dcrat | 8c3a7033ee06a047f453f22368007970407fdd15e73bca372c72f70cfb89b4ab

General

Target

3e6f4e16f8da924256118e6c9cdaa7f2.exe
Size

1.2MB
MD5

3e6f4e16f8da924256118e6c9cdaa7f2
SHA1

87b7927fb99d36a91b09ee9fa3807ef418a960b8
SHA256

8c3a7033ee06a047f453f22368007970407fdd15e73bca372c72f70cfb89b4ab
SHA512

b3df11ec860740a4ea874177cb222df715cc424b55df5454213c5b6a3ff6fb1d30e9bc9fd207afdeaff0e41961c694f915535c1fd64ab32d1066f5337193a69d
SSDEEP

24576:bmYejVvCekg5dxjMlM/R3DxnI2IbqvXTsb8:bmF4g9IUIN2r

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	1096	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	1096	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4172-1-0x0000000000540000-0x0000000000680000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b84-11.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	3e6f4e16f8da924256118e6c9cdaa7f2.exe

Executes dropped EXE 1 IoCs

pid	Process
2920	upfc.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\27d1bcfc3c54e0	3e6f4e16f8da924256118e6c9cdaa7f2.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\upfc.exe	3e6f4e16f8da924256118e6c9cdaa7f2.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ea1d8f6d871115	3e6f4e16f8da924256118e6c9cdaa7f2.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\sppsvc.exe	3e6f4e16f8da924256118e6c9cdaa7f2.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\27d1bcfc3c54e0	3e6f4e16f8da924256118e6c9cdaa7f2.exe
File created	C:\Program Files (x86)\Windows Mail\System.exe	3e6f4e16f8da924256118e6c9cdaa7f2.exe
File created	C:\Program Files (x86)\Windows Portable Devices\upfc.exe	3e6f4e16f8da924256118e6c9cdaa7f2.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\0a1fd5f707cd16	3e6f4e16f8da924256118e6c9cdaa7f2.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\System.exe	3e6f4e16f8da924256118e6c9cdaa7f2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\dllhost.exe	3e6f4e16f8da924256118e6c9cdaa7f2.exe
File created	C:\Windows\Registration\CRMLog\5940a34987c991	3e6f4e16f8da924256118e6c9cdaa7f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	3e6f4e16f8da924256118e6c9cdaa7f2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
948	schtasks.exe
1496	schtasks.exe
3108	schtasks.exe
208	schtasks.exe
1440	schtasks.exe
1500	schtasks.exe
3192	schtasks.exe
2000	schtasks.exe
3264	schtasks.exe
3260	schtasks.exe
3128	schtasks.exe
1772	schtasks.exe
3956	schtasks.exe
2200	schtasks.exe
5088	schtasks.exe
2088	schtasks.exe
2140	schtasks.exe
2060	schtasks.exe
100	schtasks.exe
4464	schtasks.exe
2004	schtasks.exe
4444	schtasks.exe
4628	schtasks.exe
4880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe
4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe
4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe
4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe
4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe
4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe
4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe
4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe
4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe
4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe
4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe
4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe
4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe
2920	upfc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe
Token: SeDebugPrivilege	2920	upfc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 448	4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe	108
PID 4172 wrote to memory of 448	4172	3e6f4e16f8da924256118e6c9cdaa7f2.exe	108
PID 448 wrote to memory of 2736	448	cmd.exe	110
PID 448 wrote to memory of 2736	448	cmd.exe	110
PID 448 wrote to memory of 2920	448	cmd.exe	112
PID 448 wrote to memory of 2920	448	cmd.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3e6f4e16f8da924256118e6c9cdaa7f2.exe
"C:\Users\Admin\AppData\Local\Temp\3e6f4e16f8da924256118e6c9cdaa7f2.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guhWoINh9v.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2736
- - C:\Program Files (x86)\Windows Portable Devices\upfc.exe
    "C:\Program Files (x86)\Windows Portable Devices\upfc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\System.exe

Filesize
1.2MB

MD5
3e6f4e16f8da924256118e6c9cdaa7f2

SHA1
87b7927fb99d36a91b09ee9fa3807ef418a960b8

SHA256
8c3a7033ee06a047f453f22368007970407fdd15e73bca372c72f70cfb89b4ab

SHA512
b3df11ec860740a4ea874177cb222df715cc424b55df5454213c5b6a3ff6fb1d30e9bc9fd207afdeaff0e41961c694f915535c1fd64ab32d1066f5337193a69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\guhWoINh9v.bat

Filesize
221B

MD5
8a479162f9304250cacaffb05eb53e61

SHA1
86596e7942ef183c77b2daf60245f0ab1532fa1b

SHA256
14493e75b4f8b40ec9274d14cbcfe2146ce46106a4132da3a3929723c23dc9d2

SHA512
e62ee8b5844f05e0f4b80c53088563e5de2b6e8bbceba2f3c783af9d6b1f941fa0ee4f1d54312b347d7c32565439363ea28bfc477a35c9f746994a06dd1841c7

Download Submit
memory/4172-0-0x00007FFC30343000-0x00007FFC30345000-memory.dmp

Filesize
8KB

Download
memory/4172-1-0x0000000000540000-0x0000000000680000-memory.dmp

Filesize
1.2MB

Download
memory/4172-2-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download
memory/4172-24-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads