Analysis
-
max time kernel
137s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
12-06-2024 19:27
Static task
static1
Behavioral task
behavioral1
Sample
DCRat by C3lestial.fun.rar
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
DCRat by C3lestial.fun.rar
Resource
win10v2004-20240226-en
General
-
Target
DCRat by C3lestial.fun.rar
-
Size
33.5MB
-
MD5
3112a622ece7c44b53c87e949af1ddd5
-
SHA1
a770bef606f2ca9927a9500c20bdbf77cc0fc820
-
SHA256
94e6c2037598e41f66f734e1e1e0934c1a167f5a9825d221dcc7c8dbdaaca6ff
-
SHA512
6b5ded758418832c45c5c5273ddea5cc1a92c466a50289f9920b2d781f0de55199582ab4667e35155a592cd786f1498bf8c8199bf59212c13ae4ae6cee646139
-
SSDEEP
786432:7gF2TX5HO7SWzCzw2HjIDuaMivz67rEhebp02lUrSRPTz+:G2TX5O79Wz9w2IzfAb0rSRP2
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings cmd.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeRestorePrivilege 3168 7zFM.exe Token: 35 3168 7zFM.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3168 7zFM.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 452 wrote to memory of 3168 452 cmd.exe 92 PID 452 wrote to memory of 3168 452 cmd.exe 92
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\DCRat by C3lestial.fun.rar"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\DCRat by C3lestial.fun.rar"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:81⤵PID:4940