Malware Analysis Report

2024-10-10 13:07

Sample ID 240618-tcgxpavapr
Target 2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe
SHA256 2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784
Tags: dcrat infostealer rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784

Threat Level: Known bad

The file 2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

DcRat

DCRat payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 15:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 15:54

Reported

2024-06-18 15:57

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamensens.exe N/A
N/A N/A C:\chainContainercommon\portCommon.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\chainContainercommon\portCommon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\chainContainercommon\portCommon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe C:\Users\Admin\AppData\Local\Temp\gamensens.exe
PID 1932 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe C:\Users\Admin\AppData\Local\Temp\gamensens.exe
PID 1932 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe C:\Users\Admin\AppData\Local\Temp\gamensens.exe
PID 1932 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe C:\Users\Admin\AppData\Local\Temp\gamensens.exe
PID 2916 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\gamensens.exe C:\Windows\SysWOW64\WScript.exe
PID 2916 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\gamensens.exe C:\Windows\SysWOW64\WScript.exe
PID 2916 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\gamensens.exe C:\Windows\SysWOW64\WScript.exe
PID 2916 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\gamensens.exe C:\Windows\SysWOW64\WScript.exe
PID 2700 wrote to memory of 2652 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2652 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2652 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2652 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\chainContainercommon\portCommon.exe
PID 2652 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\chainContainercommon\portCommon.exe
PID 2652 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\chainContainercommon\portCommon.exe
PID 2652 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\chainContainercommon\portCommon.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe

"C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe"

C:\Users\Admin\AppData\Local\Temp\gamensens.exe

"C:\Users\Admin\AppData\Local\Temp\gamensens.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\chainContainercommon\hyAsInvxuhczEnY.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\chainContainercommon\Q0ssMcT3ezpnIpNbD4.bat" "

C:\chainContainercommon\portCommon.exe

"C:\chainContainercommon\portCommon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0987400.xsph.ru udp
RU 141.8.194.149:80 a0987400.xsph.ru tcp

Files

memory/1932-0-0x000007FEF5FC3000-0x000007FEF5FC4000-memory.dmp

memory/1932-1-0x00000000011A0000-0x0000000001802000-memory.dmp

memory/1932-2-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gamensens.exe

MD5 a17bef36ed672305f87c5d4ce04e01ff
SHA1 0c02658f9da0ac19610e6e2779e3e79c3bf0866b
SHA256 6f0d043a76c2703e65275846d206470861c500a9175a75725ca57e1c37a30069
SHA512 a8d1533faac58e86ff470bd0c51bbb48174244608343399d6173ac6ae89e7bfbc060791b549ed3a072b1080a74c5a04c149781c379bacffc7c1a2174cfc6e62f

memory/1932-9-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

C:\chainContainercommon\hyAsInvxuhczEnY.vbe

MD5 e9362622997cc2b8393c002170007268
SHA1 af1ab7de2f514a68b3f5c9b4d6e7365ae81389cf
SHA256 39137e0327e39148e90c60f9d1a53ed28a9968b63f6e475fa4d0d8ef196f3197
SHA512 b92d853982111fdbaebdc01af7292d5a843eac0c4499f62991c9739d2b19da3cc74ffc0bebccbe4bc414d927bf028d8fffe785eefcc467029c408abc2a3170a3

C:\chainContainercommon\Q0ssMcT3ezpnIpNbD4.bat

MD5 607be2f3113847991a86a4eb185e0a9c
SHA1 15fb977abc10846ab794fea18f6e928c29b58574
SHA256 4143d93fefe8e68ad77d7d465d3b4894590c55dd37fd2c2ccb96018543799ae8
SHA512 2848857fc7e48eca77e38c6d5ac32b430f1496a843d857e5f29b3eb5f4af834ef0834046c71f540aba10915d4e5f8103155092db09848f665902c3ce267d54c4

\chainContainercommon\portCommon.exe

MD5 7fdd5e97b846125276affa53ff280c55
SHA1 5e9233ce22752c6ada3c2f6749d9323e03877baf
SHA256 04c030043cd5da98ac97fe3201c53fe5089e6db33de88e7e49dab2c2b74085db
SHA512 cd4b587f418b7a8fccdab90c59ab2bd1bf76d34ba7eb5158a703dbfcea53f04c12782c87664683a82341f61049d50b6f6756b2520b1c0982e602a4a8b49a264c

memory/1616-24-0x0000000000090000-0x0000000000166000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 15:54

Reported

2024-06-18 15:57

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gamensens.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamensens.exe N/A
N/A N/A C:\chainContainercommon\portCommon.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\gamensens.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\chainContainercommon\portCommon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\chainContainercommon\portCommon.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe

"C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe"

C:\Users\Admin\AppData\Local\Temp\gamensens.exe

"C:\Users\Admin\AppData\Local\Temp\gamensens.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\chainContainercommon\hyAsInvxuhczEnY.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\chainContainercommon\Q0ssMcT3ezpnIpNbD4.bat" "

C:\chainContainercommon\portCommon.exe

"C:\chainContainercommon\portCommon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0987400.xsph.ru udp
US 8.8.8.8:53 a0987400.xsph.ru udp

Files

memory/4084-0-0x00007FF9036E3000-0x00007FF9036E5000-memory.dmp

memory/4084-1-0x0000000000C90000-0x00000000012F2000-memory.dmp

memory/4084-2-0x00007FF9036E0000-0x00007FF9041A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gamensens.exe

MD5 a17bef36ed672305f87c5d4ce04e01ff
SHA1 0c02658f9da0ac19610e6e2779e3e79c3bf0866b
SHA256 6f0d043a76c2703e65275846d206470861c500a9175a75725ca57e1c37a30069
SHA512 a8d1533faac58e86ff470bd0c51bbb48174244608343399d6173ac6ae89e7bfbc060791b549ed3a072b1080a74c5a04c149781c379bacffc7c1a2174cfc6e62f

memory/4084-12-0x00007FF9036E0000-0x00007FF9041A1000-memory.dmp

C:\chainContainercommon\hyAsInvxuhczEnY.vbe

MD5 e9362622997cc2b8393c002170007268
SHA1 af1ab7de2f514a68b3f5c9b4d6e7365ae81389cf
SHA256 39137e0327e39148e90c60f9d1a53ed28a9968b63f6e475fa4d0d8ef196f3197
SHA512 b92d853982111fdbaebdc01af7292d5a843eac0c4499f62991c9739d2b19da3cc74ffc0bebccbe4bc414d927bf028d8fffe785eefcc467029c408abc2a3170a3

C:\chainContainercommon\Q0ssMcT3ezpnIpNbD4.bat

MD5 607be2f3113847991a86a4eb185e0a9c
SHA1 15fb977abc10846ab794fea18f6e928c29b58574
SHA256 4143d93fefe8e68ad77d7d465d3b4894590c55dd37fd2c2ccb96018543799ae8
SHA512 2848857fc7e48eca77e38c6d5ac32b430f1496a843d857e5f29b3eb5f4af834ef0834046c71f540aba10915d4e5f8103155092db09848f665902c3ce267d54c4

C:\chainContainercommon\portCommon.exe

MD5 7fdd5e97b846125276affa53ff280c55
SHA1 5e9233ce22752c6ada3c2f6749d9323e03877baf
SHA256 04c030043cd5da98ac97fe3201c53fe5089e6db33de88e7e49dab2c2b74085db
SHA512 cd4b587f418b7a8fccdab90c59ab2bd1bf76d34ba7eb5158a703dbfcea53f04c12782c87664683a82341f61049d50b6f6756b2520b1c0982e602a4a8b49a264c

memory/664-26-0x0000000000140000-0x0000000000216000-memory.dmp