Malware Analysis Report

2024-11-13 13:44

Sample ID 240716-bv46ts1frc
Target 45eac1c5ac04d5ba311c04776b5bebc0N.exe
SHA256 674890622d7bb92cedd72f8761121f9b8eccfe4a45f2967babb7d06538342d88
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

674890622d7bb92cedd72f8761121f9b8eccfe4a45f2967babb7d06538342d88

Threat Level: Known bad

The file 45eac1c5ac04d5ba311c04776b5bebc0N.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DcRat

Dcrat family

DCRat payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-16 01:28

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 01:28

Reported

2024-07-16 01:30

Platform

win7-20240705-en

Max time kernel

15s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe C:\Windows\SysWOW64\WScript.exe
PID 3044 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe C:\Windows\SysWOW64\WScript.exe
PID 3044 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe C:\Windows\SysWOW64\WScript.exe
PID 3044 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe C:\Windows\SysWOW64\WScript.exe
PID 2096 wrote to memory of 2108 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2108 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2108 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2108 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe
PID 2108 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe
PID 2108 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe
PID 2108 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe

"C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\MhPwnfHbKz5.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\XtSXWV19jrk1A2PG.bat" "

C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe

"C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\MhPwnfHbKz5.vbe

MD5 0e20d4e8786aa76909466fc802d1ec9b
SHA1 fd4e43eb82dd2228b1c220ccf21a2d6b735d67b6
SHA256 af286e412106b4fed822ea0cbb52e7dcdf06238329e5625dce175588998fc0fb
SHA512 ee73e7c1cc08c32704901e9db362d81464976f37c63a6a3e72f620a7d6bd745e21a229aa04766e1b595b4406bb7da9ce0e5867472f380c3c75c612b119b914ce

C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\XtSXWV19jrk1A2PG.bat

MD5 841307750510e536ecc5f7bcc2dc04c5
SHA1 23f78f1f5e21f8a9222245587ff1a0e7f49c1905
SHA256 3b76b5aa6ef4298fcaea871bb9b88ed5f5ecd0cda2ada2b3090a80093f1cbec3
SHA512 7fed4e9330a13730941c396ebdda4190c92cda5709c4c525f9528490ba1d76a5fa34898effa7b160ecb8d954a168e2a31ced2f534510621eea4b65386968af6b

C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe

MD5 f8385279d93481e8ede6ec2312460ce4
SHA1 2c0b4e141fe7495653b427426dc246876fa27af9
SHA256 1bdd11bfd1776b34adb78baebcd5a894fbe1f2bd1c8e0dbd2123eaf443ea7bdc
SHA512 bc3ce19a5ee1a906427f15e7de22495c76a25dca04e17fc48db7629d2be51b5fb16c024c064bcf58d2a924b0df4d6a9b0d28846c06b9239acfea83fc6eb11705

memory/920-13-0x00000000013D0000-0x0000000001520000-memory.dmp

memory/920-14-0x0000000000240000-0x000000000024E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 01:28

Reported

2024-07-16 01:30

Platform

win10v2004-20240709-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe

"C:\Users\Admin\AppData\Local\Temp\45eac1c5ac04d5ba311c04776b5bebc0N.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\MhPwnfHbKz5.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\XtSXWV19jrk1A2PG.bat" "

C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe

"C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\MhPwnfHbKz5.vbe

MD5 0e20d4e8786aa76909466fc802d1ec9b
SHA1 fd4e43eb82dd2228b1c220ccf21a2d6b735d67b6
SHA256 af286e412106b4fed822ea0cbb52e7dcdf06238329e5625dce175588998fc0fb
SHA512 ee73e7c1cc08c32704901e9db362d81464976f37c63a6a3e72f620a7d6bd745e21a229aa04766e1b595b4406bb7da9ce0e5867472f380c3c75c612b119b914ce

C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\XtSXWV19jrk1A2PG.bat

MD5 841307750510e536ecc5f7bcc2dc04c5
SHA1 23f78f1f5e21f8a9222245587ff1a0e7f49c1905
SHA256 3b76b5aa6ef4298fcaea871bb9b88ed5f5ecd0cda2ada2b3090a80093f1cbec3
SHA512 7fed4e9330a13730941c396ebdda4190c92cda5709c4c525f9528490ba1d76a5fa34898effa7b160ecb8d954a168e2a31ced2f534510621eea4b65386968af6b

C:\Users\Admin\AppData\Local\Temp\browserrefCrtsvc\ChainSaves.exe

MD5 f8385279d93481e8ede6ec2312460ce4
SHA1 2c0b4e141fe7495653b427426dc246876fa27af9
SHA256 1bdd11bfd1776b34adb78baebcd5a894fbe1f2bd1c8e0dbd2123eaf443ea7bdc
SHA512 bc3ce19a5ee1a906427f15e7de22495c76a25dca04e17fc48db7629d2be51b5fb16c024c064bcf58d2a924b0df4d6a9b0d28846c06b9239acfea83fc6eb11705

memory/740-12-0x00007FFB2CBD3000-0x00007FFB2CBD5000-memory.dmp

memory/740-13-0x0000000000380000-0x00000000004D0000-memory.dmp

memory/740-14-0x00000000026F0000-0x00000000026FE000-memory.dmp