Analysis Overview
SHA256
2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784
Threat Level: Known bad
The file 2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
DCRat payload
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-18 15:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 15:54
Reported
2024-06-18 15:57
Platform
win7-20240508-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
DcRat
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gamensens.exe | N/A |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\chainContainercommon\portCommon.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe
"C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe"
C:\Users\Admin\AppData\Local\Temp\gamensens.exe
"C:\Users\Admin\AppData\Local\Temp\gamensens.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\chainContainercommon\hyAsInvxuhczEnY.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\chainContainercommon\Q0ssMcT3ezpnIpNbD4.bat" "
C:\chainContainercommon\portCommon.exe
"C:\chainContainercommon\portCommon.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | a0987400.xsph.ru | udp |
| RU | 141.8.194.149:80 | a0987400.xsph.ru | tcp |
Files
memory/1932-0-0x000007FEF5FC3000-0x000007FEF5FC4000-memory.dmp
memory/1932-1-0x00000000011A0000-0x0000000001802000-memory.dmp
memory/1932-2-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gamensens.exe
| MD5 | a17bef36ed672305f87c5d4ce04e01ff |
| SHA1 | 0c02658f9da0ac19610e6e2779e3e79c3bf0866b |
| SHA256 | 6f0d043a76c2703e65275846d206470861c500a9175a75725ca57e1c37a30069 |
| SHA512 | a8d1533faac58e86ff470bd0c51bbb48174244608343399d6173ac6ae89e7bfbc060791b549ed3a072b1080a74c5a04c149781c379bacffc7c1a2174cfc6e62f |
memory/1932-9-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp
C:\chainContainercommon\hyAsInvxuhczEnY.vbe
| MD5 | e9362622997cc2b8393c002170007268 |
| SHA1 | af1ab7de2f514a68b3f5c9b4d6e7365ae81389cf |
| SHA256 | 39137e0327e39148e90c60f9d1a53ed28a9968b63f6e475fa4d0d8ef196f3197 |
| SHA512 | b92d853982111fdbaebdc01af7292d5a843eac0c4499f62991c9739d2b19da3cc74ffc0bebccbe4bc414d927bf028d8fffe785eefcc467029c408abc2a3170a3 |
C:\chainContainercommon\Q0ssMcT3ezpnIpNbD4.bat
| MD5 | 607be2f3113847991a86a4eb185e0a9c |
| SHA1 | 15fb977abc10846ab794fea18f6e928c29b58574 |
| SHA256 | 4143d93fefe8e68ad77d7d465d3b4894590c55dd37fd2c2ccb96018543799ae8 |
| SHA512 | 2848857fc7e48eca77e38c6d5ac32b430f1496a843d857e5f29b3eb5f4af834ef0834046c71f540aba10915d4e5f8103155092db09848f665902c3ce267d54c4 |
\chainContainercommon\portCommon.exe
| MD5 | 7fdd5e97b846125276affa53ff280c55 |
| SHA1 | 5e9233ce22752c6ada3c2f6749d9323e03877baf |
| SHA256 | 04c030043cd5da98ac97fe3201c53fe5089e6db33de88e7e49dab2c2b74085db |
| SHA512 | cd4b587f418b7a8fccdab90c59ab2bd1bf76d34ba7eb5158a703dbfcea53f04c12782c87664683a82341f61049d50b6f6756b2520b1c0982e602a4a8b49a264c |
memory/1616-24-0x0000000000090000-0x0000000000166000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 15:54
Reported
2024-06-18 15:57
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
54s
Command Line
Signatures
DcRat
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gamensens.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gamensens.exe | N/A |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\gamensens.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\chainContainercommon\portCommon.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\chainContainercommon\portCommon.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe
"C:\Users\Admin\AppData\Local\Temp\2a9911b83ab4ec159ae9a832daf85d90ce87f67630ebac6edcf3d027f333e784.exe"
C:\Users\Admin\AppData\Local\Temp\gamensens.exe
"C:\Users\Admin\AppData\Local\Temp\gamensens.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\chainContainercommon\hyAsInvxuhczEnY.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\chainContainercommon\Q0ssMcT3ezpnIpNbD4.bat" "
C:\chainContainercommon\portCommon.exe
"C:\chainContainercommon\portCommon.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | a0987400.xsph.ru | udp |
| US | 8.8.8.8:53 | a0987400.xsph.ru | udp |
Files
memory/4084-0-0x00007FF9036E3000-0x00007FF9036E5000-memory.dmp
memory/4084-1-0x0000000000C90000-0x00000000012F2000-memory.dmp
memory/4084-2-0x00007FF9036E0000-0x00007FF9041A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gamensens.exe
| MD5 | a17bef36ed672305f87c5d4ce04e01ff |
| SHA1 | 0c02658f9da0ac19610e6e2779e3e79c3bf0866b |
| SHA256 | 6f0d043a76c2703e65275846d206470861c500a9175a75725ca57e1c37a30069 |
| SHA512 | a8d1533faac58e86ff470bd0c51bbb48174244608343399d6173ac6ae89e7bfbc060791b549ed3a072b1080a74c5a04c149781c379bacffc7c1a2174cfc6e62f |
memory/4084-12-0x00007FF9036E0000-0x00007FF9041A1000-memory.dmp
C:\chainContainercommon\hyAsInvxuhczEnY.vbe
| MD5 | e9362622997cc2b8393c002170007268 |
| SHA1 | af1ab7de2f514a68b3f5c9b4d6e7365ae81389cf |
| SHA256 | 39137e0327e39148e90c60f9d1a53ed28a9968b63f6e475fa4d0d8ef196f3197 |
| SHA512 | b92d853982111fdbaebdc01af7292d5a843eac0c4499f62991c9739d2b19da3cc74ffc0bebccbe4bc414d927bf028d8fffe785eefcc467029c408abc2a3170a3 |
C:\chainContainercommon\Q0ssMcT3ezpnIpNbD4.bat
| MD5 | 607be2f3113847991a86a4eb185e0a9c |
| SHA1 | 15fb977abc10846ab794fea18f6e928c29b58574 |
| SHA256 | 4143d93fefe8e68ad77d7d465d3b4894590c55dd37fd2c2ccb96018543799ae8 |
| SHA512 | 2848857fc7e48eca77e38c6d5ac32b430f1496a843d857e5f29b3eb5f4af834ef0834046c71f540aba10915d4e5f8103155092db09848f665902c3ce267d54c4 |
C:\chainContainercommon\portCommon.exe
| MD5 | 7fdd5e97b846125276affa53ff280c55 |
| SHA1 | 5e9233ce22752c6ada3c2f6749d9323e03877baf |
| SHA256 | 04c030043cd5da98ac97fe3201c53fe5089e6db33de88e7e49dab2c2b74085db |
| SHA512 | cd4b587f418b7a8fccdab90c59ab2bd1bf76d34ba7eb5158a703dbfcea53f04c12782c87664683a82341f61049d50b6f6756b2520b1c0982e602a4a8b49a264c |
memory/664-26-0x0000000000140000-0x0000000000216000-memory.dmp