Analysis

  • max time kernel
    600s
  • max time network
    423s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    08-07-2024 22:34

General

  • Target

    Modrinth Installer.exe

  • Size

    6.6MB

  • MD5

    626111e7e767cb32a4f5b48808a7913f

  • SHA1

    8db25557b50430b884ac5ee30053ebb23b9f5bf7

  • SHA256

    9dc9219eb1d893ac2566607a5c013b7da0761418520795d9828cb76495c7dda7

  • SHA512

    1899d4b38db8abe8c836e905308d0cf26c447ef895a91a3fc15428d11ef967dd848b0a05934903bd26c45ebcba4ad423a8f7dcae6c756a3a6d9bdf6ba42ffb52

  • SSDEEP

    196608:sTyZ3n/HMlS2JxmYcmcg7XGqb6Msq51GP6:53/slSDVoXGe1GC

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Modrinth Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Modrinth Installer.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Users\Admin\AppData\Local\Temp\RATRAT.exe
      "C:\Users\Admin\AppData\Local\Temp\RATRAT.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\SurrogateIntoSvc\hf1hRNn9ajuvUHKHQb8fu.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\SurrogateIntoSvc\rY24mJjmny.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1892
          • C:\SurrogateIntoSvc\Comsession.exe
            "C:\SurrogateIntoSvc\Comsession.exe"
            5⤵
            • Executes dropped EXE
            PID:308
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US (1).msi"
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:312
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 9F4704A33680517CA539D4F324813A67 C
      2⤵
      • Loads dropped DLL
      PID:4080
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:3408
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:3884
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
        1⤵
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        PID:1416
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1780
      • \??\c:\windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
          PID:1900

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\SurrogateIntoSvc\Comsession.exe

          Filesize

          988KB

          MD5

          50be2cc2dd732378c4809d4b51dfe37c

          SHA1

          3a658d098abb2c7cde929fdc5e913565caf5597c

          SHA256

          48fe16f6153c01bd4e617ec3523b7e2e0fd4fd42c8f0f5c69a8228acb779f4cd

          SHA512

          3ff7d5709519cb823d51237b5882d89da837a10174068ba238f170ffa2ad6808ed56b54c010bab02668ea0a24ac8241acde385aaac26ef918cd1c8bf8f7d7fde

        • C:\SurrogateIntoSvc\hf1hRNn9ajuvUHKHQb8fu.vbe

          Filesize

          203B

          MD5

          4c7be1ba3e0913140aa109722a4f7f0f

          SHA1

          fdfeee6cf6ec617eccf813bc2c5414bbdfc0778f

          SHA256

          c50a726baf3ce3a5afa47ab873e11fd2f7a23783d7faef5f86d16c691d85179d

          SHA512

          9d5d51f5ecd39af69dba6276f009d6a0641bcb1ca9eff6bb6329317bc82d2fc0511fe7538cc1c6bf4900a2714ce91dd58469f6f8a92c65c8ccc608aa018209ca

        • C:\SurrogateIntoSvc\rY24mJjmny.bat

          Filesize

          36B

          MD5

          66160c6c4efde242638df78e62dfb0f8

          SHA1

          f492999c6fdceae6c4d7adf6eaca5438beb3ccd2

          SHA256

          e4f15eeb3fa0fccd04b4205d898b881c2e0d3a1c0a600ad7a2c18d95484f98e8

          SHA512

          3720db635a257e95707f43476500410175bfa21d0b5f6f409e6002ffab923b1b2bf06fe3c1017b8ab1882daeb5a6f9ccd9503092cafdf044c78ecdc309db90ff

        • C:\Users\Admin\AppData\Local\Temp\MSIDD6.tmp

          Filesize

          113KB

          MD5

          4fdd16752561cf585fed1506914d73e0

          SHA1

          f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

          SHA256

          aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

          SHA512

          3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

        • C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US (1).msi

          Filesize

          5.0MB

          MD5

          5003486a784143bc96c3577172bbb44a

          SHA1

          9a960998807126041fae5b4fe9488d7ff3c5ca42

          SHA256

          b1ac36000cee14b9c36aea4cef7f53ed2e7c18c9534b4ff66f07da11e8c07b59

          SHA512

          3fd871414cffe35ae649dbb02935eddcad75ee094f2d61f2cef48827dfb852ff3b8e4211f913bf65e4619b2a4989a2807d876a920a105735ac3e59362802ee19

        • C:\Users\Admin\AppData\Local\Temp\RATRAT.exe

          Filesize

          1.4MB

          MD5

          4de3e17ff74bf32a59e6f18b46bc9c52

          SHA1

          8bf5eb695619faf3454b4a1d5d428c36a041099f

          SHA256

          47a33af18e603f3e3c09672ef08ddaa62d35c77ad91c38bc2029584b314e71f3

          SHA512

          69b65a34f68e9d8cafa7de97bbc2b93ef4ccd67db73d9632d3686b9cf72ac386982fa1c00cdc51ab32fdce01a843eac088782bc73ecb8952d87c12eabbbf8944

        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

          Filesize

          26.0MB

          MD5

          7363655a606c414e70ed499013df739f

          SHA1

          be652a4474f7dee1218eeacf9eb619285b655e7c

          SHA256

          67a01309a9a04842ae72efec4d48fce273eaf9143ead1f972de00130c225ea51

          SHA512

          111bef0d58d6f19cd20029b9b2159bf273c9a859760f93a5d4847188ef797c9533f98ea76aa06807437821f3122f822e181cabcea78b3ea42b1131f1823844a2

        • \??\Volume{4f38e779-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d39cf78b-3e52-4693-885b-d8fac8ab87a8}_OnDiskSnapshotProp

          Filesize

          5KB

          MD5

          3e1485edaaf4a2e9adb920be78eddc6e

          SHA1

          fee081a0b77b59e4f108bb33b2bec0112da91151

          SHA256

          7c53b2e32cb4de55a0e2d147b02192cb87e968c17ca04031af195857b8351b94

          SHA512

          ffe1eaff554069afb6ef74a2281a7ead9d6a855698e661df70aece37e1e6c1750e2ce84606eeb31900c7a570e431ca20aff93d9adc66478bec91af88a5854667

        • memory/308-44-0x00000000008A0000-0x000000000099E000-memory.dmp

          Filesize

          1016KB

        • memory/308-45-0x0000000002A70000-0x0000000002A7E000-memory.dmp

          Filesize

          56KB

        • memory/3364-11-0x0000000000400000-0x0000000000AA2000-memory.dmp

          Filesize

          6.6MB