dcrat | 556e1b95814a2ff15e3f1962a682b2bdf4f72d8c11bf695af6de878d0b676a61

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UX-V2.0.exe
Size

2.0MB
MD5

f31b33519b8577316db68baa8203b60c
SHA1

8273e7ebdf5b3d25ff15e8d7e56f8b066da0af4b
SHA256

556e1b95814a2ff15e3f1962a682b2bdf4f72d8c11bf695af6de878d0b676a61
SHA512

831f8a5a1a707b3e50b814f43d87c228ad818e0cc7683800a65e0ff0052a6c98492a3f3b2669d5a9495c7687e0a96793ae33b2f24b76e4c671590c982fb987dd
SSDEEP

49152:ubA3j7CUI8pGiQagogtpnJCL1pGKd+N1ewYw:ubQ7I88ALaJCL1HdI1Yw

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000a000000023b91-10.dat	dcrat
behavioral1/memory/3132-13-0x0000000000B40000-0x0000000000D04000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	UX-V2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
3132	ServerBrokerDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UX-V2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	UX-V2.0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	ServerBrokerDhcp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2792	1624	UX-V2.0.exe	84
PID 1624 wrote to memory of 2792	1624	UX-V2.0.exe	84
PID 1624 wrote to memory of 2792	1624	UX-V2.0.exe	84
PID 2792 wrote to memory of 4508	2792	WScript.exe	89
PID 2792 wrote to memory of 4508	2792	WScript.exe	89
PID 2792 wrote to memory of 4508	2792	WScript.exe	89
PID 4508 wrote to memory of 3132	4508	cmd.exe	91
PID 4508 wrote to memory of 3132	4508	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\UX-V2.0.exe
"C:\Users\Admin\AppData\Local\Temp\UX-V2.0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\portcomPerfSvc\2mZ8bGp.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\portcomPerfSvc\jxAUNCo.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\portcomPerfSvc\ServerBrokerDhcp.exe
      "C:\portcomPerfSvc\ServerBrokerDhcp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\portcomPerfSvc\2mZ8bGp.vbe

Filesize
198B

MD5
fcb144615fd7cf203d141dcc8b199f88

SHA1
d526262498d1b20012cae08eba88c3591d0d53e0

SHA256
c306d351ee916a81159e1f0ee0cca44dd99699109b03fd367f5197284a3c2fa0

SHA512
38b74641fce7abc592fef90e9b8ade1f41c9c6b18a4ced7b48c471d09964ffb3e8bab7569c08e21bcc8f5145369832277b0b53651cf3531ecc79514a929e3552

Download Submit
C:\portcomPerfSvc\ServerBrokerDhcp.exe

Filesize
1.7MB

MD5
734121f31947a54234850fa273769344

SHA1
78154d8391e52b26daec14f5c9eea34584da0ca4

SHA256
346cf8dca071f08cc82cf9d4ee15137f9900e70a8cf3025e99e470e2bf4016e4

SHA512
8a1a49db9bf50eee1176983d5d586a2fa282c6b8502d54bd864af3fcb4d46a140acbab79bba48d30c45c7d4a212b6cd1c3b429277cb89a1455bca6ee29e09b67

Download Submit
C:\portcomPerfSvc\jxAUNCo.bat

Filesize
40B

MD5
67c48c903e3c4cacf749edde6fb48104

SHA1
dd6da02b70e34456edc0c1d6ce84da4fa5ec0d7d

SHA256
5e6725a674937ddc7c592f6c21c0be8e711a6fea44901904a53e85bbe4de296d

SHA512
85be00f7bd833170824169d88d6547e9943c526b7ff5650bd8fc7a90b8a58099b4b68014636717e3e148fb3fc61a1477c4ea4bc48826920f09f8c3ac091cb8b9

Download Submit
memory/3132-12-0x00007FFCD8EB3000-0x00007FFCD8EB5000-memory.dmp

Filesize
8KB

Download
memory/3132-13-0x0000000000B40000-0x0000000000D04000-memory.dmp

Filesize
1.8MB

Download
memory/3132-14-0x00000000014C0000-0x00000000014CE000-memory.dmp

Filesize
56KB

Download