Analysis Overview
SHA256
85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867
Threat Level: Known bad
The file 85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867 was found to be: Known bad.
Malicious Activity Summary
DcRat
DCRat payload
Checks computer location settings
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-19 12:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-19 12:58
Reported
2023-11-19 13:00
Platform
win7-20231025-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
DcRat
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Yammi_Loader.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2924 set thread context of 2860 | N/A | C:\Yammi_Loader.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe
"C:\Users\Admin\AppData\Local\Temp\85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe"
C:\Yammi_Loader.exe
"C:\Yammi_Loader.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\n34s4lmFbW.bat" "
C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232161cm.nyashtyan.top | udp |
| US | 188.114.96.0:80 | 232161cm.nyashtyan.top | tcp |
| US | 188.114.96.0:80 | 232161cm.nyashtyan.top | tcp |
Files
C:\Yammi_Loader.exe
| MD5 | c91f1703dc916f794558bf40b5eab38a |
| SHA1 | c020666495cb42db82515abae7cf35ca419636e9 |
| SHA256 | 7bb4158925b3b225dbc69d2befa9cd3f9afe5ef6cf71fb581879e9df5659c5b6 |
| SHA512 | e345c1b4c4249cb8bc69d661564bfe9da8ee860f23e48d10d09256cd215483caf5b144040d490d43846d70e8e872b8b730dc134eda357a4e2a80991a435a6699 |
C:\Yammi_Loader.exe
| MD5 | c91f1703dc916f794558bf40b5eab38a |
| SHA1 | c020666495cb42db82515abae7cf35ca419636e9 |
| SHA256 | 7bb4158925b3b225dbc69d2befa9cd3f9afe5ef6cf71fb581879e9df5659c5b6 |
| SHA512 | e345c1b4c4249cb8bc69d661564bfe9da8ee860f23e48d10d09256cd215483caf5b144040d490d43846d70e8e872b8b730dc134eda357a4e2a80991a435a6699 |
memory/2860-14-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2860-15-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2860-16-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2860-17-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2860-18-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2860-19-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2860-21-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2860-23-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2860-24-0x00000000748B0000-0x0000000074F9E000-memory.dmp
memory/2860-25-0x0000000004BD0000-0x0000000004C10000-memory.dmp
memory/2860-26-0x0000000000980000-0x000000000099C000-memory.dmp
memory/2860-27-0x00000000009A0000-0x00000000009B6000-memory.dmp
memory/2860-28-0x00000000009C0000-0x00000000009CE000-memory.dmp
memory/2860-29-0x00000000748B0000-0x0000000074F9E000-memory.dmp
memory/2860-47-0x0000000004BD0000-0x0000000004C10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\n34s4lmFbW.bat
| MD5 | c49a2e8de0f6d8a14ac8804c605bef75 |
| SHA1 | c7b69325d296a310cab7d3e09e837a46f69dfd59 |
| SHA256 | b874ed4c85d7f4743a92d3fca2472f1c800092002a80f4be4c58ad200f781d57 |
| SHA512 | 5b639cfa6440546ddfc4df556f5f0acec13ea2876ded99259386181b11046db0a3d00ca9c034845894eeede00de843ad96441c9f2004a01e67d34d036197b177 |
C:\Users\Admin\AppData\Local\Temp\n34s4lmFbW.bat
| MD5 | c49a2e8de0f6d8a14ac8804c605bef75 |
| SHA1 | c7b69325d296a310cab7d3e09e837a46f69dfd59 |
| SHA256 | b874ed4c85d7f4743a92d3fca2472f1c800092002a80f4be4c58ad200f781d57 |
| SHA512 | 5b639cfa6440546ddfc4df556f5f0acec13ea2876ded99259386181b11046db0a3d00ca9c034845894eeede00de843ad96441c9f2004a01e67d34d036197b177 |
memory/2860-59-0x00000000748B0000-0x0000000074F9E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-19 12:58
Reported
2023-11-19 13:00
Platform
win10v2004-20231023-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
DcRat
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Yammi_Loader.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4436 set thread context of 1404 | N/A | C:\Yammi_Loader.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe
"C:\Users\Admin\AppData\Local\Temp\85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe"
C:\Yammi_Loader.exe
"C:\Yammi_Loader.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQmJXtxcMW.bat" "
C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232161cm.nyashtyan.top | udp |
| US | 188.114.96.0:80 | 232161cm.nyashtyan.top | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 188.114.96.0:80 | 232161cm.nyashtyan.top | tcp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
C:\Yammi_Loader.exe
| MD5 | c91f1703dc916f794558bf40b5eab38a |
| SHA1 | c020666495cb42db82515abae7cf35ca419636e9 |
| SHA256 | 7bb4158925b3b225dbc69d2befa9cd3f9afe5ef6cf71fb581879e9df5659c5b6 |
| SHA512 | e345c1b4c4249cb8bc69d661564bfe9da8ee860f23e48d10d09256cd215483caf5b144040d490d43846d70e8e872b8b730dc134eda357a4e2a80991a435a6699 |
C:\Yammi_Loader.exe
| MD5 | c91f1703dc916f794558bf40b5eab38a |
| SHA1 | c020666495cb42db82515abae7cf35ca419636e9 |
| SHA256 | 7bb4158925b3b225dbc69d2befa9cd3f9afe5ef6cf71fb581879e9df5659c5b6 |
| SHA512 | e345c1b4c4249cb8bc69d661564bfe9da8ee860f23e48d10d09256cd215483caf5b144040d490d43846d70e8e872b8b730dc134eda357a4e2a80991a435a6699 |
C:\Yammi_Loader.exe
| MD5 | c91f1703dc916f794558bf40b5eab38a |
| SHA1 | c020666495cb42db82515abae7cf35ca419636e9 |
| SHA256 | 7bb4158925b3b225dbc69d2befa9cd3f9afe5ef6cf71fb581879e9df5659c5b6 |
| SHA512 | e345c1b4c4249cb8bc69d661564bfe9da8ee860f23e48d10d09256cd215483caf5b144040d490d43846d70e8e872b8b730dc134eda357a4e2a80991a435a6699 |
memory/1404-11-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/1404-12-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/1404-13-0x0000000005280000-0x0000000005290000-memory.dmp
memory/1404-14-0x0000000005DB0000-0x0000000006354000-memory.dmp
memory/1404-15-0x0000000005950000-0x000000000596C000-memory.dmp
memory/1404-16-0x0000000005B30000-0x0000000005B80000-memory.dmp
memory/1404-17-0x0000000005980000-0x0000000005996000-memory.dmp
memory/1404-18-0x0000000005B00000-0x0000000005B0E000-memory.dmp
memory/1404-19-0x0000000005BF0000-0x0000000005C56000-memory.dmp
memory/1404-20-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/1404-21-0x0000000005280000-0x0000000005290000-memory.dmp
memory/1404-22-0x0000000006860000-0x00000000068F2000-memory.dmp
memory/1404-55-0x0000000074FD0000-0x0000000075780000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CQmJXtxcMW.bat
| MD5 | 526df9a4c49c13cec115cd7fa6ebc1b1 |
| SHA1 | 035f0ef8d044066770fc028431a6e27ad17acd08 |
| SHA256 | 4a081a9b6ccbd4349954c2145a08cf7ff0ff07c267c3250e1c024150fc77258c |
| SHA512 | eb8c626af8559d083a223892c7b7d283a18f433737021bfbcc71e93944e9b736bd716540acdc6f84f98c950df59512e71857734560f8c76b14d7b80daba87790 |