dcrat | 6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81

General

Target

6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
Size

783KB
MD5

68a6f449fc698f0c11fd6903c53a81e0
SHA1

6289583e40388b16fd4bf56040e3f1f7e02a2f38
SHA256

6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81
SHA512

4339a056da6d70cbe9dbe96232c1f264bdc5542e94e9f37a286391e9725aa40a1c75ec2c2787dc94e7012845324aed5facc14585e3c25238c46d3faba0db66cb
SSDEEP

12288:GqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK:G+OQbpbgsFdAyQvzSqaq8q

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2596	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2596	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2596	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2596	schtasks.exe	31

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2656-1-0x00000000001F0000-0x00000000002BA000-memory.dmp	dcrat
behavioral1/files/0x0008000000016d9a-35.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1236	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\twain_32\\explorer.exe\""	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\fveapi\\winlogon.exe\""	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\DFDWiz\\lsass.exe\""	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Windows\\System32\\wbem\\wmpnetwk\\WMIADAP.exe\""	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\DFDWiz\lsass.exe	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
File created	C:\Windows\System32\DFDWiz\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
File created	C:\Windows\System32\wbem\wmpnetwk\WMIADAP.exe	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
File created	C:\Windows\System32\wbem\wmpnetwk\75a57c1bdf437c0c81ad56e81f43c7323ed35745	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
File opened for modification	C:\Windows\System32\wbem\wmpnetwk\RCXF144.tmp	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
File opened for modification	C:\Windows\System32\wbem\wmpnetwk\WMIADAP.exe	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
File opened for modification	C:\Windows\System32\DFDWiz\lsass.exe	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
File created	C:\Windows\System32\fveapi\winlogon.exe	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
File created	C:\Windows\System32\fveapi\cc11b995f2a76da408ea6a601e682e64743153ad	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
File opened for modification	C:\Windows\System32\DFDWiz\RCXEF40.tmp	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
File opened for modification	C:\Windows\System32\fveapi\RCXF54B.tmp	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
File opened for modification	C:\Windows\System32\fveapi\winlogon.exe	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
File opened for modification	C:\Windows\twain_32\RCXF347.tmp	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
File opened for modification	C:\Windows\twain_32\explorer.exe	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
File created	C:\Windows\twain_32\explorer.exe	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2592	schtasks.exe
1864	schtasks.exe
2972	schtasks.exe
2220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
Token: SeDebugPrivilege	1236	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1236	2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe	36
PID 2656 wrote to memory of 1236	2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe	36
PID 2656 wrote to memory of 1236	2656	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe	36

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
"C:\Users\Admin\AppData\Local\Temp\6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2656
- C:\Users\Admin\AppData\Local\Temp\6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe
  "C:\Users\Admin\AppData\Local\Temp\6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81N.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\DFDWiz\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wmpnetwk\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\fveapi\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\DFDWiz\lsass.exe

Filesize
783KB

MD5
68a6f449fc698f0c11fd6903c53a81e0

SHA1
6289583e40388b16fd4bf56040e3f1f7e02a2f38

SHA256
6ac524fe6c26a64e6d05410faed8a85e6b59d30be07c41a9ec05d7ea03acac81

SHA512
4339a056da6d70cbe9dbe96232c1f264bdc5542e94e9f37a286391e9725aa40a1c75ec2c2787dc94e7012845324aed5facc14585e3c25238c46d3faba0db66cb

Download Submit
memory/2656-17-0x000000001AB30000-0x000000001AB38000-memory.dmp

Filesize
32KB

Download
memory/2656-66-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2656-13-0x000000001A620000-0x000000001A628000-memory.dmp

Filesize
32KB

Download
memory/2656-5-0x0000000002000000-0x0000000002010000-memory.dmp

Filesize
64KB

Download
memory/2656-4-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2656-6-0x0000000002170000-0x0000000002178000-memory.dmp

Filesize
32KB

Download
memory/2656-7-0x000000001AA30000-0x000000001AA3C000-memory.dmp

Filesize
48KB

Download
memory/2656-8-0x000000001AA10000-0x000000001AA1A000-memory.dmp

Filesize
40KB

Download
memory/2656-9-0x000000001A610000-0x000000001A61A000-memory.dmp

Filesize
40KB

Download
memory/2656-10-0x000000001AA20000-0x000000001AA28000-memory.dmp

Filesize
32KB

Download
memory/2656-11-0x000000001AAF0000-0x000000001AAF8000-memory.dmp

Filesize
32KB

Download
memory/2656-12-0x000000001A600000-0x000000001A608000-memory.dmp

Filesize
32KB

Download
memory/2656-3-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

Filesize
32KB

Download
memory/2656-2-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2656-22-0x000000001AB40000-0x000000001AB48000-memory.dmp

Filesize
32KB

Download
memory/2656-15-0x000000001AB10000-0x000000001AB18000-memory.dmp

Filesize
32KB

Download
memory/2656-14-0x000000001AA40000-0x000000001AA48000-memory.dmp

Filesize
32KB

Download
memory/2656-18-0x000000001A630000-0x000000001A638000-memory.dmp

Filesize
32KB

Download
memory/2656-20-0x000000001AAE0000-0x000000001AAE8000-memory.dmp

Filesize
32KB

Download
memory/2656-19-0x000000001AAD0000-0x000000001AAD8000-memory.dmp

Filesize
32KB

Download
memory/2656-21-0x000000001AB00000-0x000000001AB0C000-memory.dmp

Filesize
48KB

Download
memory/2656-16-0x000000001AB20000-0x000000001AB28000-memory.dmp

Filesize
32KB

Download
memory/2656-25-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2656-1-0x00000000001F0000-0x00000000002BA000-memory.dmp

Filesize
808KB

Download
memory/2656-41-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2656-56-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2656-0-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads