dcrat | 6c5d017dcc6921a2b008373dca156d6ee454ed875b361c89d2cb724d20929c81

General

Target

6c5d017dcc6921a2b008373dca156d6ee454ed875b361c89d2cb724d20929c81.exe
Size

1.3MB
MD5

57edc180e22c8127977a1f9852b06fa8
SHA1

6dbe69ff678326a797c0325e34002bd19f179875
SHA256

6c5d017dcc6921a2b008373dca156d6ee454ed875b361c89d2cb724d20929c81
SHA512

86d601dda7f95e8c0cd25e9d34b68cbe5a823293f7a413fe4c15865f312c4a63a949da3442b31974a7031e68cd7a7552ec1d35b6ce9995470634de5b691b4927
SSDEEP

24576:f2G/nvxW3WcsbisnSOKkipM/zQkRRgoynn+aof:fbA3gbisnSdaQkLunXW

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2884	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2884	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2884	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2884	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2884	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2884	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2884	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2884	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2884	schtasks.exe	35

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186f8-9.dat	dcrat
behavioral1/memory/2712-13-0x0000000000090000-0x0000000000166000-memory.dmp	dcrat
behavioral1/memory/1292-27-0x0000000000890000-0x0000000000966000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2712	BrowserDriverhost.exe
1292	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	cmd.exe
2296	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\it-IT\lsass.exe	BrowserDriverhost.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\lsass.exe	BrowserDriverhost.exe
File created	C:\Program Files\Windows Defender\it-IT\6203df4a6bafc7	BrowserDriverhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\fr-FR\wininit.exe	BrowserDriverhost.exe
File created	C:\Windows\PolicyDefinitions\fr-FR\56085415360792	BrowserDriverhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c5d017dcc6921a2b008373dca156d6ee454ed875b361c89d2cb724d20929c81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1032	schtasks.exe
2648	schtasks.exe
2284	schtasks.exe
2164	schtasks.exe
2848	schtasks.exe
2988	schtasks.exe
2596	schtasks.exe
2684	schtasks.exe
2584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2712	BrowserDriverhost.exe
1292	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	BrowserDriverhost.exe
Token: SeDebugPrivilege	1292	wininit.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2492	764	6c5d017dcc6921a2b008373dca156d6ee454ed875b361c89d2cb724d20929c81.exe	31
PID 764 wrote to memory of 2492	764	6c5d017dcc6921a2b008373dca156d6ee454ed875b361c89d2cb724d20929c81.exe	31
PID 764 wrote to memory of 2492	764	6c5d017dcc6921a2b008373dca156d6ee454ed875b361c89d2cb724d20929c81.exe	31
PID 764 wrote to memory of 2492	764	6c5d017dcc6921a2b008373dca156d6ee454ed875b361c89d2cb724d20929c81.exe	31
PID 2492 wrote to memory of 2296	2492	WScript.exe	32
PID 2492 wrote to memory of 2296	2492	WScript.exe	32
PID 2492 wrote to memory of 2296	2492	WScript.exe	32
PID 2492 wrote to memory of 2296	2492	WScript.exe	32
PID 2296 wrote to memory of 2712	2296	cmd.exe	34
PID 2296 wrote to memory of 2712	2296	cmd.exe	34
PID 2296 wrote to memory of 2712	2296	cmd.exe	34
PID 2296 wrote to memory of 2712	2296	cmd.exe	34
PID 2712 wrote to memory of 2880	2712	BrowserDriverhost.exe	45
PID 2712 wrote to memory of 2880	2712	BrowserDriverhost.exe	45
PID 2712 wrote to memory of 2880	2712	BrowserDriverhost.exe	45
PID 2880 wrote to memory of 2540	2880	cmd.exe	47
PID 2880 wrote to memory of 2540	2880	cmd.exe	47
PID 2880 wrote to memory of 2540	2880	cmd.exe	47
PID 2880 wrote to memory of 1292	2880	cmd.exe	48
PID 2880 wrote to memory of 1292	2880	cmd.exe	48
PID 2880 wrote to memory of 1292	2880	cmd.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c5d017dcc6921a2b008373dca156d6ee454ed875b361c89d2cb724d20929c81.exe
"C:\Users\Admin\AppData\Local\Temp\6c5d017dcc6921a2b008373dca156d6ee454ed875b361c89d2cb724d20929c81.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\browserwin\1M8n6JqHEpCu8wBY0Dn.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\browserwin\lnyZxHCaoRye6VN1OrZ3.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\browserwin\BrowserDriverhost.exe
      "C:\browserwin\BrowserDriverhost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r2XKqKAXvE.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2540
      - C:\Windows\PolicyDefinitions\fr-FR\wininit.exe
        
        "C:\Windows\PolicyDefinitions\fr-FR\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\r2XKqKAXvE.bat

Filesize
211B

MD5
a22dd50520b4537efe4e8b8e82f7c39b

SHA1
4d723e22739ab431363cbf752bb0447bc752e187

SHA256
ce9bd0c06a0716e6eecabc61249a2da2e8d2bad447c902fee38cb95469f3fe26

SHA512
835daad9ef6214c3ca3968d046eae37b1ccb771cd93cef0fc8b89d5ae75eb61a4df0d85a3499e1bad1aabd9efe622169dde0131c387d10e889ef8e066edd99d9

Download Submit
C:\browserwin\1M8n6JqHEpCu8wBY0Dn.vbe

Filesize
207B

MD5
5c8eb09669c3bc4744ece0ae9a10453c

SHA1
7f41f79ce5a3d322f9dc4426bf34fa58a8f9bc08

SHA256
c548b0b03b9d9159335916098db828b1c82420571e918d883d4f8904db877564

SHA512
a1b1b58a0e00c7d223edafaa25950fbb587d5b9f61b6f06d65c9126a034899f5a8771cfac908780e27362a2f94df6ea03bdefa980277ebaeeb6f1068af796cbb

Download Submit
C:\browserwin\lnyZxHCaoRye6VN1OrZ3.bat

Filesize
37B

MD5
1f70a1ce78f7742619908bafeb60a05f

SHA1
b822141d7c290c031757883acc27e3a433600143

SHA256
616667a3fe469a8bcaa92f12bf3662300d4b1c9d8239ba8b09ec44f9f07e043e

SHA512
2897646e9ab7cebba123f6acc04aeb08a90dc2fc776e653f28813f0c76dec520b0867be4de3a38422b0b9cf050e5e16c6e7a9fa5dd2a55b5c201b6bdf1612e63

Download Submit
\browserwin\BrowserDriverhost.exe

Filesize
829KB

MD5
b30bdcf56ff0eb39c006216334de1ab2

SHA1
25e1fa26680ae4934554df88072f8f83b237cbcf

SHA256
4b1ae8b4b8685dac8c68c14d5c7da433fb53fa1949621692960f7f662609d7f6

SHA512
233e20a303dc492024eea806c1669f11602b7a3425a36c47328091ae57ecbc3f7be29fcea4de4849ff498b7d1d396f20768b57bb3e99b141d7687dd8690a2216

Download Submit
memory/1292-27-0x0000000000890000-0x0000000000966000-memory.dmp

Filesize
856KB

Download
memory/2712-13-0x0000000000090000-0x0000000000166000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads