Malware Analysis Report

2024-10-10 12:59

Sample ID 240603-lyf9aabh92
Target MidNight.exe
SHA256 8625bac45cf93d62d4c08984e823d0ec34fed5a51bde0c63436a61020f3122e2
Tags dcrat infostealer rat
Score 10/10

Analysis Overview

Score 10/10

SHA256 8625bac45cf93d62d4c08984e823d0ec34fed5a51bde0c63436a61020f3122e2

Threat Level: Known bad

The file MidNight.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

Dcrat family

DCRat payload

DcRat

DCRat payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-03 09:56

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-03 09:56

Reported 2024-06-03 09:58

Platform win10v2004-20240226-en

Max time kernel 137s

Max time network 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MidNight.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MidNight.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\msWebcrt\hypernetSvc.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\MidNight.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\msWebcrt\hypernetSvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MidNight.exe

"C:\Users\Admin\AppData\Local\Temp\MidNight.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\msWebcrt\j5B0Zv2VKfqCh87UmxeVZFHdIBf3R.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\msWebcrt\qeI37R9jqNEWER2rJ1OW.bat" "

C:\msWebcrt\hypernetSvc.exe

"C:\msWebcrt\hypernetSvc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp

Files

C:\msWebcrt\j5B0Zv2VKfqCh87UmxeVZFHdIBf3R.vbe

MD5 1d14631e794f6e62ec6e6376674b4ab8
SHA1 dc15ec0efb44f158894b7b8d775ba40975ce09b9
SHA256 0d37c11570801b9a3e4d30968f495cd8bf8179484652e3d9a533a8363c84caf4
SHA512 ace5a99b404c69a2ed14b4474bbf5ab63d3734509f15b163d96184d869856bbda79ff087c1b3afa3ba0f8b4408952243bd9765a923cfa878fb924071dbefe2c1

C:\msWebcrt\qeI37R9jqNEWER2rJ1OW.bat

MD5 6b91012ca4c1019318ee326326c46fb2
SHA1 14a6198184d9c83bab59549c946944c277c48a58
SHA256 e382160e56560cbb5e5ff4804a647c8a636e934d084f1dc59247777d441b1f9d
SHA512 d50ea25f4d2a45de14e0ac4e65cc93238cbccd8474017735feb27084bb2d5304353ea29c425ec1e7797b5974cf54c3903bf08a4a59f008e400cdbec3849a9d5a

C:\msWebcrt\hypernetSvc.exe

MD5 0706a0530b74621568a8b30336ae4fd2
SHA1 3d029f79743dddc1716fc23da0d942cb9f0cfc84
SHA256 209fc27eeefcc1d05894fabc7f4fd3d585ff14686f768730beb927ac748121ef
SHA512 a9d77e1ebd9567e7d59ef1d1ddda1e38228e087197bcde46de0c11b857d7841c140fee7bca8be868d2105b9e0268cb4845df72001ce97b319c90a0e3b46a9c94

memory/5116-12-0x00007FFA05633000-0x00007FFA05635000-memory.dmp

memory/5116-13-0x0000000000230000-0x000000000038E000-memory.dmp

memory/5116-14-0x0000000002460000-0x000000000246E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-03 09:56

Reported 2024-06-03 09:58

Platform win7-20240221-en

Max time kernel 118s

Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MidNight.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\msWebcrt\hypernetSvc.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\msWebcrt\hypernetSvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MidNight.exe

"C:\Users\Admin\AppData\Local\Temp\MidNight.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\msWebcrt\j5B0Zv2VKfqCh87UmxeVZFHdIBf3R.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\msWebcrt\qeI37R9jqNEWER2rJ1OW.bat" "

C:\msWebcrt\hypernetSvc.exe

"C:\msWebcrt\hypernetSvc.exe"

Network

N/A

Files

C:\msWebcrt\j5B0Zv2VKfqCh87UmxeVZFHdIBf3R.vbe

MD5 1d14631e794f6e62ec6e6376674b4ab8
SHA1 dc15ec0efb44f158894b7b8d775ba40975ce09b9
SHA256 0d37c11570801b9a3e4d30968f495cd8bf8179484652e3d9a533a8363c84caf4
SHA512 ace5a99b404c69a2ed14b4474bbf5ab63d3734509f15b163d96184d869856bbda79ff087c1b3afa3ba0f8b4408952243bd9765a923cfa878fb924071dbefe2c1

C:\msWebcrt\qeI37R9jqNEWER2rJ1OW.bat

MD5 6b91012ca4c1019318ee326326c46fb2
SHA1 14a6198184d9c83bab59549c946944c277c48a58
SHA256 e382160e56560cbb5e5ff4804a647c8a636e934d084f1dc59247777d441b1f9d
SHA512 d50ea25f4d2a45de14e0ac4e65cc93238cbccd8474017735feb27084bb2d5304353ea29c425ec1e7797b5974cf54c3903bf08a4a59f008e400cdbec3849a9d5a

C:\msWebcrt\hypernetSvc.exe

MD5 0706a0530b74621568a8b30336ae4fd2
SHA1 3d029f79743dddc1716fc23da0d942cb9f0cfc84
SHA256 209fc27eeefcc1d05894fabc7f4fd3d585ff14686f768730beb927ac748121ef
SHA512 a9d77e1ebd9567e7d59ef1d1ddda1e38228e087197bcde46de0c11b857d7841c140fee7bca8be868d2105b9e0268cb4845df72001ce97b319c90a0e3b46a9c94

memory/2652-13-0x0000000000D90000-0x0000000000EEE000-memory.dmp

memory/2652-14-0x00000000002C0000-0x00000000002CE000-memory.dmp