dcrat | 6c5d017dcc6921a2b008373dca156d6ee454ed875b361c89d2cb724d20929c81

General

Target

57edc180e22c8127977a1f9852b06fa8.exe
Size

1.3MB
MD5

57edc180e22c8127977a1f9852b06fa8
SHA1

6dbe69ff678326a797c0325e34002bd19f179875
SHA256

6c5d017dcc6921a2b008373dca156d6ee454ed875b361c89d2cb724d20929c81
SHA512

86d601dda7f95e8c0cd25e9d34b68cbe5a823293f7a413fe4c15865f312c4a63a949da3442b31974a7031e68cd7a7552ec1d35b6ce9995470634de5b691b4927
SSDEEP

24576:f2G/nvxW3WcsbisnSOKkipM/zQkRRgoynn+aof:fbA3gbisnSdaQkLunXW

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	3716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	3716	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cae-10.dat	dcrat
behavioral2/memory/4748-13-0x0000000000EE0000-0x0000000000FB6000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	57edc180e22c8127977a1f9852b06fa8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	BrowserDriverhost.exe

Executes dropped EXE 2 IoCs

pid	Process
4748	BrowserDriverhost.exe
3904	WaaSMedicAgent.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\55b276f4edf653	BrowserDriverhost.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe	BrowserDriverhost.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\088424020bedd6	BrowserDriverhost.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WaaSMedicAgent.exe	BrowserDriverhost.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\22eafd247d37c3	BrowserDriverhost.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe	BrowserDriverhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WaaSMedicAgent.exe	BrowserDriverhost.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\c82b8037eab33d	BrowserDriverhost.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\TextInputHost.exe	BrowserDriverhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Sun\Java\Deployment\SearchApp.exe	BrowserDriverhost.exe
File created	C:\Windows\Sun\Java\Deployment\38384e6a620884	BrowserDriverhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57edc180e22c8127977a1f9852b06fa8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	57edc180e22c8127977a1f9852b06fa8.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5052	schtasks.exe
2304	schtasks.exe
3444	schtasks.exe
4460	schtasks.exe
2172	schtasks.exe
2404	schtasks.exe
4248	schtasks.exe
1460	schtasks.exe
844	schtasks.exe
396	schtasks.exe
4400	schtasks.exe
4244	schtasks.exe
688	schtasks.exe
4600	schtasks.exe
4840	schtasks.exe
2280	schtasks.exe
3312	schtasks.exe
3912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4748	BrowserDriverhost.exe
4748	BrowserDriverhost.exe
4748	BrowserDriverhost.exe
3904	WaaSMedicAgent.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	BrowserDriverhost.exe
Token: SeDebugPrivilege	3904	WaaSMedicAgent.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 1356	2676	57edc180e22c8127977a1f9852b06fa8.exe	83
PID 2676 wrote to memory of 1356	2676	57edc180e22c8127977a1f9852b06fa8.exe	83
PID 2676 wrote to memory of 1356	2676	57edc180e22c8127977a1f9852b06fa8.exe	83
PID 1356 wrote to memory of 3884	1356	WScript.exe	90
PID 1356 wrote to memory of 3884	1356	WScript.exe	90
PID 1356 wrote to memory of 3884	1356	WScript.exe	90
PID 3884 wrote to memory of 4748	3884	cmd.exe	92
PID 3884 wrote to memory of 4748	3884	cmd.exe	92
PID 4748 wrote to memory of 3904	4748	BrowserDriverhost.exe	111
PID 4748 wrote to memory of 3904	4748	BrowserDriverhost.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\57edc180e22c8127977a1f9852b06fa8.exe
"C:\Users\Admin\AppData\Local\Temp\57edc180e22c8127977a1f9852b06fa8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\browserwin\1M8n6JqHEpCu8wBY0Dn.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\browserwin\lnyZxHCaoRye6VN1OrZ3.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\browserwin\BrowserDriverhost.exe
      "C:\browserwin\BrowserDriverhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WaaSMedicAgent.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WaaSMedicAgent.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\browserwin\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\browserwin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\browserwin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Sun\Java\Deployment\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\browserwin\1M8n6JqHEpCu8wBY0Dn.vbe

Filesize
207B

MD5
5c8eb09669c3bc4744ece0ae9a10453c

SHA1
7f41f79ce5a3d322f9dc4426bf34fa58a8f9bc08

SHA256
c548b0b03b9d9159335916098db828b1c82420571e918d883d4f8904db877564

SHA512
a1b1b58a0e00c7d223edafaa25950fbb587d5b9f61b6f06d65c9126a034899f5a8771cfac908780e27362a2f94df6ea03bdefa980277ebaeeb6f1068af796cbb

Download Submit
C:\browserwin\BrowserDriverhost.exe

Filesize
829KB

MD5
b30bdcf56ff0eb39c006216334de1ab2

SHA1
25e1fa26680ae4934554df88072f8f83b237cbcf

SHA256
4b1ae8b4b8685dac8c68c14d5c7da433fb53fa1949621692960f7f662609d7f6

SHA512
233e20a303dc492024eea806c1669f11602b7a3425a36c47328091ae57ecbc3f7be29fcea4de4849ff498b7d1d396f20768b57bb3e99b141d7687dd8690a2216

Download Submit
C:\browserwin\lnyZxHCaoRye6VN1OrZ3.bat

Filesize
37B

MD5
1f70a1ce78f7742619908bafeb60a05f

SHA1
b822141d7c290c031757883acc27e3a433600143

SHA256
616667a3fe469a8bcaa92f12bf3662300d4b1c9d8239ba8b09ec44f9f07e043e

SHA512
2897646e9ab7cebba123f6acc04aeb08a90dc2fc776e653f28813f0c76dec520b0867be4de3a38422b0b9cf050e5e16c6e7a9fa5dd2a55b5c201b6bdf1612e63

Download Submit
memory/4748-12-0x00007FFAAB723000-0x00007FFAAB725000-memory.dmp

Filesize
8KB

Download
memory/4748-13-0x0000000000EE0000-0x0000000000FB6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads