Malware Analysis Report

2024-11-13 13:41

Sample ID 241106-1vba7axqdx
Target 59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN
SHA256 59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72eb
Tags: dcrat luminosity discovery execution infostealer persistence rat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72eb

Threat Level: Known bad

The file 59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN was found to be: Known bad.

Malicious Activity Summary

dcrat luminosity discovery execution infostealer persistence rat

DcRat

Dcrat family

Luminosity family

Luminosity

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-06 21:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-06 21:57

Reported: 2024-11-06 21:59

Platform: win10v2004-20241007-en

Max time kernel: 119s

Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Dcrat family

dcrat

Luminosity

rat luminosity
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Luminosity family

luminosity

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "\"C:\\Program Files (x86)\\Client\\client.exe\" -a /a" C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3576 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe C:\Windows\SYSTEM32\cmd.exe
PID 3576 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe C:\Windows\SYSTEM32\cmd.exe
PID 3576 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe C:\Windows\SYSTEM32\cmd.exe
PID 3576 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe C:\Windows\SYSTEM32\cmd.exe
PID 4504 wrote to memory of 3860 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4504 wrote to memory of 3860 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3860 wrote to memory of 3532 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe
PID 3860 wrote to memory of 3532 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe
PID 3860 wrote to memory of 3532 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe
PID 3532 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe C:\Windows\SysWOW64\schtasks.exe
PID 3532 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe C:\Windows\SysWOW64\schtasks.exe
PID 3532 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe

"C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c echo.

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c exec.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"

C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe

"C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp
US 8.8.8.8:53 heroscrypt.no-ip.biz udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exec.bat

MD5 368e0f2c003376d3bdae1c71dd85ec70
SHA1 e5fa7b58cad7f5df6e3a7c2abeec16365ae17827
SHA256 84ab0b7013c706781f6839235d7d59cfad0874e4cc415aeaa4bf86a8dd99b0d9
SHA512 e3e2c9035fca632d04fd411c394301598e6b964d2ebd79db4fcf19816dd876ed23c51831382202d8f5335a0e4a8721d683c377bb1706e4faa4001387f843d553

memory/3860-7-0x00007FFBFD203000-0x00007FFBFD205000-memory.dmp

memory/3860-8-0x000002089D530000-0x000002089D552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uaqc5ffx.d04.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3860-18-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

memory/3860-19-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

MD5 c22f01d9e3f9f075b6efda752f805b3b
SHA1 fd89725060a0ffc6b5af2123ecaa49c31636e6d1
SHA256 f08acf718371e1412b70ec7480a4444d09152e979edb1c79510df49694015be9
SHA512 07b9709f5b5099050aaa0019d340abd112c0cc6ff8207468925e06e024ceaa783ef1f631e9ea661a39e62392e3840e7dcc317361886a53ad1b7d65cea4e646ca

C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe

MD5 981a6297ee4c59b81dcf9b482c7cc475
SHA1 9c822ad8e6b94702d1a7df13346dafab7d2a331f
SHA256 51551aa5a6310cf993733df09696c8d05e532d5d9e79a243d469ef855a4eeae4
SHA512 8d3615d544f4342d21d51b089107a7c7480da88cefe1019ae152c18807b54d6af7161772886df31309361f47b63596586ae9976dbe7420fc6c1eedc90fffbd4a

memory/3532-29-0x0000000074A32000-0x0000000074A33000-memory.dmp

memory/3532-30-0x0000000074A30000-0x0000000074FE1000-memory.dmp

memory/3860-31-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

memory/3532-32-0x0000000074A30000-0x0000000074FE1000-memory.dmp

memory/3532-35-0x0000000074A32000-0x0000000074A33000-memory.dmp

memory/3532-36-0x0000000074A30000-0x0000000074FE1000-memory.dmp