Analysis Overview
SHA256: 2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784
Threat Level: Known bad
The file 3ca68b395e2d0e4f88d7b99475c51c02.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
DCRat payload
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
| --- | --- |
| Reported | 2024-06-17 08:46 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-06-17 08:46 |
| Reported | 2024-06-17 08:48 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 147s |
| Max time network | 151s |
Command Line
Signatures
DcRat
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ca68b395e2d0e4f88d7b99475c51c02.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gamensens.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gamensens.exe | N/A |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\gamensens.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\chainContainercommon\portCommon.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\3ca68b395e2d0e4f88d7b99475c51c02.exe | "C:\Users\Admin\AppData\Local\Temp\3ca68b395e2d0e4f88d7b99475c51c02.exe" |
| C:\Users\Admin\AppData\Local\Temp\gamensens.exe | "C:\Users\Admin\AppData\Local\Temp\gamensens.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\chainContainercommon\hyAsInvxuhczEnY.vbe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\chainContainercommon\Q0ssMcT3ezpnIpNbD4.bat" " |
| C:\chainContainercommon\portCommon.exe | "C:\chainContainercommon\portCommon.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a0987400.xsph.ru | udp |
| US | 8.8.8.8:53 | a0987400.xsph.ru | udp |
Files
memory/5064-0-0x00007FFB52013000-0x00007FFB52015000-memory.dmp
memory/5064-1-0x0000000000B70000-0x00000000011D2000-memory.dmp
memory/5064-2-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gamensens.exe
| Hash | Value |
| --- | --- |
| MD5 | a17bef36ed672305f87c5d4ce04e01ff |
| SHA1 | 0c02658f9da0ac19610e6e2779e3e79c3bf0866b |
| SHA256 | 6f0d043a76c2703e65275846d206470861c500a9175a75725ca57e1c37a30069 |
| SHA512 | a8d1533faac58e86ff470bd0c51bbb48174244608343399d6173ac6ae89e7bfbc060791b549ed3a072b1080a74c5a04c149781c379bacffc7c1a2174cfc6e62f |
memory/5064-12-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp
C:\chainContainercommon\hyAsInvxuhczEnY.vbe
| Hash | Value |
| --- | --- |
| MD5 | e9362622997cc2b8393c002170007268 |
| SHA1 | af1ab7de2f514a68b3f5c9b4d6e7365ae81389cf |
| SHA256 | 39137e0327e39148e90c60f9d1a53ed28a9968b63f6e475fa4d0d8ef196f3197 |
| SHA512 | b92d853982111fdbaebdc01af7292d5a843eac0c4499f62991c9739d2b19da3cc74ffc0bebccbe4bc414d927bf028d8fffe785eefcc467029c408abc2a3170a3 |
C:\chainContainercommon\Q0ssMcT3ezpnIpNbD4.bat
| Hash | Value |
| --- | --- |
| MD5 | 607be2f3113847991a86a4eb185e0a9c |
| SHA1 | 15fb977abc10846ab794fea18f6e928c29b58574 |
| SHA256 | 4143d93fefe8e68ad77d7d465d3b4894590c55dd37fd2c2ccb96018543799ae8 |
| SHA512 | 2848857fc7e48eca77e38c6d5ac32b430f1496a843d857e5f29b3eb5f4af834ef0834046c71f540aba10915d4e5f8103155092db09848f665902c3ce267d54c4 |
C:\chainContainercommon\portCommon.exe
| Hash | Value |
| --- | --- |
| MD5 | 7fdd5e97b846125276affa53ff280c55 |
| SHA1 | 5e9233ce22752c6ada3c2f6749d9323e03877baf |
| SHA256 | 04c030043cd5da98ac97fe3201c53fe5089e6db33de88e7e49dab2c2b74085db |
| SHA512 | cd4b587f418b7a8fccdab90c59ab2bd1bf76d34ba7eb5158a703dbfcea53f04c12782c87664683a82341f61049d50b6f6756b2520b1c0982e602a4a8b49a264c |
memory/1076-26-0x0000000000360000-0x0000000000436000-memory.dmp
Analysis: behavioral1
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-06-17 08:46 |
| Reported | 2024-06-17 08:48 |
| Platform | win7-20240220-en |
| Max time kernel | 129s |
| Max time network | 147s |
Command Line
Signatures
DcRat
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gamensens.exe | N/A |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\chainContainercommon\portCommon.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\3ca68b395e2d0e4f88d7b99475c51c02.exe | "C:\Users\Admin\AppData\Local\Temp\3ca68b395e2d0e4f88d7b99475c51c02.exe" |
| C:\Users\Admin\AppData\Local\Temp\gamensens.exe | "C:\Users\Admin\AppData\Local\Temp\gamensens.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\chainContainercommon\hyAsInvxuhczEnY.vbe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\chainContainercommon\Q0ssMcT3ezpnIpNbD4.bat" " |
| C:\chainContainercommon\portCommon.exe | "C:\chainContainercommon\portCommon.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | a0987400.xsph.ru | udp |
| RU | 141.8.194.149:80 | a0987400.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0987400.xsph.ru | tcp |
| RU | 141.8.194.149:80 | a0987400.xsph.ru | tcp |
Files
memory/2084-0-0x000007FEF55C3000-0x000007FEF55C4000-memory.dmp
memory/2084-1-0x0000000000190000-0x00000000007F2000-memory.dmp
memory/2084-2-0x000007FEF55C0000-0x000007FEF5FAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gamensens.exe
| Hash | Value |
| --- | --- |
| MD5 | a17bef36ed672305f87c5d4ce04e01ff |
| SHA1 | 0c02658f9da0ac19610e6e2779e3e79c3bf0866b |
| SHA256 | 6f0d043a76c2703e65275846d206470861c500a9175a75725ca57e1c37a30069 |
| SHA512 | a8d1533faac58e86ff470bd0c51bbb48174244608343399d6173ac6ae89e7bfbc060791b549ed3a072b1080a74c5a04c149781c379bacffc7c1a2174cfc6e62f |
memory/2084-10-0x000007FEF55C0000-0x000007FEF5FAC000-memory.dmp
C:\chainContainercommon\hyAsInvxuhczEnY.vbe
| Hash | Value |
| --- | --- |
| MD5 | e9362622997cc2b8393c002170007268 |
| SHA1 | af1ab7de2f514a68b3f5c9b4d6e7365ae81389cf |
| SHA256 | 39137e0327e39148e90c60f9d1a53ed28a9968b63f6e475fa4d0d8ef196f3197 |
| SHA512 | b92d853982111fdbaebdc01af7292d5a843eac0c4499f62991c9739d2b19da3cc74ffc0bebccbe4bc414d927bf028d8fffe785eefcc467029c408abc2a3170a3 |
C:\chainContainercommon\Q0ssMcT3ezpnIpNbD4.bat
| Hash | Value |
| --- | --- |
| MD5 | 607be2f3113847991a86a4eb185e0a9c |
| SHA1 | 15fb977abc10846ab794fea18f6e928c29b58574 |
| SHA256 | 4143d93fefe8e68ad77d7d465d3b4894590c55dd37fd2c2ccb96018543799ae8 |
| SHA512 | 2848857fc7e48eca77e38c6d5ac32b430f1496a843d857e5f29b3eb5f4af834ef0834046c71f540aba10915d4e5f8103155092db09848f665902c3ce267d54c4 |
\chainContainercommon\portCommon.exe
| Hash | Value |
| --- | --- |
| MD5 | 7fdd5e97b846125276affa53ff280c55 |
| SHA1 | 5e9233ce22752c6ada3c2f6749d9323e03877baf |
| SHA256 | 04c030043cd5da98ac97fe3201c53fe5089e6db33de88e7e49dab2c2b74085db |
| SHA512 | cd4b587f418b7a8fccdab90c59ab2bd1bf76d34ba7eb5158a703dbfcea53f04c12782c87664683a82341f61049d50b6f6756b2520b1c0982e602a4a8b49a264c |
memory/2676-24-0x00000000003A0000-0x0000000000476000-memory.dmp