dcrat | dd16f7cc4746193b2976567db0d2d584a5027ee7a84532a0d937b55ab1a6b8a6

General

Target

90e289ec47b4928d52b7112812a02814.exe
Size

1.2MB
MD5

90e289ec47b4928d52b7112812a02814
SHA1

f557de05746d7c22664c5919269c4ba508633887
SHA256

dd16f7cc4746193b2976567db0d2d584a5027ee7a84532a0d937b55ab1a6b8a6
SHA512

214400ce98489b7ca011b12aca9c85a12d15f774d4a12c2c42d0a8203db4104b6d12f5c3b02ba269b1a719ffcd75e0c85c347248e3384f6bc39ec553bb89bba2
SSDEEP

24576:qzQllN3bTfSMnKX/gdJ9FMdoV2LQB9adKOVSpKKoCPD:vtzaCBUdKUSpKde

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1260	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2272-1-0x00000000011F0000-0x0000000001332000-memory.dmp	dcrat
behavioral1/files/0x0009000000016d22-21.dat	dcrat
behavioral1/memory/1976-23-0x00000000011E0000-0x0000000001322000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1976	spoolsv.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\dwm.exe	90e289ec47b4928d52b7112812a02814.exe
File created	C:\Program Files\Google\6cb0b6c459d5d3	90e289ec47b4928d52b7112812a02814.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe	90e289ec47b4928d52b7112812a02814.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\b75386f1303e64	90e289ec47b4928d52b7112812a02814.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Migration\WTR\spoolsv.exe	90e289ec47b4928d52b7112812a02814.exe
File created	C:\Windows\Migration\WTR\f3b6ecef712a24	90e289ec47b4928d52b7112812a02814.exe
File created	C:\Windows\Migration\WTR\spoolsv.exe	90e289ec47b4928d52b7112812a02814.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2696	schtasks.exe
2824	schtasks.exe
2384	schtasks.exe
2512	schtasks.exe
1804	schtasks.exe
2836	schtasks.exe
2728	schtasks.exe
2076	schtasks.exe
2636	schtasks.exe
2584	schtasks.exe
3008	schtasks.exe
2784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2272	90e289ec47b4928d52b7112812a02814.exe
1976	spoolsv.exe
1976	spoolsv.exe
1976	spoolsv.exe
1976	spoolsv.exe
1976	spoolsv.exe
1976	spoolsv.exe
1976	spoolsv.exe
1976	spoolsv.exe
1976	spoolsv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1976	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	90e289ec47b4928d52b7112812a02814.exe
Token: SeDebugPrivilege	1976	spoolsv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2996	2272	90e289ec47b4928d52b7112812a02814.exe	43
PID 2272 wrote to memory of 2996	2272	90e289ec47b4928d52b7112812a02814.exe	43
PID 2272 wrote to memory of 2996	2272	90e289ec47b4928d52b7112812a02814.exe	43
PID 2996 wrote to memory of 2396	2996	cmd.exe	45
PID 2996 wrote to memory of 2396	2996	cmd.exe	45
PID 2996 wrote to memory of 2396	2996	cmd.exe	45
PID 2996 wrote to memory of 1976	2996	cmd.exe	47
PID 2996 wrote to memory of 1976	2996	cmd.exe	47
PID 2996 wrote to memory of 1976	2996	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\90e289ec47b4928d52b7112812a02814.exe
"C:\Users\Admin\AppData\Local\Temp\90e289ec47b4928d52b7112812a02814.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oenbPsVKIi.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2396
- - C:\Users\All Users\Desktop\spoolsv.exe
    "C:\Users\All Users\Desktop\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oenbPsVKIi.bat

Filesize
203B

MD5
199729b57287e5f8d4e97c8d66a43d40

SHA1
5ead7daf8f9ea53d1d1552ee6da6e100c4cea5fa

SHA256
c9c1a92a7a27706526869c549645033a80a835b99b8bb834f0e0c311d361a622

SHA512
292db502d7f49b97e54814cc0f74646ca63886c9d8f8041c028597d67920ceba08f18a3c28b16aaa5e6ee56717d5a53efe2ed4b025901f4e2d052cd0103ca241

Download Submit
C:\Users\All Users\Desktop\spoolsv.exe

Filesize
1.2MB

MD5
90e289ec47b4928d52b7112812a02814

SHA1
f557de05746d7c22664c5919269c4ba508633887

SHA256
dd16f7cc4746193b2976567db0d2d584a5027ee7a84532a0d937b55ab1a6b8a6

SHA512
214400ce98489b7ca011b12aca9c85a12d15f774d4a12c2c42d0a8203db4104b6d12f5c3b02ba269b1a719ffcd75e0c85c347248e3384f6bc39ec553bb89bba2

Download Submit
memory/1976-23-0x00000000011E0000-0x0000000001322000-memory.dmp

Filesize
1.3MB

Download
memory/2272-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

Filesize
4KB

Download
memory/2272-1-0x00000000011F0000-0x0000000001332000-memory.dmp

Filesize
1.3MB

Download
memory/2272-2-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2272-3-0x0000000000140000-0x000000000014E000-memory.dmp

Filesize
56KB

Download
memory/2272-4-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/2272-5-0x0000000000500000-0x0000000000516000-memory.dmp

Filesize
88KB

Download
memory/2272-6-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2272-19-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads