dcrat | fe96ae8bd988e21b4bb52513ca43192b9adbc73c622cb6abc9a3145ec7823040

General

Target

f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Size

2.7MB
MD5

4d9be74be06728c10b25ef019f7ff0b3
SHA1

10c41cfa6c5dbec839759e9fd6971e57311ea76a
SHA256

f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343
SHA512

5e5b6b7a1fe66625b95d83fa2c0c77defe75c328cea02418179ce674134de65a1a2e3fc1e281d12448ac931cd803238205f0a71be73deee473d562d5ca3fd96f
SSDEEP

49152:VRx6mfxiUnp3jfmEXD9KxZU9IaK3clnUezzuuLjaO7e:b40VJ5XQxZUyrctHNyse

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2200	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	2200	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2200	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2200	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	2200	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	2200	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	2200	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	2200	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2200	schtasks.exe	83

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4308-1-0x0000000000A70000-0x0000000000D24000-memory.dmp	dcrat
behavioral2/files/0x0008000000023c9d-32.dat	dcrat
behavioral2/files/0x0009000000023c9d-41.dat	dcrat
behavioral2/files/0x0008000000023c9f-64.dat	dcrat
behavioral2/memory/700-128-0x0000000000920000-0x0000000000BD4000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Executes dropped EXE 1 IoCs

pid	Process
700	fontdrvhost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX8A44.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX8AC2.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\bcastdvr\Idle.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Windows\bcastdvr\6ccacd8608530f	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\bcastdvr\RCX882F.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\bcastdvr\RCX8830.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\bcastdvr\Idle.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1456	schtasks.exe
4020	schtasks.exe
3740	schtasks.exe
3124	schtasks.exe
2160	schtasks.exe
4648	schtasks.exe
2536	schtasks.exe
2040	schtasks.exe
3772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4308	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
4308	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
4308	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
4308	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
700	fontdrvhost.exe
700	fontdrvhost.exe
700	fontdrvhost.exe
700	fontdrvhost.exe
700	fontdrvhost.exe
700	fontdrvhost.exe
700	fontdrvhost.exe
700	fontdrvhost.exe
700	fontdrvhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
700	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Token: SeDebugPrivilege	700	fontdrvhost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 700	4308	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe	94
PID 4308 wrote to memory of 700	4308	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe	94

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
"C:\Users\Admin\AppData\Local\Temp\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4308
- C:\Recovery\WindowsRE\fontdrvhost.exe
  "C:\Recovery\WindowsRE\fontdrvhost.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\bcastdvr\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\bcastdvr\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe

Filesize
2.7MB

MD5
dc8d746887085e6e059afb651edd6266

SHA1
5ec0ed934a01c6435d8f5f3ab838a9f737e1510c

SHA256
3aac1959141dff92e75d173e6e5f408410753b849dcfe14db7683414c5cd465c

SHA512
4a1b06ef11c2cead80f6e7f498fdd1bd3e8c7704adb323a29d4fb1efccde441ec19c013897faa65c0a6e502f239199fc6b16d2201793bac5a24fd43d0d136d68

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
2.7MB

MD5
ea9c6cd986e032416cd98f16b37ffea0

SHA1
9c05fb037928f6bb8f7e6105c0f30b893187966e

SHA256
953416d06273d68011886308e89a24d92093bfc0c8ba715899b5965a252ffb93

SHA512
0a725c44b757944542e418e119e94ae2c99fcd9ecf87faa007ee483fd9d77529146a198a1d7d74c329de466319877013e56a6dbeb58d5bcb489cc394b4d93603

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX8379.tmp

Filesize
2.7MB

MD5
4d9be74be06728c10b25ef019f7ff0b3

SHA1
10c41cfa6c5dbec839759e9fd6971e57311ea76a

SHA256
f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343

SHA512
5e5b6b7a1fe66625b95d83fa2c0c77defe75c328cea02418179ce674134de65a1a2e3fc1e281d12448ac931cd803238205f0a71be73deee473d562d5ca3fd96f

Download Submit
memory/700-130-0x000000001C0F0000-0x000000001C1F2000-memory.dmp

Filesize
1.0MB

Download
memory/700-129-0x000000001BF20000-0x000000001BF32000-memory.dmp

Filesize
72KB

Download
memory/700-128-0x0000000000920000-0x0000000000BD4000-memory.dmp

Filesize
2.7MB

Download
memory/4308-14-0x000000001C650000-0x000000001CB78000-memory.dmp

Filesize
5.2MB

Download
memory/4308-18-0x000000001B9D0000-0x000000001B9DE000-memory.dmp

Filesize
56KB

Download
memory/4308-8-0x000000001B870000-0x000000001B886000-memory.dmp

Filesize
88KB

Download
memory/4308-9-0x000000001B890000-0x000000001B898000-memory.dmp

Filesize
32KB

Download
memory/4308-10-0x000000001B910000-0x000000001B91A000-memory.dmp

Filesize
40KB

Download
memory/4308-11-0x000000001B940000-0x000000001B996000-memory.dmp

Filesize
344KB

Download
memory/4308-12-0x000000001B8F0000-0x000000001B8F8000-memory.dmp

Filesize
32KB

Download
memory/4308-13-0x000000001B900000-0x000000001B912000-memory.dmp

Filesize
72KB

Download
memory/4308-0-0x00007FFA102C3000-0x00007FFA102C5000-memory.dmp

Filesize
8KB

Download
memory/4308-17-0x000000001B9C0000-0x000000001B9CC000-memory.dmp

Filesize
48KB

Download
memory/4308-19-0x000000001B9E0000-0x000000001B9EC000-memory.dmp

Filesize
48KB

Download
memory/4308-7-0x000000001B860000-0x000000001B870000-memory.dmp

Filesize
64KB

Download
memory/4308-16-0x000000001B9B0000-0x000000001B9B8000-memory.dmp

Filesize
32KB

Download
memory/4308-15-0x000000001B920000-0x000000001B928000-memory.dmp

Filesize
32KB

Download
memory/4308-20-0x000000001B9F0000-0x000000001B9FA000-memory.dmp

Filesize
40KB

Download
memory/4308-21-0x000000001BA00000-0x000000001BA0C000-memory.dmp

Filesize
48KB

Download
memory/4308-6-0x000000001B850000-0x000000001B858000-memory.dmp

Filesize
32KB

Download
memory/4308-5-0x000000001B8A0000-0x000000001B8F0000-memory.dmp

Filesize
320KB

Download
memory/4308-4-0x0000000002E50000-0x0000000002E6C000-memory.dmp

Filesize
112KB

Download
memory/4308-127-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

Filesize
10.8MB

Download
memory/4308-3-0x0000000002E40000-0x0000000002E4E000-memory.dmp

Filesize
56KB

Download
memory/4308-2-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

Filesize
10.8MB

Download
memory/4308-1-0x0000000000A70000-0x0000000000D24000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads