Malware Analysis Report

2024-11-13 13:46

Sample ID 240716-2g6evatbnl
Target DCRatBuild.exe
SHA256 066802e184c05d76cc3657b71f4e8572f694d59bb2a7baa8fed3a6605476a709
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

066802e184c05d76cc3657b71f4e8572f694d59bb2a7baa8fed3a6605476a709

Threat Level: Known bad

The file DCRatBuild.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Process spawned unexpected child process

DCRat payload

Dcrat family

DcRat

DCRat payload

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-16 22:34

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 22:34

Reported

2024-07-16 22:36

Platform

win10v2004-20240709-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\dllDhcp\chainblockhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\dllDhcp\chainblockhost.exe N/A
N/A N/A C:\Users\Default\Cookies\dllhost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Internet Explorer\es-ES\csrss.exe C:\dllDhcp\chainblockhost.exe N/A
File created C:\Program Files\Internet Explorer\es-ES\886983d96e3d3e C:\dllDhcp\chainblockhost.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe C:\dllDhcp\chainblockhost.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\ea9f0e6c9e2dcd C:\dllDhcp\chainblockhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PrintDialog\pris\unsecapp.exe C:\dllDhcp\chainblockhost.exe N/A
File opened for modification C:\Windows\PrintDialog\pris\unsecapp.exe C:\dllDhcp\chainblockhost.exe N/A
File created C:\Windows\PrintDialog\pris\29c1c3cc0f7685 C:\dllDhcp\chainblockhost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings C:\dllDhcp\chainblockhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Default\Cookies\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\dllDhcp\chainblockhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\dllhost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\dllDhcp\OJCWB0R.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\dllDhcp\L7EPwMogY.bat" "

C:\dllDhcp\chainblockhost.exe

"C:\dllDhcp\chainblockhost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\PrintDialog\pris\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\PrintDialog\pris\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\es-ES\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RyEOv3RD96.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Cookies\dllhost.exe

"C:\Users\Default\Cookies\dllhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 makbagir.beget.tech udp
RU 5.101.153.57:80 makbagir.beget.tech tcp
RU 5.101.153.57:80 makbagir.beget.tech tcp
US 8.8.8.8:53 57.153.101.5.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\dllDhcp\OJCWB0R.vbe

MD5 a0e0d2de250b26d29469010e1fabb24c
SHA1 c4c97777a9ee20e5bc9474e30f5b886588fae262
SHA256 e5a0781bc13be642252b811ace31e5c6c843dd53e5c18c8f2d36fdb00e36d55c
SHA512 54775b96140357ad7892571051e1415ac3793915ac5e2c4bf25d1dd36ad6707af50ac73d27dbc086b400de320b556d771a3b65bed32094c224394dbde1b7b3ef

C:\dllDhcp\L7EPwMogY.bat

MD5 342aa8d31ebbd9cd7138d5b76e077e0c
SHA1 4717d1c8fe768b1bd8af60099f290f68bce904c1
SHA256 ecc4afd63c9149e78c18eefe4fef6b157f5aed8041ba8c7bf1e08be0cd443f0d
SHA512 3d3ada3221594875106309e4f0679d902b3dbed7dae70da5bb48d7a310b19d0a3d590b7fefad6ab4da9bfbca0b17922aac670026d1e3b87aff3bccb618e6f770

C:\dllDhcp\chainblockhost.exe

MD5 a36cfffc11e9c9d311ed2d7b77d41b54
SHA1 acdb06c05f53a0d255204c39f5cd798f28b912bb
SHA256 7b4bdb74d53d18952294ada597261217d380dc0931c9dae040df9e401e62bea3
SHA512 7a82ba48731e08f0151820681ec4cbd8f9fc2ee221588add6ba045d47e08324855e3cf519312810748e1797a885b50f8653e69fe3fdb847fa5b5ee9bf78696e9

memory/640-12-0x00007FF895AF3000-0x00007FF895AF5000-memory.dmp

memory/640-13-0x0000000000250000-0x0000000000326000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RyEOv3RD96.bat

MD5 76805f836d0ddf546c2abe3341ee1da2
SHA1 c6cb878b71a7535828041076903f90f381344dca
SHA256 1d7d7554d480e0a08ac6ecf701b3ec19a3750e72045c20c020388d0be5cc90f9
SHA512 6a63362ef92cec78f4260ac9886f93b0839b68498591d33789e2628fe1786b0d8db844768d06b3e5e010e9734fe98d84294a3f438016286771cceada77d666c9