1.2MB

MD5
77760d25680549a6e33d813225f15ae0

SHA1
3ba98784170c929615f2a606c1865bbcca860140

SHA256
cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2

SHA512
6e758c1402852a2ee6c669208b491160eefb086c1b5bc52b698d9292ad933e8e71a66413e367b6f6c36f1df841e145b8ee5f06035deceba678a481279ebbcbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqfZNrGfez.bat

Filesize
196B

MD5
8bbb422c99fa4a6b8ce40c7f1f8394c0

SHA1
58adfcee84bd1c3701a96a8b74d989417be4722e

SHA256
04b977b567073943473b71d9bd5bb87441451201f87f5d5bf3c838bb92bbf6f8

SHA512
6bd9e1031a1bae07fce995686a702a1e7c71ad5702df69685ba98dc2441df9876a9a8afdd1d24d5d4cd1c05ebbc4d75ffa2aaab536a63da78b885da0d92df9ae

Download Submit
C:\Windows\System32\SgrmEnclave_secure\dllhost.exe

Filesize
1.2MB

MD5
3b8f14d7684d0d85381d77aa46d38f0d

SHA1
4f5b58fc41d9e2e6198e47ae4573feee3f1d0319

SHA256
a30e349a4cf65e738c78cb28924297e992bcd9aa43cb0fb955b9a8d4374afcab

SHA512
5f8470357afa7abe326358c426b629d83ed5d12d4eb09dc53e8c9a424e539064fe059c4e2e23b8a5fa282a82342e9277ddaa25a48827a46fcbd62a6a0ba75686

Download Submit
memory/60-3-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/60-6-0x0000000002790000-0x000000000279A000-memory.dmp

Filesize
40KB

Download
memory/60-7-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/60-8-0x000000001B1C0000-0x000000001B1CC000-memory.dmp

Filesize
48KB

Download
memory/60-4-0x0000000002760000-0x000000000276C000-memory.dmp

Filesize
48KB

Download
memory/60-5-0x0000000002780000-0x000000000278C000-memory.dmp

Filesize
48KB

Download
memory/60-0-0x00007FF998063000-0x00007FF998065000-memory.dmp

Filesize
8KB

Download
memory/60-2-0x00007FF998060000-0x00007FF998B21000-memory.dmp

Filesize
10.8MB

Download
memory/60-61-0x00007FF998060000-0x00007FF998B21000-memory.dmp

Filesize
10.8MB

Download
memory/60-1-0x00000000004B0000-0x00000000005E4000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads