dcrat | 874a2c7f2a2f39efe570bde5a76a28199fc8a063281b75d6d59a5f1b044ccc84

General

Target

9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
Size

1.1MB
MD5

08e95dabb86201eeb98188769e4fcd62
SHA1

40a819d79a67c7be05f9c0c45ee7558ec58971f9
SHA256

9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7
SHA512

7d9b35d175f4a0c90a48c44930e7f8260e4a16821b4c778bc5fcb1d5a220d29d29520f7b1809918eb5e03dfd16a6dfcfac3fcbfd4cebabcdd38776c5508cf722
SSDEEP

24576:U2G/nvxW3Ww0tE9E3RrEdapg6gnUcKnbXq5Qck:UbA30E9ldapLpkQl

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	1224	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	1224	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cbd-10.dat	dcrat
behavioral2/memory/5104-13-0x00000000008F0000-0x00000000009C6000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Runtimemonitor.exe

Executes dropped EXE 2 IoCs

pid	Process
5104	Runtimemonitor.exe
4512	csrss.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\en-US\csrss.exe	Runtimemonitor.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\886983d96e3d3e	Runtimemonitor.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Vss\efd8e7f822cf10	Runtimemonitor.exe
File created	C:\Windows\PLA\Rules\en-US\TextInputHost.exe	Runtimemonitor.exe
File opened for modification	C:\Windows\PLA\Rules\en-US\TextInputHost.exe	Runtimemonitor.exe
File created	C:\Windows\PLA\Rules\en-US\22eafd247d37c3	Runtimemonitor.exe
File created	C:\Windows\Vss\Runtimemonitor.exe	Runtimemonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Runtimemonitor.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
456	schtasks.exe
3272	schtasks.exe
1956	schtasks.exe
3820	schtasks.exe
1588	schtasks.exe
2868	schtasks.exe
232	schtasks.exe
2796	schtasks.exe
5008	schtasks.exe
4368	schtasks.exe
4472	schtasks.exe
4768	schtasks.exe
4152	schtasks.exe
2948	schtasks.exe
4808	schtasks.exe
4832	schtasks.exe
3392	schtasks.exe
4816	schtasks.exe
396	schtasks.exe
4480	schtasks.exe
748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5104	Runtimemonitor.exe
5104	Runtimemonitor.exe
5104	Runtimemonitor.exe
5104	Runtimemonitor.exe
5104	Runtimemonitor.exe
5104	Runtimemonitor.exe
5104	Runtimemonitor.exe
5104	Runtimemonitor.exe
5104	Runtimemonitor.exe
5104	Runtimemonitor.exe
5104	Runtimemonitor.exe
4512	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5104	Runtimemonitor.exe
Token: SeDebugPrivilege	4512	csrss.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 2932	912	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe	82
PID 912 wrote to memory of 2932	912	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe	82
PID 912 wrote to memory of 2932	912	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe	82
PID 2932 wrote to memory of 4772	2932	WScript.exe	83
PID 2932 wrote to memory of 4772	2932	WScript.exe	83
PID 2932 wrote to memory of 4772	2932	WScript.exe	83
PID 4772 wrote to memory of 5104	4772	cmd.exe	85
PID 4772 wrote to memory of 5104	4772	cmd.exe	85
PID 5104 wrote to memory of 3960	5104	Runtimemonitor.exe	108
PID 5104 wrote to memory of 3960	5104	Runtimemonitor.exe	108
PID 3960 wrote to memory of 368	3960	cmd.exe	110
PID 3960 wrote to memory of 368	3960	cmd.exe	110
PID 3960 wrote to memory of 4512	3960	cmd.exe	115
PID 3960 wrote to memory of 4512	3960	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
"C:\Users\Admin\AppData\Local\Temp\9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\PortcomAgentwinbroker\Runtimemonitor.exe
      "C:\PortcomAgentwinbroker\Runtimemonitor.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zoSC2qJvsZ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3960
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:368
      - C:\Program Files\Windows Photo Viewer\en-US\csrss.exe
        
        "C:\Program Files\Windows Photo Viewer\en-US\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Rules\en-US\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Rules\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\PortcomAgentwinbroker\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\PortcomAgentwinbroker\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\PortcomAgentwinbroker\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\PortcomAgentwinbroker\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\PortcomAgentwinbroker\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\PortcomAgentwinbroker\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimemonitorR" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Runtimemonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Runtimemonitor" /sc ONLOGON /tr "'C:\Windows\Vss\Runtimemonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimemonitorR" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Runtimemonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Saved Games\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat

Filesize
45B

MD5
045087efd61d5ab94d918bfd3946a335

SHA1
3aff3cfa40d70469614e4228d91a606c83ea7919

SHA256
e482a83af3f1dfc25dc04f86b454e21d1107cc9cf5cd18c172c3e3f3b9a3b022

SHA512
047d93b004fe7ee1448eb274ee640d104aac06c00d5ea2acdd56b78581d610e93a702e9098d33c985cae2758b3cc502331747fa0979a075aa5c39a30f7910d49

Download Submit
C:\PortcomAgentwinbroker\Runtimemonitor.exe

Filesize
828KB

MD5
2effcbfe83a6e643d620bd7221b8d4cc

SHA1
37ba35e898bc1135c3be15127d1baf95ea311029

SHA256
4618a1f497b813ef1f58a9a256bbd0f418c70ec7340ce9e0a51e343d21095b40

SHA512
0dcc2febdf5ad2c5f5bda5680bde51b23ea5d5ea38bdc6bc8dda0d2f0a0ae9c4a619b9a7aabd024da9c45f4df594766d400abd4df07ee30fc4a2869da77d6999

Download Submit
C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe

Filesize
226B

MD5
965fe1cee13f15bd288f9f8d603a2769

SHA1
18ca01b1ee9a9b524ca5aaa1b750c38a1303f7c1

SHA256
b6ff2be9587c1e05b35823470a835d0dea7850ff2ed98e57722489db44033a8b

SHA512
364a403217a76567c96632741c3f0473a09af1185acff65926aafee1655df5d9f6161f2799d57f6d432e7f87a0ac592cd6ad7f6424c89eac12f793b27d4e9d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoSC2qJvsZ.bat

Filesize
218B

MD5
8b46c248616c7f3ab5ed54815c12ab04

SHA1
a8ad199ee6c2b61254aaf0358ef24192b9bdd9e0

SHA256
8c6fb3df5b2ce43ca2e8f220a6084efb8e3186a5642ba57218489e3f51a79a27

SHA512
669878669d5d22d8683922dea0216ee54af886c92fb588c32c934030b46a21ca8ded31ec2a0e04495c13850cafe3f2387a17d2e5efda51816b4a9444cc0ffb75

Download Submit
memory/5104-12-0x00007FF821E73000-0x00007FF821E75000-memory.dmp

Filesize
8KB

Download
memory/5104-13-0x00000000008F0000-0x00000000009C6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads