Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-11-2024 12:55

General

  • Target

    Genshin Impact.exe

  • Size

    1.6MB

  • MD5

    b4bb269011c062cb169969258ab0e1b9

  • SHA1

    6f17b1266eabfad46eee405f8245c604468a52c5

  • SHA256

    bd1d4e5e6380d4e4c398b3bd1f3bfc20ffa576c004773b1f637fd272b771c125

  • SHA512

    e89088f16658ac3d5d69808080b47638a4f5d699ac3569cc88b07e3a8f4666e89e570cfb4512c161e8ccf9b5537e7ea281fc440b06b7484af33b94f55ecacd43

  • SSDEEP

    24576:u2G/nvxW3WieC9LFgyTXNVqSwYFBQS3qojUYBo1wKrYUwBIlRicmIvvN9Zl:ubA3jNFguXDx3qoj9BqwenWIlIIvXX

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Genshin Impact.exe
    "C:\Users\Admin\AppData\Local\Temp\Genshin Impact.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\winsessionnet\qmazbV2JlRldI.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\winsessionnet\kudjk2JZBqNfIbV0H.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\winsessionnet\PortwebSaves.exe
          "C:\winsessionnet\PortwebSaves.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2720

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\winsessionnet\PortwebSaves.exe

    Filesize

    1.3MB

    MD5

    ad823965fda5d6901ab6a2bc0e153cee

    SHA1

    7ebaec14300ef03501785e9bc1637963ebbc49b0

    SHA256

    2c9a19274f314a4f2f728c51dc117196f7c176c6952275e3ba58184a2d6a95d9

    SHA512

    1c8897f5abbed300029c229b52c5fefd4ec1731cf71b1463f2a81ee085ea0190d766684b2c3057eb0fa6ddedfe97aae9c6c940bb8cdd90c226c02b406c42f9b9

  • C:\winsessionnet\kudjk2JZBqNfIbV0H.bat

    Filesize

    35B

    MD5

    b57373910e83f55b01da9606c160d606

    SHA1

    bdd2323421bf54c1ab2a40d2f21710c5ddf6b86e

    SHA256

    eed136c4973c9c837ba407c3c8dc5d70b9ad30c213628ab93c29649731207065

    SHA512

    32cd79677e54f51efa739b8b8d33e9834ccb7db05e0d3d56c21383968391007f54f05b92750c9dfc6b98bad362e3dca403f98b20a46e95a51ebdf3da70da1cbc

  • C:\winsessionnet\qmazbV2JlRldI.vbe

    Filesize

    207B

    MD5

    c976abe88c50259f846e4a7f9219c0e4

    SHA1

    0b8221670e970136114bfa60e95226cdfeda740e

    SHA256

    c912de4503819861b8f5053c4da777a73279aba052f9d4710cdb9facd62304d7

    SHA512

    e0fe8084c80f37e57b86fc3110f72acaec2e81dedf6a90488960891c2bd8d30728ec7ad763b7e8be299e56becfdbce93c08004efbe9eab92f9808f6109675715

  • memory/2720-13-0x0000000000020000-0x000000000016C000-memory.dmp

    Filesize

    1.3MB

  • memory/2720-14-0x0000000000410000-0x000000000041C000-memory.dmp

    Filesize

    48KB