dcrat | eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162

General

Target

39080b718b5fd386e181eae293d3dd8e.exe
Size

829KB
MD5

39080b718b5fd386e181eae293d3dd8e
SHA1

d08ff7cf2dd523b14453fc3a2403fc08adc8185e
SHA256

eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162
SHA512

11744429f505482bd88d17947ef192f468966b7d7b875ed67ae7a908313f300ef0bbf9cb326d526a169a93c23fa7417bb71a04bd9fa07d6bd5ef9e37f9987aff
SSDEEP

12288:KowrLE6IKSq9aZxoHH6+LsHmRWR1httY5B2ycgPATuUc4wGOx:KoevIKSq9aZ46+LR2YeyPPUy4tOx

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2396	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	2396	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4876-1-0x0000000000700000-0x00000000007D6000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b69-11.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	39080b718b5fd386e181eae293d3dd8e.exe

Executes dropped EXE 1 IoCs

pid	Process
4360	OfficeClickToRun.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\sihost.exe	39080b718b5fd386e181eae293d3dd8e.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\e6c9b481da804f	39080b718b5fd386e181eae293d3dd8e.exe
File created	C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe	39080b718b5fd386e181eae293d3dd8e.exe
File created	C:\Program Files\Windows Portable Devices\eddb19405b7ce1	39080b718b5fd386e181eae293d3dd8e.exe
File created	C:\Program Files\Windows Mail\dllhost.exe	39080b718b5fd386e181eae293d3dd8e.exe
File created	C:\Program Files\Windows Mail\5940a34987c991	39080b718b5fd386e181eae293d3dd8e.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe	39080b718b5fd386e181eae293d3dd8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	39080b718b5fd386e181eae293d3dd8e.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3864	schtasks.exe
744	schtasks.exe
3508	schtasks.exe
2632	schtasks.exe
4536	schtasks.exe
1712	schtasks.exe
3676	schtasks.exe
4760	schtasks.exe
2608	schtasks.exe
4088	schtasks.exe
4080	schtasks.exe
4728	schtasks.exe
2320	schtasks.exe
4364	schtasks.exe
3652	schtasks.exe
2932	schtasks.exe
2444	schtasks.exe
2736	schtasks.exe
1772	schtasks.exe
1540	schtasks.exe
4428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4876	39080b718b5fd386e181eae293d3dd8e.exe
4876	39080b718b5fd386e181eae293d3dd8e.exe
4876	39080b718b5fd386e181eae293d3dd8e.exe
4360	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	39080b718b5fd386e181eae293d3dd8e.exe
Token: SeDebugPrivilege	4360	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 5060	4876	39080b718b5fd386e181eae293d3dd8e.exe	105
PID 4876 wrote to memory of 5060	4876	39080b718b5fd386e181eae293d3dd8e.exe	105
PID 5060 wrote to memory of 2296	5060	cmd.exe	107
PID 5060 wrote to memory of 2296	5060	cmd.exe	107
PID 5060 wrote to memory of 4360	5060	cmd.exe	109
PID 5060 wrote to memory of 4360	5060	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\39080b718b5fd386e181eae293d3dd8e.exe
"C:\Users\Admin\AppData\Local\Temp\39080b718b5fd386e181eae293d3dd8e.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9fIKLEDwsj.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2296
- - C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\SendTo\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9fIKLEDwsj.bat

Filesize
241B

MD5
acf8438abd3d512c7228a6acb260f7aa

SHA1
ad99fc427112da4a7d4e1d7d4a97df8921a0d245

SHA256
fad3eeb9d091d09c7c9f28956876722d17911beeeb45fa1c0ac2fc182df63fb4

SHA512
7d685a73de19b2da64d4188f72c7c4e9554bd930a345fe77321856e71d85a9782b4b704c1dc9b7d7bc9b6983669c1ea820f4c084e0e741d91a05aceb839ddf19

Download Submit
C:\Users\Default\SppExtComObj.exe

Filesize
829KB

MD5
39080b718b5fd386e181eae293d3dd8e

SHA1
d08ff7cf2dd523b14453fc3a2403fc08adc8185e

SHA256
eae062b9aa062793a84a0c5b60223aab93f29f995de6250720610ba248945162

SHA512
11744429f505482bd88d17947ef192f468966b7d7b875ed67ae7a908313f300ef0bbf9cb326d526a169a93c23fa7417bb71a04bd9fa07d6bd5ef9e37f9987aff

Download Submit
memory/4876-0-0x00007FF9DE873000-0x00007FF9DE875000-memory.dmp

Filesize
8KB

Download
memory/4876-1-0x0000000000700000-0x00000000007D6000-memory.dmp

Filesize
856KB

Download
memory/4876-4-0x00007FF9DE870000-0x00007FF9DF331000-memory.dmp

Filesize
10.8MB

Download
memory/4876-22-0x00007FF9DE870000-0x00007FF9DF331000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads