Malware Analysis Report

2024-10-10 13:02

Sample ID 240619-tjh4bsxgnk
Target w.exe
SHA256 570388e1641bc609dff93db408507db3af7811d26c196165633d8119bd4f242e
Tags rat dcrat evasion infostealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 570388e1641bc609dff93db408507db3af7811d26c196165633d8119bd4f242e

Threat Level: Known bad

The file w.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer

Dcrat family

DCRat payload

DcRat

Disables Task Manager via registry modification

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 16:05

Signatures

DCRat payload

rat
No description, indicator, process or target recorded for this hit.

Dcrat family

dcrat

Unsigned PE

No description, indicator, process or target recorded for this hit.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 16:05

Reported

2024-06-19 16:07

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\w.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Two hits; neither carries a recorded description, indicator, process or target.

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\w.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
Process: C:\Windows\SysWOW64\WScript.exe
Target: N/A

The Geo\Nation value holds the user's GeoID, a numeric country code. A sample that reads it is learning which region it is running in, typically to decide whether to continue; both the dropper and the script host it launched performed the query.

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\BridgeproviderPerf\ReviewbrokerDhcp.exe
Target: N/A

Enumerates physical storage devices

Modifies registry class

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings
Process: C:\Users\Admin\AppData\Local\Temp\w.exe
Target: N/A

Modifies registry key

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\reg.exe
Target: N/A

The write itself is visible in the reg.exe command line under Processes: DisableTaskMgr is set to 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, which is the "Disables Task Manager via registry modification" hit above.

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\BridgeproviderPerf\ReviewbrokerDhcp.exe
Target: N/A

SeDebugPrivilege lets the holder open processes owned by other users or SYSTEM with full access; enabling it is the usual precursor to cross-process memory writes such as the WriteProcessMemory hit listed in the summary.

Processes

C:\Users\Admin\AppData\Local\Temp\w.exe

"C:\Users\Admin\AppData\Local\Temp\w.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\BridgeproviderPerf\QHNB7cVbdlZ2EQnUCEqJX.vbe"

The command line names System32 but the image ran from SysWOW64: the launching process is 32-bit, so WOW64 file-system redirection mapped System32 to SysWOW64 for the child. The same redirection explains the SysWOW64 image paths of cmd.exe and reg.exe below.

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\BridgeproviderPerf\eKklWVD4eB3sslhbTZXV0qcFz983q.bat" "

C:\BridgeproviderPerf\ReviewbrokerDhcp.exe

"C:\BridgeproviderPerf\ReviewbrokerDhcp.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
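The process chain above, dropper to script host to cmd.exe to dropped PE to reg.exe, is what a detection engineer would want to alert on, so here is an added example (not part of the sandbox output) that replays it as constructed Sysmon-style process-creation records and runs two rules over them: reg.exe setting DisableTaskMgr to a non-zero value under the Policies\System key, and a script host or cmd.exe executing a .vbe/.bat from a directory created directly under the drive root. The process IDs, parent links and the ProcEvent field names are assumptions; the report does not show the tree, and the one benign control event is made up to show the second rule does not fire on a script run from a user profile.

```python
"""Detection logic for the behavioral1 process chain (added example; Sysmon-style
records constructed from the report's process list). Process IDs and parent links
in SAMPLE_EVENTS are assumptions: the report does not show them."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process image
    command_line: str

# Key whose DisableTaskMgr value hides Task Manager from the user.
TASKMGR_POLICY_KEY = re.compile(
    r"^(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\"
    r"software\\microsoft\\windows\\currentversion\\policies\\system$", re.IGNORECASE)
# Script paths under these prefixes are normal; anything else one level below
# the drive root (like C:\BridgeproviderPerf\) is worth a look.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files", "c:\\programdata\\", "c:\\users\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
SCRIPT_PATH = re.compile(r'[a-z]:\\[^"\s]+?\.(?:vbe|vbs|js|jse|bat|cmd)\b', re.IGNORECASE)


def tokenize(cmd: str) -> list[str]:
    """Split a command line on whitespace while keeping double-quoted spans whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def taskmgr_policy_write(cmd: str) -> bool:
    """True for 'reg add <Policies\\System key> /v DisableTaskMgr ... /d <non-zero>'."""
    tok = tokenize(cmd)
    if len(tok) < 3 or ntpath.basename(tok[0]).lower() not in ("reg", "reg.exe"):
        return False
    if tok[1].lower() != "add" or not TASKMGR_POLICY_KEY.match(tok[2]):
        return False
    # Collect the "/switch value" pairs that follow the key.
    opts = {tok[i].lower(): tok[i + 1] for i in range(3, len(tok) - 1) if tok[i].startswith("/")}
    if opts.get("/v", "").lower() != "disabletaskmgr":
        return False
    try:
        return int(opts.get("/d", "0"), 0) != 0   # decimal or 0x-prefixed data
    except ValueError:
        return False


def dropped_script_execution(ev: ProcEvent) -> str | None:
    """Return the script path when a script host runs a script from an unexpected root."""
    if ntpath.basename(ev.image).lower() not in SCRIPT_HOSTS:
        return None
    for path in SCRIPT_PATH.findall(ev.command_line):
        if not path.lower().startswith(EXPECTED_ROOTS):
            return path
    return None


def ancestry(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[str]:
    """Image basenames from the oldest known ancestor down to ev (cycle-safe)."""
    chain, seen, cur = [], set(), ev
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(ntpath.basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain[::-1]


def analyze(events: list[ProcEvent]) -> list[dict]:
    """Apply both rules to a batch of events; each finding carries the process ancestry."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if taskmgr_policy_write(ev.command_line):
            findings.append({"rule": "taskmgr_disabled_via_reg", "pid": ev.pid,
                             "detail": ev.command_line, "chain": ancestry(ev, by_pid)})
        script = dropped_script_execution(ev)
        if script:
            findings.append({"rule": "script_host_dropped_file", "pid": ev.pid,
                             "detail": script, "chain": ancestry(ev, by_pid)})
    return findings


# Constructed sample: the report's process list with assumed pids/ppids, plus a
# benign control (an admin running a script from their own profile) that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1000, 700, r"C:\Users\Admin\AppData\Local\Temp\w.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\w.exe"'),
    ProcEvent(1100, 1000, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\BridgeproviderPerf\QHNB7cVbdlZ2EQnUCEqJX.vbe"'),
    ProcEvent(1200, 1100, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\BridgeproviderPerf\eKklWVD4eB3sslhbTZXV0qcFz983q.bat" "'),
    ProcEvent(1300, 1200, r"C:\BridgeproviderPerf\ReviewbrokerDhcp.exe",
              r'"C:\BridgeproviderPerf\ReviewbrokerDhcp.exe"'),
    ProcEvent(1400, 1200, r"C:\Windows\SysWOW64\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    ProcEvent(1500, 700, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\Admin\Documents\backup.bat"'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], " -> ".join(f["chain"]), f["detail"], sep=" | ")
```

Both rules are deliberately narrow: the registry rule parses the reg.exe switches rather than substring-matching "DisableTaskMgr", so a `reg query` or a write of 0 does not fire, and the script rule keys on where the script lives rather than on the script host alone, since WScript.exe and cmd.exe are constantly busy on a healthy host. The ancestry attached to each finding is what lets an analyst see at a glance that the reg.exe write descends from a file in the user's Temp directory.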

Network

Country: US
Destination: 52.111.229.48:443
Domain: none recorded
Proto: tcp

This address falls in Microsoft-owned space (52.96.0.0/12) and no domain was resolved, so it is at least as likely to be background Windows or Office traffic from the sandbox VM as command-and-control. No DCRat C2 connection was recorded in this run; do not use the address as an indicator without further confirmation.

Files

C:\BridgeproviderPerf\QHNB7cVbdlZ2EQnUCEqJX.vbe

MD5 e1e82881b80a3e66478ec991fd037dd4
SHA1 08d53d58cf05cf5ee78e8b36ac7897d708b91362
SHA256 dc8c6dde789add76be82e38b62669abec23872abc594aa408a74079d4d999254
SHA512 5fe279e3548f7ff33d23b39475797e05623fc4bd1f11e57977f90c8026c1701e3eb23875cc567a88aefd481a40e17f499c0c4272cc4bbdb174344253782a232b

C:\BridgeproviderPerf\eKklWVD4eB3sslhbTZXV0qcFz983q.bat

MD5 01b75cd00cd6e08dc13d6d3b92dd250b
SHA1 95fb99ad4086bf290a41a814ce6dde9cf475b566
SHA256 2d66aeeb99eb936be0702c9c75c0c34361da3a2512d7c2e1664401294a8fae3d
SHA512 5a88c42d91d2c07f315f3c724ebf95dc780a8caa04d5fe98c87e4d754dfd1954dca8026a2a50672fb3b94de635cdf9d1f77bce29e8d2345c5a60cbfdcf984af0

C:\BridgeproviderPerf\ReviewbrokerDhcp.exe

MD5 c2c3c2872c92ffcdf63afce17b873596
SHA1 a7cac03aeff28ddabb4206e7db15d0f190c1d364
SHA256 5b91e782a73c258a9de9a0d288c4b3e4011ebc93de5122edda640a275057417d
SHA512 1beee5886d43bd25de85407e82fdd83262500338122b5942de90476cb34f1231f7a952822f9ae672226b580946cc1acd9f26cc9d22e013acaa7698e5a0bfda41

memory/1892-12-0x00007FFDE5E23000-0x00007FFDE5E25000-memory.dmp

memory/1892-13-0x0000000000730000-0x00000000009DE000-memory.dmp

memory/1892-14-0x0000000002A50000-0x0000000002A5E000-memory.dmp