dcrat | 09d131517a12fb5f3b9079f920b9ff6328de6955812f592ba6ae31f4287d3617

General

Target

DCRatBuild.exe
Size

1.1MB
MD5

e57a019d1bc08061c8d91d8f27c22325
SHA1

b1a3eadefec298a7f5dafe2d59ced44ff7d6abb3
SHA256

09d131517a12fb5f3b9079f920b9ff6328de6955812f592ba6ae31f4287d3617
SHA512

83a387cc2b0f33d4b5f6e8e94835f5658b85201e5c8015d83d70e6de3d8bad101643475ffe6e20883fd5a3b9b8249dde5ec0fdb4db082aeba7c0a9b9dc1c5b70
SSDEEP

24576:U2G/nvxW3Ww0tGN/1dmETXhEK5LH8wBeHr8N:UbA30GN/1FXhVLcw+rc

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	952	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	952	schtasks.exe	89

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023bb0-10.dat	dcrat
behavioral2/memory/3404-13-0x0000000000D10000-0x0000000000DE6000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	blockServer.exe

Executes dropped EXE 2 IoCs

pid	Process
3404	blockServer.exe
396	StartMenuExperienceHost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\55b276f4edf653	blockServer.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\121e5b5079f7c0	blockServer.exe
File created	C:\Program Files\VideoLAN\fontdrvhost.exe	blockServer.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe	blockServer.exe
File created	C:\Program Files\Windows Security\BrowserCore\55b276f4edf653	blockServer.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\StartMenuExperienceHost.exe	blockServer.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sysmon.exe	blockServer.exe
File created	C:\Program Files\VideoLAN\5b884080fd4f94	blockServer.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\ea9f0e6c9e2dcd	blockServer.exe
File created	C:\Program Files\Windows Security\BrowserCore\StartMenuExperienceHost.exe	blockServer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\es-ES\dwm.exe	blockServer.exe
File created	C:\Windows\PolicyDefinitions\es-ES\6cb0b6c459d5d3	blockServer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	blockServer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
532	schtasks.exe
1680	schtasks.exe
3016	schtasks.exe
3896	schtasks.exe
3572	schtasks.exe
1224	schtasks.exe
4740	schtasks.exe
3056	schtasks.exe
4264	schtasks.exe
2936	schtasks.exe
836	schtasks.exe
2484	schtasks.exe
4176	schtasks.exe
1880	schtasks.exe
708	schtasks.exe
3208	schtasks.exe
4836	schtasks.exe
2660	schtasks.exe
1472	schtasks.exe
4896	schtasks.exe
2404	schtasks.exe
4904	schtasks.exe
632	schtasks.exe
2940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3404	blockServer.exe
3404	blockServer.exe
3404	blockServer.exe
396	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	blockServer.exe
Token: SeDebugPrivilege	396	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 1620	4680	DCRatBuild.exe	84
PID 4680 wrote to memory of 1620	4680	DCRatBuild.exe	84
PID 4680 wrote to memory of 1620	4680	DCRatBuild.exe	84
PID 1620 wrote to memory of 1496	1620	WScript.exe	86
PID 1620 wrote to memory of 1496	1620	WScript.exe	86
PID 1620 wrote to memory of 1496	1620	WScript.exe	86
PID 1496 wrote to memory of 3404	1496	cmd.exe	88
PID 1496 wrote to memory of 3404	1496	cmd.exe	88
PID 3404 wrote to memory of 964	3404	blockServer.exe	115
PID 3404 wrote to memory of 964	3404	blockServer.exe	115
PID 964 wrote to memory of 2452	964	cmd.exe	117
PID 964 wrote to memory of 2452	964	cmd.exe	117
PID 964 wrote to memory of 396	964	cmd.exe	125
PID 964 wrote to memory of 396	964	cmd.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ComWebSessionbroker\JasNTlJ43oUjNOXJ6GLnSa5WXs.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ComWebSessionbroker\1ajAOSAhS.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\ComWebSessionbroker\blockServer.exe
      "C:\ComWebSessionbroker\blockServer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3404
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\glOJKUDbnd.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:964
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2452
      - C:\Program Files\Windows Security\BrowserCore\StartMenuExperienceHost.exe
        
        "C:\Program Files\Windows Security\BrowserCore\StartMenuExperienceHost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\ComWebSessionbroker\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ComWebSessionbroker\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\ComWebSessionbroker\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ComWebSessionbroker\1ajAOSAhS.bat

Filesize
40B

MD5
d3d25823ce836fca7f72fe2538d7920d

SHA1
71738f97c44dc40a6668e636c54c2afd9ede370f

SHA256
60b5d65e7af9bf924503bc1b62c30381b859504c08cc23316dba55107bfc739d

SHA512
8528a66f0e71446dd42300c39a2e52d78f34afcad2fdf477311074322b1628d192533996864e11d27f702e333cc37468b32f5346109159092206bf68d45e73b7

Download Submit
C:\ComWebSessionbroker\JasNTlJ43oUjNOXJ6GLnSa5WXs.vbe

Filesize
205B

MD5
b7f0ab71e54ffa7c8748b76dc631cd43

SHA1
769a64d7483fa72d61a1d15f10c1b1401fae10f3

SHA256
871d73883a509ab02bf2dda5098434a5ac7430b0ef65c6400190e4171f4b540c

SHA512
6edbe941b8325a7e7dc7cf453044226a8dcf7258f8d526822efe028a56daf74b7fb90ebaf4ede855367872006e106922d280df9cbcb2fd4bdfead21bb0bfd267

Download Submit
C:\ComWebSessionbroker\blockServer.exe

Filesize
829KB

MD5
579731eb1a659552a99fcbf80d358779

SHA1
e96a8cb05ae216cd003a298fe559663a57d21b31

SHA256
fd4d52c4ef4fd4378086c952f612b749279ed96f50ad66a815077196e8686585

SHA512
f84002afbd1cdb377aead468ea3713177bf3abbaf15155cf412e0eb7247e30d964f0eb370ef257675d41bf0e2bc5eeebe975392ebca327f874afb147f5a57647

Download Submit
C:\Users\Admin\AppData\Local\Temp\glOJKUDbnd.bat

Filesize
238B

MD5
a77c14efd9c2a0df2c4881b6b857c990

SHA1
969a306455e703dddbe944a3ede3a350ceae83e1

SHA256
a17587ad14b27488efd458f10da66e14ecf1aacd1697b740759d4dfb76e52a4c

SHA512
30efdb65a73b4fe5b80141baa14725dad378abd7a3cc2fb0c52039837339ce019b7e0d9a4d1b4145a1e677bbffeffa7b56c5ea5f51ad98cfaf3a44ec5ca57199

Download Submit
memory/3404-12-0x00007FF9FEB23000-0x00007FF9FEB25000-memory.dmp

Filesize
8KB

Download
memory/3404-13-0x0000000000D10000-0x0000000000DE6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads