Analysis

  • max time kernel
    37s
  • max time network
    37s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    11-11-2024 12:51

General

  • Target
    Genshin Impact.exe
  • Size
    1.6MB
  • MD5
    b4bb269011c062cb169969258ab0e1b9
  • SHA1
    6f17b1266eabfad46eee405f8245c604468a52c5
  • SHA256
    bd1d4e5e6380d4e4c398b3bd1f3bfc20ffa576c004773b1f637fd272b771c125
  • SHA512
    e89088f16658ac3d5d69808080b47638a4f5d699ac3569cc88b07e3a8f4666e89e570cfb4512c161e8ccf9b5537e7ea281fc440b06b7484af33b94f55ecacd43
  • SSDEEP
    24576:u2G/nvxW3WieC9LFgyTXNVqSwYFBQS3qojUYBo1wKrYUwBIlRicmIvvN9Zl:ubA3jNFguXDx3qoj9BqwenWIlIIvXX

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 49 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Genshin Impact.exe
    "C:\Users\Admin\AppData\Local\Temp\Genshin Impact.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\winsessionnet\qmazbV2JlRldI.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\winsessionnet\kudjk2JZBqNfIbV0H.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3812
        • C:\winsessionnet\PortwebSaves.exe
          "C:\winsessionnet\PortwebSaves.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2996
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3320
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}
    1⤵
    PID:1436
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies registry class
      PID:4352
    • C:\Users\Admin\AppData\Local\Temp\Genshin Impact.exe
      "C:\Users\Admin\AppData\Local\Temp\Genshin Impact.exe"
      1⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\winsessionnet\qmazbV2JlRldI.vbe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\winsessionnet\PortwebSaves.exe
    Filesize: 1.3MB
    MD5: ad823965fda5d6901ab6a2bc0e153cee
    SHA1: 7ebaec14300ef03501785e9bc1637963ebbc49b0
    SHA256: 2c9a19274f314a4f2f728c51dc117196f7c176c6952275e3ba58184a2d6a95d9
    SHA512: 1c8897f5abbed300029c229b52c5fefd4ec1731cf71b1463f2a81ee085ea0190d766684b2c3057eb0fa6ddedfe97aae9c6c940bb8cdd90c226c02b406c42f9b9
  • C:\winsessionnet\kudjk2JZBqNfIbV0H.bat
    Filesize: 35B
    MD5: b57373910e83f55b01da9606c160d606
    SHA1: bdd2323421bf54c1ab2a40d2f21710c5ddf6b86e
    SHA256: eed136c4973c9c837ba407c3c8dc5d70b9ad30c213628ab93c29649731207065
    SHA512: 32cd79677e54f51efa739b8b8d33e9834ccb7db05e0d3d56c21383968391007f54f05b92750c9dfc6b98bad362e3dca403f98b20a46e95a51ebdf3da70da1cbc
  • C:\winsessionnet\qmazbV2JlRldI.vbe
    Filesize: 207B
    MD5: c976abe88c50259f846e4a7f9219c0e4
    SHA1: 0b8221670e970136114bfa60e95226cdfeda740e
    SHA256: c912de4503819861b8f5053c4da777a73279aba052f9d4710cdb9facd62304d7
    SHA512: e0fe8084c80f37e57b86fc3110f72acaec2e81dedf6a90488960891c2bd8d30728ec7ad763b7e8be299e56becfdbce93c08004efbe9eab92f9808f6109675715
  • memory/2996-29-0x00000000026A0000-0x00000000026AC000-memory.dmp
    Filesize: 48KB
  • memory/2996-28-0x0000000000450000-0x000000000059C000-memory.dmp
    Filesize: 1.3MB
  • memory/3320-21-0x000002AC0DD00000-0x000002AC0DD01000-memory.dmp
    Filesize: 4KB
  • memory/3320-22-0x000002AC0DD00000-0x000002AC0DD01000-memory.dmp
    Filesize: 4KB
  • memory/3320-20-0x000002AC0DD00000-0x000002AC0DD01000-memory.dmp
    Filesize: 4KB
  • memory/3320-19-0x000002AC0DD00000-0x000002AC0DD01000-memory.dmp
    Filesize: 4KB
  • memory/3320-18-0x000002AC0DD00000-0x000002AC0DD01000-memory.dmp
    Filesize: 4KB
  • memory/3320-17-0x000002AC0DD00000-0x000002AC0DD01000-memory.dmp
    Filesize: 4KB
  • memory/3320-23-0x000002AC0DD00000-0x000002AC0DD01000-memory.dmp
    Filesize: 4KB
  • memory/3320-12-0x000002AC0DD00000-0x000002AC0DD01000-memory.dmp
    Filesize: 4KB
  • memory/3320-13-0x000002AC0DD00000-0x000002AC0DD01000-memory.dmp
    Filesize: 4KB
  • memory/3320-11-0x000002AC0DD00000-0x000002AC0DD01000-memory.dmp
    Filesize: 4KB