dcrat | d62f7aa61599d5366964c419c7c2afd364e61753d1d7ba6888ae51bb65555cbd

General

Target

Genshin Impact.exe
Size

1.6MB
MD5

b4bb269011c062cb169969258ab0e1b9
SHA1

6f17b1266eabfad46eee405f8245c604468a52c5
SHA256

bd1d4e5e6380d4e4c398b3bd1f3bfc20ffa576c004773b1f637fd272b771c125
SHA512

e89088f16658ac3d5d69808080b47638a4f5d699ac3569cc88b07e3a8f4666e89e570cfb4512c161e8ccf9b5537e7ea281fc440b06b7484af33b94f55ecacd43
SSDEEP

24576:u2G/nvxW3WieC9LFgyTXNVqSwYFBQS3qojUYBo1wKrYUwBIlRicmIvvN9Zl:ubA3jNFguXDx3qoj9BqwenWIlIIvXX

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b95-10.dat	dcrat
behavioral2/memory/4316-13-0x0000000000230000-0x000000000037C000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Genshin Impact.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4316	PortwebSaves.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Genshin Impact.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	Genshin Impact.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4316	PortwebSaves.exe
4316	PortwebSaves.exe
4316	PortwebSaves.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4316	PortwebSaves.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 2180	628	Genshin Impact.exe	84
PID 628 wrote to memory of 2180	628	Genshin Impact.exe	84
PID 628 wrote to memory of 2180	628	Genshin Impact.exe	84
PID 2180 wrote to memory of 2972	2180	WScript.exe	96
PID 2180 wrote to memory of 2972	2180	WScript.exe	96
PID 2180 wrote to memory of 2972	2180	WScript.exe	96
PID 2972 wrote to memory of 4316	2972	cmd.exe	98
PID 2972 wrote to memory of 4316	2972	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\Genshin Impact.exe
"C:\Users\Admin\AppData\Local\Temp\Genshin Impact.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\winsessionnet\qmazbV2JlRldI.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\winsessionnet\kudjk2JZBqNfIbV0H.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\winsessionnet\PortwebSaves.exe
      "C:\winsessionnet\PortwebSaves.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\winsessionnet\PortwebSaves.exe

Filesize
1.3MB

MD5
ad823965fda5d6901ab6a2bc0e153cee

SHA1
7ebaec14300ef03501785e9bc1637963ebbc49b0

SHA256
2c9a19274f314a4f2f728c51dc117196f7c176c6952275e3ba58184a2d6a95d9

SHA512
1c8897f5abbed300029c229b52c5fefd4ec1731cf71b1463f2a81ee085ea0190d766684b2c3057eb0fa6ddedfe97aae9c6c940bb8cdd90c226c02b406c42f9b9

Download Submit
C:\winsessionnet\kudjk2JZBqNfIbV0H.bat

Filesize
35B

MD5
b57373910e83f55b01da9606c160d606

SHA1
bdd2323421bf54c1ab2a40d2f21710c5ddf6b86e

SHA256
eed136c4973c9c837ba407c3c8dc5d70b9ad30c213628ab93c29649731207065

SHA512
32cd79677e54f51efa739b8b8d33e9834ccb7db05e0d3d56c21383968391007f54f05b92750c9dfc6b98bad362e3dca403f98b20a46e95a51ebdf3da70da1cbc

Download Submit
C:\winsessionnet\qmazbV2JlRldI.vbe

Filesize
207B

MD5
c976abe88c50259f846e4a7f9219c0e4

SHA1
0b8221670e970136114bfa60e95226cdfeda740e

SHA256
c912de4503819861b8f5053c4da777a73279aba052f9d4710cdb9facd62304d7

SHA512
e0fe8084c80f37e57b86fc3110f72acaec2e81dedf6a90488960891c2bd8d30728ec7ad763b7e8be299e56becfdbce93c08004efbe9eab92f9808f6109675715

Download Submit
memory/4316-12-0x00007FF8BAB53000-0x00007FF8BAB55000-memory.dmp

Filesize
8KB

Download
memory/4316-13-0x0000000000230000-0x000000000037C000-memory.dmp

Filesize
1.3MB

Download
memory/4316-14-0x0000000000C40000-0x0000000000C4C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing