dcrat | a3640a10bd29bfb75eb0ee385cb7233ae19c34e0eebae32da2ae168529c2d9fc

Analysis

max time kernel
134s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ioqjwd.exe
Size

1.8MB
MD5

67d57fb4c4b81fe4c7acab9aeae02956
SHA1

da16779ad85db8289b6ec67f6c5a5e9aa1dd418a
SHA256

a3640a10bd29bfb75eb0ee385cb7233ae19c34e0eebae32da2ae168529c2d9fc
SHA512

b0bb6569e918de32963d58e87ca8f4effdefa72645a4cb64fe621866dfb4ccbc95a89155c1c304f52557530f419bb20daa1e6d1195670e15d538a69865006678
SSDEEP

49152:ubA3j3+MhlRGll+heg+Hx9IWZTw40/SyD:ubwR5eZ9Igw40qw

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4260-13-0x0000000000D30000-0x0000000000EBA000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b5f-11.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ioqjwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4260	MsHyperPort.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ioqjwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	ioqjwd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	MsHyperPort.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 4700	4912	ioqjwd.exe	86
PID 4912 wrote to memory of 4700	4912	ioqjwd.exe	86
PID 4912 wrote to memory of 4700	4912	ioqjwd.exe	86
PID 4700 wrote to memory of 644	4700	WScript.exe	93
PID 4700 wrote to memory of 644	4700	WScript.exe	93
PID 4700 wrote to memory of 644	4700	WScript.exe	93
PID 644 wrote to memory of 4260	644	cmd.exe	95
PID 644 wrote to memory of 4260	644	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\ioqjwd.exe
"C:\Users\Admin\AppData\Local\Temp\ioqjwd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentComponentFontNet\P9abK9svJKxMlccRQgtUz9QFmwEp.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\agentComponentFontNet\vVXjGKobGoN.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\agentComponentFontNet\MsHyperPort.exe
      "C:\agentComponentFontNet\MsHyperPort.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\agentComponentFontNet\MsHyperPort.exe

Filesize
1.5MB

MD5
1e2a1dca947c48a39d7c8fb0ca11d243

SHA1
77f89d59f01e476eb4243a2fb2b947dc1d7e3343

SHA256
a45ca5a10e19033bf290c94e7ef718d72b1ee1769b196aa0019625e55f95c68d

SHA512
52fcbc03a3d1bb5cb92d050cace14f3a7dfe0a741e5af0b1c1a63706e90e3962ba6082a57d5e2e94f14433c693cf0a157c4f7f5425dd02fb028c11c210e1d55b

Download Submit
C:\agentComponentFontNet\P9abK9svJKxMlccRQgtUz9QFmwEp.vbe

Filesize
209B

MD5
4b8b3a8fd20e592022cea9ef533a9fe0

SHA1
140428922aa364ee3c9c2afbad20ba80ed988c82

SHA256
084873620a127341a58d0e90fe42ccf353708b1e4d08d01c7b89a2883edb049b

SHA512
8b71bdafb5be808b33458b152c35ff53add3d95c2e40446d262404f15954a9a209da8e1729b46998926268cc0e46e4c76a49f9c995402cde4f6e00c9db255ee2

Download Submit
C:\agentComponentFontNet\vVXjGKobGoN.bat

Filesize
42B

MD5
5a9179103d9e89ebfa2bdd7b5fb715d2

SHA1
77403d72b6fddab80628ff70553ad635cf9c8b57

SHA256
8664578b5e83e09c41088d98c245c02669153f29e0356352b10a00a3b4e14249

SHA512
92a2b944c949493cc5f2c5d5eecc8e1151ff19c34f74441ef2bf309bbe529b03319492913372c0564747e08f6e97a9907a7dba3e83f19c3f7cff7574467962c0

Download Submit
memory/4260-12-0x00007FF8E16D3000-0x00007FF8E16D5000-memory.dmp

Filesize
8KB

Download
memory/4260-13-0x0000000000D30000-0x0000000000EBA000-memory.dmp

Filesize
1.5MB

Download
memory/4260-14-0x0000000002FD0000-0x0000000002FDE000-memory.dmp

Filesize
56KB

Download