dcrat | 0295fc7acaed48393649e69a4a604a682afd9fa832d6c69ba5a0ed6f15471fe4

General

Target

xlib86.exe
Size

624KB
MD5

15d1f00d56be9a75ef838df7296fd36e
SHA1

eaecc49bebee74cd142af04ba5047acfc1c10db2
SHA256

0295fc7acaed48393649e69a4a604a682afd9fa832d6c69ba5a0ed6f15471fe4
SHA512

9f61f4350ef961b9ef29930f9fcfca0b756cb8fe1b48707b6be591cdfd71f1347996566bfb89cdb543ee39d2ad899019a7638429f340f6351d5043258933e437
SSDEEP

12288:URZ+IoG/n9IQxW3OBseUUT+tcYbga2N7O+WJu/Z9kBTdxFZA:u2G/nvxW3WieCga2LGMkLxFi

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	532	schtasks.exe	34

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000014510-9.dat	dcrat
behavioral1/memory/2448-13-0x0000000000B10000-0x0000000000B66000-memory.dmp	dcrat
behavioral1/memory/1888-32-0x00000000009D0000-0x0000000000A26000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2448	Bridgereviewruntime.exe
1888	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	cmd.exe
2416	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NetworkList\Icons\StockIcons\System.exe	Bridgereviewruntime.exe
File created	C:\Windows\SysWOW64\NetworkList\Icons\StockIcons\27d1bcfc3c54e0	Bridgereviewruntime.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\42af1c969fbb7b	Bridgereviewruntime.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\audiodg.exe	Bridgereviewruntime.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\csrss.exe	Bridgereviewruntime.exe
File created	C:\Windows\Globalization\886983d96e3d3e	Bridgereviewruntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xlib86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
872	schtasks.exe
1592	schtasks.exe
1068	schtasks.exe
876	schtasks.exe
2788	schtasks.exe
684	schtasks.exe
2856	schtasks.exe
1936	schtasks.exe
1640	schtasks.exe
1572	schtasks.exe
1408	schtasks.exe
2800	schtasks.exe
2844	schtasks.exe
2860	schtasks.exe
1944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2448	Bridgereviewruntime.exe
2448	Bridgereviewruntime.exe
2448	Bridgereviewruntime.exe
1888	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	Bridgereviewruntime.exe
Token: SeDebugPrivilege	1888	csrss.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2628	2032	xlib86.exe	28
PID 2032 wrote to memory of 2628	2032	xlib86.exe	28
PID 2032 wrote to memory of 2628	2032	xlib86.exe	28
PID 2032 wrote to memory of 2628	2032	xlib86.exe	28
PID 2628 wrote to memory of 2416	2628	WScript.exe	31
PID 2628 wrote to memory of 2416	2628	WScript.exe	31
PID 2628 wrote to memory of 2416	2628	WScript.exe	31
PID 2628 wrote to memory of 2416	2628	WScript.exe	31
PID 2416 wrote to memory of 2448	2416	cmd.exe	33
PID 2416 wrote to memory of 2448	2416	cmd.exe	33
PID 2416 wrote to memory of 2448	2416	cmd.exe	33
PID 2416 wrote to memory of 2448	2416	cmd.exe	33
PID 2448 wrote to memory of 2760	2448	Bridgereviewruntime.exe	50
PID 2448 wrote to memory of 2760	2448	Bridgereviewruntime.exe	50
PID 2448 wrote to memory of 2760	2448	Bridgereviewruntime.exe	50
PID 2760 wrote to memory of 2964	2760	cmd.exe	52
PID 2760 wrote to memory of 2964	2760	cmd.exe	52
PID 2760 wrote to memory of 2964	2760	cmd.exe	52
PID 2760 wrote to memory of 1888	2760	cmd.exe	53
PID 2760 wrote to memory of 1888	2760	cmd.exe	53
PID 2760 wrote to memory of 1888	2760	cmd.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\xlib86.exe
"C:\Users\Admin\AppData\Local\Temp\xlib86.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Surrogatewinhostmonitordhcp\pMePjNUURw4Ot6IwNhicgojYWDsEz7.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\Surrogatewinhostmonitordhcp\Som72M4dn0.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Roaming\Surrogatewinhostmonitordhcp\Bridgereviewruntime.exe
      "C:\Users\Admin\AppData\Roaming\Surrogatewinhostmonitordhcp\Bridgereviewruntime.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ngnld7v5x.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2964
      - C:\Windows\Globalization\csrss.exe
        
        "C:\Windows\Globalization\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\NetworkList\Icons\StockIcons\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SysWOW64\NetworkList\Icons\StockIcons\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\NetworkList\Icons\StockIcons\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Globalization\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6ngnld7v5x.bat

Filesize
199B

MD5
ef77b2cd6ff169eda200957cc933b2fc

SHA1
969f5bc1dd016b55885ff9344321f4236e04b1ed

SHA256
b9d27d988fddd28cfc9e5e50d830c7f841e0ba36d046d72090fc3e2d51234844

SHA512
a507bb8f52bfe0150417fc2908196b48fd7555f4abb6aa99ffec75f1d69cbccf04a2564d62cc858e5059c819f040474393b49073f4ea8c24d7b995a3aaa15086

Download Submit
C:\Users\Admin\AppData\Roaming\Surrogatewinhostmonitordhcp\Som72M4dn0.bat

Filesize
63B

MD5
6b7662b51c0f51c6fb049704e8036428

SHA1
57555e985661213fa76cdbca884d40a6a87f184f

SHA256
2474dbbe8882ad565c957c3fbee14970e5275a0dea4fa21f31196e2c68c08ff8

SHA512
0db65f64583eb9b4619fa0992f9d72aaad654eebe76b6a6a5174d3db97e9ed506e7f5ae3d7f56c9f2a110006e7c8617881759b2734d7ac72cc323065bf37167b

Download Submit
C:\Users\Admin\AppData\Roaming\Surrogatewinhostmonitordhcp\pMePjNUURw4Ot6IwNhicgojYWDsEz7.vbe

Filesize
222B

MD5
4c50c05f5f29b843d193aada8904def2

SHA1
7a2fda1bd825504e53778699cff394e8743135e0

SHA256
ca5ad7488b13ef487e396935d7c9fc873f57b5e0a704ca1c8a62e12cab603b3f

SHA512
2acd62e4969c79158a549e98049f4f16b23f4935d1c738eac28fbdcf438c37d9898e851a70b95e6cc370af4f4358e76305de5becb0f629c90060cf60f8742893

Download Submit
\Users\Admin\AppData\Roaming\Surrogatewinhostmonitordhcp\Bridgereviewruntime.exe

Filesize
315KB

MD5
2a5bed825656944c96823365a6b3088a

SHA1
b7a6e72fec28e495ffd3abe97d6816b12dbf1b93

SHA256
09014ace13041938006ef68e2a5d62f744ad5ccec26c253c3e2cd760cc6d9bc2

SHA512
284f82c27dd9add34ac9981b9ff69e3b3e58dd3fe5f1840170df906e1be3e2db7264505749471cfc2a0b911b1d09db6a9d142bd3e0870511d383ba50e4b1a42e

Download Submit
memory/1888-32-0x00000000009D0000-0x0000000000A26000-memory.dmp

Filesize
344KB

Download
memory/2448-13-0x0000000000B10000-0x0000000000B66000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads