dcrat | fff08a4d2f28a06068b3a440cf4c5ee8f30950af3345c80efcb05839be155f26

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 09:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

primodal_steam_module.exe
Size

3.1MB
MD5

4217d37a5cb59c1d14d636985cfec7ec
SHA1

132bd7f56db7c4849364df15ba8e2e6cc2b16205
SHA256

fff08a4d2f28a06068b3a440cf4c5ee8f30950af3345c80efcb05839be155f26
SHA512

126719d7ae54dcdbc2c47a16dc2797132c6f06c8959bf72254d27be3b3281dd0a61c71ceeb11930419389aee0dc017678045877212b54075299a51efe89b5d44
SSDEEP

98304:VbIQ07ABDx/k0cPAlrxvXeZpTcz4L+UbX5dS53:V50MBDx/r4ADvQOz4npd4

Score

10^/10

dcrat evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x00070000000233e3-10.dat	dcrat
behavioral2/memory/1900-13-0x0000000000AF0000-0x0000000000DD4000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	primodal_steam_module.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1900	discord.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	primodal_steam_module.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2236	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	discord.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 1716	4916	primodal_steam_module.exe	83
PID 4916 wrote to memory of 1716	4916	primodal_steam_module.exe	83
PID 4916 wrote to memory of 1716	4916	primodal_steam_module.exe	83
PID 1716 wrote to memory of 1212	1716	WScript.exe	86
PID 1716 wrote to memory of 1212	1716	WScript.exe	86
PID 1716 wrote to memory of 1212	1716	WScript.exe	86
PID 1212 wrote to memory of 1900	1212	cmd.exe	88
PID 1212 wrote to memory of 1900	1212	cmd.exe	88
PID 1212 wrote to memory of 2236	1212	cmd.exe	90
PID 1212 wrote to memory of 2236	1212	cmd.exe	90
PID 1212 wrote to memory of 2236	1212	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\primodal_steam_module.exe
"C:\Users\Admin\AppData\Local\Temp\primodal_steam_module.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\discord\s1YcuafMgFZcfjAcIZkCnl2ldkoG.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\discord\6hjim1XI6LHKwsRzcTW0H.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Users\Admin\AppData\Roaming\discord\discord.exe
      "C:\Users\Admin\AppData\Roaming\\discord\discord.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1900
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\discord\6hjim1XI6LHKwsRzcTW0H.bat

Filesize
144B

MD5
1c21369bf1354782eb9c430fc1351179

SHA1
06d6a05de2c90239fd34e5eef61748cf0817f109

SHA256
ef5c3a480c4fbb67d912fa95920a71bc8b556ec7d270aabe9985dfa379369ab5

SHA512
9e75859de45774157a9be88e7914a87d234dff6e4794fb25d4d8bb04f55f17d289213547ec7cf48170a3e3f9a7cb965969136b9885bbac9ce92e867edec75e18

Download Submit
C:\Users\Admin\AppData\Roaming\discord\discord.exe

Filesize
2.9MB

MD5
f6a2be982232660a4ef7923c9ea2a0f4

SHA1
49fd2c8a022c15d0286551fc81b2395e29079c7e

SHA256
db44adcc5a6919a3e2c56230a0b755ea6eb25cd9cfb4c7aceda76a9c3fad5fc2

SHA512
97e4dddd23a33ffb5678bc361ff00a8418cc3a6ce7ff86c1f76e29ecb4149f3fb1cb112fde77ab067a9fcda3ef46cfa2b9b6c2fbfc0d68371db34adf39b47284

Download Submit
C:\Users\Admin\AppData\Roaming\discord\s1YcuafMgFZcfjAcIZkCnl2ldkoG.vbe

Filesize
213B

MD5
882088368dcd0aeacfbd6ecb5c6a4bf5

SHA1
ceff64387f97e543cccf1d1967256c5709771006

SHA256
95a165aaa06147d9e24952f1f497ebcfee7edc8fec0c8dc86cc4da4a63d23b0b

SHA512
8e05bd8f2d14b6c7fd5f923ede83b723ff26f93dc9d21fa6d21e4a3e097f4472abbfe7554911a0ffa48a950ec421f5ac5077a9b9b044c73e5ab5ad442f6ef830

Download Submit
memory/1900-12-0x00007FFF77513000-0x00007FFF77515000-memory.dmp

Filesize
8KB

Download
memory/1900-13-0x0000000000AF0000-0x0000000000DD4000-memory.dmp

Filesize
2.9MB

Download
memory/1900-14-0x0000000002E50000-0x0000000002E5E000-memory.dmp

Filesize
56KB

Download