dcrat | 841ac24e73d5991bc0e7249257bda26329a9242829cf0e502e267725816fa2cb

General

Target

88ElUKogRKGiq.exe
Size

1.1MB
MD5

98bc6986b35fa731860febb8f60de8fb
SHA1

b985bdb9d2f2d6ac3085ca5f176f0a0d880bb31e
SHA256

841ac24e73d5991bc0e7249257bda26329a9242829cf0e502e267725816fa2cb
SHA512

92724f813370fffa7fe60ba35547e1282f2b1b521a45e6bac9bd42943c5a64519863b0c78fc9a0a38d71577b1e5e5d7a61754f6c921ec962c6b4b84e76db8e7c
SSDEEP

24576:P2G/nvxW3WB0A5wH9WpcT5neONb8GM2IgYg:PbA3TA5kWIzM2P

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	2924	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	2924	schtasks.exe	93

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/files/0x000a000000023b85-10.dat	dcrat
behavioral3/memory/3116-13-0x0000000000D00000-0x0000000000DD6000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	88ElUKogRKGiq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	reviewCrtsvc.exe

Executes dropped EXE 2 IoCs

pid	Process
3116	reviewCrtsvc.exe
1096	upfc.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\ModifiableWindowsApps\lsass.exe	reviewCrtsvc.exe
File created	C:\Program Files\Windows Portable Devices\upfc.exe	reviewCrtsvc.exe
File created	C:\Program Files\Windows Portable Devices\ea1d8f6d871115	reviewCrtsvc.exe
File created	C:\Program Files\Microsoft Office\Office16\wininit.exe	reviewCrtsvc.exe
File created	C:\Program Files (x86)\Windows Mail\dllhost.exe	reviewCrtsvc.exe
File created	C:\Program Files\Microsoft Office\Office16\56085415360792	reviewCrtsvc.exe
File created	C:\Program Files (x86)\Windows Mail\5940a34987c991	reviewCrtsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe	reviewCrtsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\9e8d7a4ca61bd9	reviewCrtsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PrintDialog\Assets\StartMenuExperienceHost.exe	reviewCrtsvc.exe
File created	C:\Windows\PrintDialog\Assets\55b276f4edf653	reviewCrtsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88ElUKogRKGiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings	88ElUKogRKGiq.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings	reviewCrtsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4592	schtasks.exe
2052	schtasks.exe
4260	schtasks.exe
1616	schtasks.exe
1720	schtasks.exe
2520	schtasks.exe
3896	schtasks.exe
224	schtasks.exe
2036	schtasks.exe
4640	schtasks.exe
2364	schtasks.exe
1756	schtasks.exe
1104	schtasks.exe
4368	schtasks.exe
4428	schtasks.exe
4492	schtasks.exe
3380	schtasks.exe
4772	schtasks.exe
2712	schtasks.exe
1496	schtasks.exe
2564	schtasks.exe
4188	schtasks.exe
3356	schtasks.exe
3820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3116	reviewCrtsvc.exe
3116	reviewCrtsvc.exe
3116	reviewCrtsvc.exe
3116	reviewCrtsvc.exe
3116	reviewCrtsvc.exe
3116	reviewCrtsvc.exe
3116	reviewCrtsvc.exe
1096	upfc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3116	reviewCrtsvc.exe
Token: SeDebugPrivilege	1096	upfc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 3648	2916	88ElUKogRKGiq.exe	86
PID 2916 wrote to memory of 3648	2916	88ElUKogRKGiq.exe	86
PID 2916 wrote to memory of 3648	2916	88ElUKogRKGiq.exe	86
PID 3648 wrote to memory of 1192	3648	WScript.exe	90
PID 3648 wrote to memory of 1192	3648	WScript.exe	90
PID 3648 wrote to memory of 1192	3648	WScript.exe	90
PID 1192 wrote to memory of 3116	1192	cmd.exe	92
PID 1192 wrote to memory of 3116	1192	cmd.exe	92
PID 3116 wrote to memory of 4228	3116	reviewCrtsvc.exe	118
PID 3116 wrote to memory of 4228	3116	reviewCrtsvc.exe	118
PID 4228 wrote to memory of 1996	4228	cmd.exe	120
PID 4228 wrote to memory of 1996	4228	cmd.exe	120
PID 4228 wrote to memory of 1096	4228	cmd.exe	121
PID 4228 wrote to memory of 1096	4228	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\88ElUKogRKGiq.exe
"C:\Users\Admin\AppData\Local\Temp\88ElUKogRKGiq.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\hyperBrowserBrokerHostdll\hqtgty6IfA4McJT.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\hyperBrowserBrokerHostdll\QZQrYx5okPQ1f3mC3Fq9VHqmR.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\hyperBrowserBrokerHostdll\reviewCrtsvc.exe
      "C:\hyperBrowserBrokerHostdll\reviewCrtsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ez8uV7NlQ7.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4228
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1996
      - C:\Program Files\Windows Portable Devices\upfc.exe
        
        "C:\Program Files\Windows Portable Devices\upfc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\My Documents\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\My Documents\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\Assets\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\Assets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\PrintDialog\Assets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ez8uV7NlQ7.bat

Filesize
215B

MD5
94da44a6ea71628197260b1467dae3d1

SHA1
b6afb1aae29297fcb61e6c506ef9ccfa51cc188e

SHA256
c76d35a46447530a8d8b20cae443f68a188d24c93771cb8e0f01e194bf7f226c

SHA512
2e6c9bea371312a3cc1a90e2e113aedeef611d83cda5e236d6574dec2c468d30f1ebd325730adf19ad1229f8d1dab5c7066217025849c2628f3c79824011ef11

Download Submit
C:\hyperBrowserBrokerHostdll\QZQrYx5okPQ1f3mC3Fq9VHqmR.bat

Filesize
47B

MD5
d67d10f75b7b4e28c503707953b32fb3

SHA1
6eaaf8c76c19aef7dd0df0845bed1f875f5f012d

SHA256
968eefb7861382be8c5f2cb8d9174862fd64bd021f9fcffa729c811dc458a762

SHA512
f02de49c0812fafd965fffa99fff8c380f8d08293742e8dd611b5cb4702797673c9ff9d60a0047b2b22574ea00618b995241ec6d977b8fe7a67e11d88282cf78

Download Submit
C:\hyperBrowserBrokerHostdll\hqtgty6IfA4McJT.vbe

Filesize
227B

MD5
84b41cd7fb87e8363ba0d99f69a603d5

SHA1
785000ebb18ea91e258d5519989dba717dea19fd

SHA256
cc3bfde414a2dc3ff114cd64e135853553a477cfd8eba0240e4b3ba36edc3029

SHA512
33c7b363a21cb1c4802012b007a42ec1566c7978b29f01233ba1365168478c00672749688d3c1a156816695ebc3eeeda98c48ac9b784b258580b32ad0175682e

Download Submit
C:\hyperBrowserBrokerHostdll\reviewCrtsvc.exe

Filesize
827KB

MD5
0ca5ff2ae7c8e10ad70a298713d4b1ac

SHA1
85c10fc211d92759b5782961ad31b536386d778b

SHA256
e071281f0960acaaf5ec5d8c1607355420ef969e1231b530659328b46d640ef5

SHA512
6c7fac54a64f1bf81413a5bed75086096be3308ae0d90e2d8def19819d88598389db2da9296b7231056acd95cc1dee5ff167798a830189684faafc401319291d

Download Submit
memory/3116-12-0x00007FF804C33000-0x00007FF804C35000-memory.dmp

Filesize
8KB

Download
memory/3116-13-0x0000000000D00000-0x0000000000DD6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads