dcrat | c2bd0a38a4cb588ce6810b40e587b0bc019d1806e963ead76a27e13de707787e

General

Target

blockcomponentbroker.exe
Size

315KB
MD5

54a9243a4fb9ac14e2b20d9e572d92ca
SHA1

a9a04900fcdb00eaeb1ddb785052416fe098f8d3
SHA256

c2bd0a38a4cb588ce6810b40e587b0bc019d1806e963ead76a27e13de707787e
SHA512

cdcb15c7b4a20149fb42ef58afe69267542c68cc514d386479952c5e7061b78a8c8d366ea66f64adf914e6b59bd899f3424dc81a086b694165d6f449ec771aac
SSDEEP

6144:Nhky2oo7KkpZv/gsOPOw891ZdjkxLv+vFRLH4qUdx7bvr9u:NT2N71jQsOwZdbLYXdxfZ

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 16 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2972	schtasks.exe
		1504	schtasks.exe
		2944	schtasks.exe
		2068	schtasks.exe
File created	C:\Windows\es-ES\42af1c969fbb7b		blockcomponentbroker.exe
		2220	schtasks.exe
		2880	schtasks.exe
		2140	schtasks.exe
		2512	schtasks.exe
		3040	schtasks.exe
		2908	schtasks.exe
		1964	schtasks.exe
		2924	schtasks.exe
		2788	schtasks.exe
		2012	schtasks.exe
		1196	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2372	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2372	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2372	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2372	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2372	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2372	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2372	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2372	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2372	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2372	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2372	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2372	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2372	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2372	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2372	schtasks.exe	30

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2060-1-0x0000000000D20000-0x0000000000D76000-memory.dmp	dcrat
behavioral1/memory/2316-15-0x00000000002C0000-0x0000000000316000-memory.dmp	dcrat
behavioral1/files/0x0005000000019643-18.dat	dcrat
behavioral1/memory/2988-27-0x0000000000870000-0x00000000008C6000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2988	lsm.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\lsm.exe	blockcomponentbroker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lsm.exe	blockcomponentbroker.exe
File created	C:\Program Files\VideoLAN\VLC\101b941d020240	blockcomponentbroker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\audiodg.exe	blockcomponentbroker.exe
File created	C:\Windows\es-ES\42af1c969fbb7b	blockcomponentbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3040	schtasks.exe
2220	schtasks.exe
2788	schtasks.exe
2512	schtasks.exe
2012	schtasks.exe
2140	schtasks.exe
2880	schtasks.exe
2972	schtasks.exe
1964	schtasks.exe
1504	schtasks.exe
2068	schtasks.exe
2924	schtasks.exe
2908	schtasks.exe
1196	schtasks.exe
2944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2060	blockcomponentbroker.exe
2316	blockcomponentbroker.exe
2988	lsm.exe
2988	lsm.exe
2988	lsm.exe
2988	lsm.exe
2988	lsm.exe
2988	lsm.exe
2988	lsm.exe
2988	lsm.exe
2988	lsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	blockcomponentbroker.exe
Token: SeDebugPrivilege	2316	blockcomponentbroker.exe
Token: SeDebugPrivilege	2988	lsm.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2816	2060	blockcomponentbroker.exe	40
PID 2060 wrote to memory of 2816	2060	blockcomponentbroker.exe	40
PID 2060 wrote to memory of 2816	2060	blockcomponentbroker.exe	40
PID 2816 wrote to memory of 2732	2816	cmd.exe	42
PID 2816 wrote to memory of 2732	2816	cmd.exe	42
PID 2816 wrote to memory of 2732	2816	cmd.exe	42
PID 2816 wrote to memory of 2316	2816	cmd.exe	44
PID 2816 wrote to memory of 2316	2816	cmd.exe	44
PID 2816 wrote to memory of 2316	2816	cmd.exe	44
PID 2316 wrote to memory of 1080	2316	blockcomponentbroker.exe	51
PID 2316 wrote to memory of 1080	2316	blockcomponentbroker.exe	51
PID 2316 wrote to memory of 1080	2316	blockcomponentbroker.exe	51
PID 1080 wrote to memory of 1924	1080	cmd.exe	53
PID 1080 wrote to memory of 1924	1080	cmd.exe	53
PID 1080 wrote to memory of 1924	1080	cmd.exe	53
PID 1080 wrote to memory of 2988	1080	cmd.exe	54
PID 1080 wrote to memory of 2988	1080	cmd.exe	54
PID 1080 wrote to memory of 2988	1080	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\blockcomponentbroker.exe
"C:\Users\Admin\AppData\Local\Temp\blockcomponentbroker.exe"
1⤵
- DcRat
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tLyJnF7XrG.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\blockcomponentbroker.exe
    "C:\Users\Admin\AppData\Local\Temp\blockcomponentbroker.exe"
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\omibxcOtOT.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1924
    - - C:\Program Files\VideoLAN\VLC\lsm.exe
        
        "C:\Program Files\VideoLAN\VLC\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe

Filesize
315KB

MD5
54a9243a4fb9ac14e2b20d9e572d92ca

SHA1
a9a04900fcdb00eaeb1ddb785052416fe098f8d3

SHA256
c2bd0a38a4cb588ce6810b40e587b0bc019d1806e963ead76a27e13de707787e

SHA512
cdcb15c7b4a20149fb42ef58afe69267542c68cc514d386479952c5e7061b78a8c8d366ea66f64adf914e6b59bd899f3424dc81a086b694165d6f449ec771aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\omibxcOtOT.bat

Filesize
202B

MD5
ec2288380bc95d645969d713e0fa5fef

SHA1
dbb683e14c91550eb90f813a6c098ddc53762747

SHA256
9358deb7bb7b78bc3dadbc4949f2e5732508cb3691abe301b21e64b31bf206ff

SHA512
99b1570096dfd3a55c0f2dc8172f88af7d8189be3c43baf0186924e8d0c958876f53f3fcd4cbbc28ea186f28779c62412f893e5a9f520e0ce5837a0b7152b819

Download Submit
C:\Users\Admin\AppData\Local\Temp\tLyJnF7XrG.bat

Filesize
223B

MD5
74db4314907446e9bf934eaebfa9bf40

SHA1
abffcc3bce41b2e5554879172657fc2bc00ab6d6

SHA256
505a8d2131f77ed4ae46568c245f880600e9c92be8c48442eef296829e5f9989

SHA512
22f92bebb144547a48507a126fa51c51b3ed56a93b2c055a86ca4fc57c78ce406456fa7f86778b73c540190b88474a99fd7d16ee3750e6a1abc0ae24d01699a4

Download Submit
memory/2060-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2060-1-0x0000000000D20000-0x0000000000D76000-memory.dmp

Filesize
344KB

Download
memory/2060-2-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2060-14-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-15-0x00000000002C0000-0x0000000000316000-memory.dmp

Filesize
344KB

Download
memory/2988-27-0x0000000000870000-0x00000000008C6000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads