08f63fd17af25b18502fcc51e71387b1039175fd7cab9a9d7c8d3443e6e6171d

Analysis

max time kernel
4s
max time network
4s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

2.6MB
MD5

d9b53e3ff2150e28db7ffa2bb5d1bed7
SHA1

69e84ad32072140746f71536f6421289c5cacd1a
SHA256

08f63fd17af25b18502fcc51e71387b1039175fd7cab9a9d7c8d3443e6e6171d
SHA512

b990409d8c7e71c33090f1e685d9cd24b3c1d4e2184028e677b6b724b629c205a49c8dab60340606f67678d29bfba636bd85fbfae909b11e52ef4076589143ca
SSDEEP

49152:ubA3jt787JGee3ubYi+SLo1YwNHkdLEdU9GSn3A+dRBCEn5fh5p:ubc87ooLrLo5FkMU9C+dDn5hT

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DCRatBuild.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DCRatBuild.exeWScript.exeWScript.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

Processes:

DCRatBuild.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	DCRatBuild.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

DCRatBuild.exe

description	pid	Process	procid_target
PID 1828 wrote to memory of 464	1828	DCRatBuild.exe	83
PID 1828 wrote to memory of 464	1828	DCRatBuild.exe	83
PID 1828 wrote to memory of 464	1828	DCRatBuild.exe	83
PID 1828 wrote to memory of 2184	1828	DCRatBuild.exe	84
PID 1828 wrote to memory of 2184	1828	DCRatBuild.exe	84
PID 1828 wrote to memory of 2184	1828	DCRatBuild.exe	84

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BrowserdriverintoPerfdhcp\GFi34BGYG.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:464
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BrowserdriverintoPerfdhcp\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BrowserdriverintoPerfdhcp\GFi34BGYG.vbe

Filesize
220B

MD5
3fe5eee54a2d3fea63f0387377f85248

SHA1
dc1b0266e3d8ad096946f7403cdd87ad4222d310

SHA256
7590a9660bdcd7c6ab21a92efc4ff74acc8bcba7035d88db4762d87d534169ea

SHA512
652eb254bddf544dc73110b76f2bc2d256fc0ecb82083a84b18006943ea71a06c8a3fde6a54439262efbcc17253c4169f9b3ab2724ba27694ed4f3038beb3f63

Download Submit
C:\BrowserdriverintoPerfdhcp\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit