dcrat | 0c240b2768116ef0f03af241b177004e5e456ed9039744c8619956d0c960d31e

General

Target

RobloxVersionFix.exe
Size

1.7MB
MD5

c4ecabd9a15748628acdb4eabe1f5733
SHA1

2abc8d0b03faae2a3dfbb5b3ace7bb049a895a49
SHA256

0c240b2768116ef0f03af241b177004e5e456ed9039744c8619956d0c960d31e
SHA512

9d673547d7369a18f9254f1b73ea33aadb51e6c84da8c6de84f5fe0bd7e3813778f980ea6646ff32d1b981bc56c8751acfa877025cb835088ec72c2bea24e687
SSDEEP

24576:h2G/nvxW3W70w+LhSRJVv14LegEY2nac1VbECN8Bz5jftyrp9+CA:hbA3pw+eJJ4pzZtU+

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	3796	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3796	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	3796	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	3796	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	3796	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	3796	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	3796	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	3796	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	3796	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	3796	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	3796	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3796	schtasks.exe	93

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000b000000023f6a-10.dat	dcrat
behavioral2/memory/1508-13-0x0000000000F60000-0x00000000010A0000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	RobloxVersionFix.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	surrogateproviderSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 2 IoCs

pid	Process
1508	surrogateproviderSvc.exe
1168	RuntimeBroker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	ipinfo.io
34	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxVersionFix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	RobloxVersionFix.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	surrogateproviderSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3172	schtasks.exe
4332	schtasks.exe
4208	schtasks.exe
5068	schtasks.exe
4492	schtasks.exe
4468	schtasks.exe
2028	schtasks.exe
536	schtasks.exe
4800	schtasks.exe
2192	schtasks.exe
4660	schtasks.exe
2424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1508	surrogateproviderSvc.exe
1508	surrogateproviderSvc.exe
1508	surrogateproviderSvc.exe
1508	surrogateproviderSvc.exe
1508	surrogateproviderSvc.exe
1508	surrogateproviderSvc.exe
1508	surrogateproviderSvc.exe
1168	RuntimeBroker.exe
1168	RuntimeBroker.exe
1168	RuntimeBroker.exe
1168	RuntimeBroker.exe
1168	RuntimeBroker.exe
1168	RuntimeBroker.exe
1168	RuntimeBroker.exe
1168	RuntimeBroker.exe
1168	RuntimeBroker.exe
1168	RuntimeBroker.exe
1168	RuntimeBroker.exe
1168	RuntimeBroker.exe
1168	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1168	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	surrogateproviderSvc.exe
Token: SeDebugPrivilege	1168	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 3668	456	RobloxVersionFix.exe	88
PID 456 wrote to memory of 3668	456	RobloxVersionFix.exe	88
PID 456 wrote to memory of 3668	456	RobloxVersionFix.exe	88
PID 3668 wrote to memory of 4648	3668	WScript.exe	95
PID 3668 wrote to memory of 4648	3668	WScript.exe	95
PID 3668 wrote to memory of 4648	3668	WScript.exe	95
PID 4648 wrote to memory of 1508	4648	cmd.exe	97
PID 4648 wrote to memory of 1508	4648	cmd.exe	97
PID 1508 wrote to memory of 3096	1508	surrogateproviderSvc.exe	111
PID 1508 wrote to memory of 3096	1508	surrogateproviderSvc.exe	111
PID 3096 wrote to memory of 3716	3096	cmd.exe	113
PID 3096 wrote to memory of 3716	3096	cmd.exe	113
PID 3096 wrote to memory of 1168	3096	cmd.exe	115
PID 3096 wrote to memory of 1168	3096	cmd.exe	115
PID 1168 wrote to memory of 756	1168	RuntimeBroker.exe	116
PID 1168 wrote to memory of 756	1168	RuntimeBroker.exe	116
PID 1168 wrote to memory of 4956	1168	RuntimeBroker.exe	117
PID 1168 wrote to memory of 4956	1168	RuntimeBroker.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RobloxVersionFix.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxVersionFix.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\DriverbrokerCrt\MlPmIZTueRfhTMCPi.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\DriverbrokerCrt\8os3Em7t.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\DriverbrokerCrt\surrogateproviderSvc.exe
      "C:\DriverbrokerCrt\surrogateproviderSvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nw9x68jjIH.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3096
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3716
      - C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fef009b-5f95-4c7e-bff9-33e042c1837a.vbs"
        7⤵
        
        PID:756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c96ff63-cfc4-445e-90f4-589b2f09795c.vbs"
        7⤵
        
        PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\0154351536fc379faee1\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\0154351536fc379faee1\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\0154351536fc379faee1\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\DriverbrokerCrt\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\DriverbrokerCrt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\DriverbrokerCrt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DriverbrokerCrt\8os3Em7t.bat

Filesize
45B

MD5
8405523b77e502a8c914dc70b892f108

SHA1
2e861fbbb6d8c0c8d8202ffb465910daf421d731

SHA256
4dd3dbaedd2a4d877343c570eddc9e12cfa97e448ae2592cc935e3f01f425634

SHA512
1a08c548af62031afe3dd82acfd33d9334c97c5bd50d2e23e44bd327ad35f952124679c0be0adbc8848cb3ca659928767aba0ebaebee8f7a1f1b8d748a5330fe

Download Submit
C:\DriverbrokerCrt\MlPmIZTueRfhTMCPi.vbe

Filesize
200B

MD5
60c621e78018ae32d80ea7b1b1343f33

SHA1
cb52f961012f10d4b680155e6a6126cda3335f3e

SHA256
247abbd47f1a493ccbf109422cbba67f78a58dbe2866a2fad50899f18975b1bb

SHA512
9eca5dd5f44a01cfce920158599b3494b147ccbbc32d459488399917f9fcf3e0c87b54f63df61c5bca2dbc9ddde68aa11450fdc11e4945c02f56f118ec45003d

Download Submit
C:\DriverbrokerCrt\surrogateproviderSvc.exe

Filesize
1.2MB

MD5
b5badb070116d5e8125017ad9499762f

SHA1
9014974312328c23b2c5042ab83a12bf6f5da5a6

SHA256
7446c50c8697e9194564a0764f981ef475736a7dfbbc7ef10ed641c4d5e11cba

SHA512
86befc275da13cb4b7d00798883fcf65b07557d4c599da962573e5169e79126b1597997181961c5fb1a449dcc0210824d6583e654aef2879ba1dad6d4b89bc88

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c96ff63-cfc4-445e-90f4-589b2f09795c.vbs

Filesize
491B

MD5
dfb5c0bb8ec5d11edb53cf07ac3125f4

SHA1
1f3ed2c8651686fe9364dbdd7afbcde293fbcb9f

SHA256
6d1d00842825a63e889961305f074c8458d38b4d2971e1dc82abea9bb7b91364

SHA512
9d647ae0f0b29ff9a5b693ca9acffb15c372ceeef5e9e37188bc04b72a66c5f7b2fc4d3327b9603ec12ab837f76d6bcfefce454ce769aead6dfb303b970a9137

Download Submit
C:\Users\Admin\AppData\Local\Temp\6fef009b-5f95-4c7e-bff9-33e042c1837a.vbs

Filesize
715B

MD5
346109717b2b4b44e08e1419f637c23f

SHA1
bc9638cfb3e3b46c5e0b0c21b28c024a25ea91b3

SHA256
0f6f5c0679c0dcb4967eb8e754c70ca90d5607ad6d848effa5a89e4d9931bb94

SHA512
4760dabfeb41dcfb0c86fa0562e756b5aa5e3ee7074dbecea75c72de99f3c773d4221b65332b25b5e570cbab7fd87a84c0b2aac92df090714e4d7af69e633a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nw9x68jjIH.bat

Filesize
204B

MD5
66b004467e85759bee79a168a7e7bcc7

SHA1
62771b8a037f749f607715a7bc76edbd721c0f43

SHA256
05692ea970e8e6a894ac1910e13bb55e4333993bb643ec9a45817a66b1ad0c4b

SHA512
fd1ad039af80c34a95bc09f770ade655f252794374503a79028ccd8049f272756e5be27426dea438675d9649734fdef1ae245de83e1b19736b94dc0656717638

Download Submit
memory/1508-14-0x000000001BB90000-0x000000001BBAC000-memory.dmp

Filesize
112KB

Download
memory/1508-16-0x000000001BBB0000-0x000000001BBC6000-memory.dmp

Filesize
88KB

Download
memory/1508-18-0x000000001BBD0000-0x000000001BBDE000-memory.dmp

Filesize
56KB

Download
memory/1508-17-0x0000000003260000-0x000000000326A000-memory.dmp

Filesize
40KB

Download
memory/1508-15-0x000000001BD30000-0x000000001BD80000-memory.dmp

Filesize
320KB

Download
memory/1508-13-0x0000000000F60000-0x00000000010A0000-memory.dmp

Filesize
1.2MB

Download
memory/1508-12-0x00007FF837473000-0x00007FF837475000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads