Overview
Static

Files in the submission and their static scores (all analyzed on windows10-2004-x64):

- score 10: DcRat.zip
- score 10: BackupCertificate.zip
- score 1: ServerCertificate.p12
- score 7: DcRat.exe
- score 10: DcRat.exe.xml
- score 1: Plugins/Audio.dll
- score 1: Plugins/Chat.dll
- score 1: Plugins/Extra.dll
- score 1: Plugins/Fi...er.dll
- score 1: Plugins/Fi...er.dll
- score 1: Plugins/Fun.dll
- score 1: Plugins/In...on.dll
- score 1: Plugins/Keylogger.exe
- score 1: Plugins/Logger.dll
- score 1: Plugins/Mi...us.dll
- score 1: Plugins/Netstat.dll
- score 1: Plugins/Options.dll
- score 1: Plugins/Pr...er.dll
- score 1: Plugins/Ra...re.dll
- score 1: Plugins/Recovery.dll
- score 1: Plugins/Regedit.dll
- score 1: Plugins/Re...ra.dll
- score 1: Plugins/Re...op.dll
- score 1: Plugins/SendFile.dll
- score 1: Plugins/Se...ry.dll
- score 1: ServerCertificate.p12
- score 7: Stub/Client.exe
- score 10: project2.dll
Analysis

- max time kernel: 132s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/12/2024, 20:13
Behavioral tasks (all run on resource win10v2004-20241007-en):

- behavioral1: DcRat.zip
- behavioral2: BackupCertificate.zip
- behavioral3: ServerCertificate.p12
- behavioral4: DcRat.exe
- behavioral5: DcRat.exe.xml
- behavioral6: Plugins/Audio.dll
- behavioral7: Plugins/Chat.dll
- behavioral8: Plugins/Extra.dll
- behavioral9: Plugins/FileManager.dll
- behavioral10: Plugins/FileSearcher.dll
- behavioral11: Plugins/Fun.dll
- behavioral12: Plugins/Information.dll
- behavioral13: Plugins/Keylogger.exe
- behavioral14: Plugins/Logger.dll
- behavioral15: Plugins/Miscellaneous.dll
- behavioral16: Plugins/Netstat.dll
- behavioral17: Plugins/Options.dll
- behavioral18: Plugins/ProcessManager.dll
- behavioral19: Plugins/Ransomware.dll
- behavioral20: Plugins/Recovery.dll
- behavioral21: Plugins/Regedit.dll
- behavioral22: Plugins/RemoteCamera.dll
- behavioral23: Plugins/RemoteDesktop.dll
- behavioral24: Plugins/SendFile.dll
- behavioral25: Plugins/SendMemory.dll
- behavioral26: ServerCertificate.p12
- behavioral27: Stub/Client.exe
- behavioral28: project2.dll
General

- Target: DcRat.zip
- Size: 6.3MB
- MD5: 6b5246ddc575e3f7ca0242ba81910425
- SHA1: 5ad6cf004ed9137bb83ebdb8ae2ec20470446d1c
- SHA256: 64127c3e92e08691e9b2ba7f7bc3513b98328ce514d645ae85565cb9563961bc
- SHA512: 45790518c7c0e8af10fe95ce64d5f825b2f055164fd696fb28c5dede450f5aa42cc4df77d425aca274367e7b6ba244d361df2b7d50e3b1846361639c1cd90995
- SSDEEP: 98304:ylcQo9b/QZjeMrTgWilAwhySLYTfU8MGcgK80jWvzQvtHKvUOO89NSuRM:yv3Zj3TQlAdIYTfU8MGcHQUVKse9PRM
Malware Config

Extracted: asyncrat 1.0.7 (Default)

- C2: 31.220.90.137:8848
- Mutex: DcRatMutex_qwqdanchun
- delay: 1
- install: true
- install_file: Desktop Window Manager.exe
- install_folder: %Temp%
Signatures

- Asyncrat family
- Async RAT payload (1 IoC)
  - resource behavioral1/files/0x0007000000023cdc-21.dat, yara_rule family_asyncrat
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (DcRat.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (WScript.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (DesktopWindowManager.exe)
- Executes dropped EXE (4 IoCs)
  - PID 4636 DcRat.exe
  - PID 1708 DcRat.exe
  - PID 116 DesktopWindowManager.exe
  - PID 4528 Desktop Window Manager.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WScript.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (DcRat.exe)
- Delays execution with timeout.exe (1 IoC)
  - PID 2028 timeout.exe
- Modifies registry class (1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings (DcRat.exe)
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 3672 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (58 IoCs)
  Repeated hits from PID 116 DesktopWindowManager.exe, PID 1708 DcRat.exe and PID 2680 7zFM.exe.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 2680 7zFM.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  - Token SeRestorePrivilege: PID 2680 7zFM.exe
  - Token 35: PID 2680 7zFM.exe
  - Token SeSecurityPrivilege: PID 2680 7zFM.exe
  - Token SeDebugPrivilege: PID 116 DesktopWindowManager.exe
  - Token SeDebugPrivilege: PID 4528 Desktop Window Manager.exe
  - Token SeDebugPrivilege: PID 1708 DcRat.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  - PID 2680 7zFM.exe (3 hits)
  - PID 1708 DcRat.exe (1 hit)
- Suspicious use of SendNotifyMessage (1 IoC)
  - PID 1708 DcRat.exe
- Suspicious use of WriteProcessMemory (20 IoCs; parent PID and process, target PID, procid_target)
  - 2680 7zFM.exe wrote to memory of 4636 (procid_target 99), 3 hits
  - 4636 DcRat.exe wrote to memory of 4476 (procid_target 102), 3 hits
  - 4476 WScript.exe wrote to memory of 1708 (procid_target 103), 2 hits
  - 4476 WScript.exe wrote to memory of 116 (procid_target 104), 2 hits
  - 116 DesktopWindowManager.exe wrote to memory of 2408 (procid_target 107), 2 hits
  - 116 DesktopWindowManager.exe wrote to memory of 3416 (procid_target 109), 2 hits
  - 3416 cmd.exe wrote to memory of 2028 (procid_target 111), 2 hits
  - 2408 cmd.exe wrote to memory of 3672 (procid_target 112), 2 hits
  - 3416 cmd.exe wrote to memory of 4528 (procid_target 113), 2 hits
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Program Files\7-Zip\7zFM.exe (PID 2680)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\DcRat.zip"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zO87AE09E7\DcRat.exe (PID 4636)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO87AE09E7\DcRat.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe (PID 4476)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
      Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\DcRat.exe (PID 1708)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DcRat.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\DesktopWindowManager.exe (PID 116)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DesktopWindowManager.exe"
        Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\System32\cmd.exe (PID 2408)
          Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Desktop Window Manager" /tr '"C:\Users\Admin\AppData\Local\Temp\Desktop Window Manager.exe"' & exit
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\schtasks.exe (PID 3672)
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "Desktop Window Manager" /tr '"C:\Users\Admin\AppData\Local\Temp\Desktop Window Manager.exe"'
            Signatures: Scheduled Task/Job: Scheduled Task
        - C:\Windows\system32\cmd.exe (PID 3416)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFC80.tmp.bat""
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\timeout.exe (PID 2028)
            Command line: timeout 3
            Signatures: Delays execution with timeout.exe
          - C:\Users\Admin\AppData\Local\Temp\Desktop Window Manager.exe (PID 4528)
            Command line: "C:\Users\Admin\AppData\Local\Temp\Desktop Window Manager.exe"
            Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 1976)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- File 1
  - Filesize: 5.0MB
  - MD5: 9a2706b014494988041a7cd721dc2e77
  - SHA1: 5ca23535cb0abe9b1e5ca5466cf49323d62f1b78
  - SHA256: 9fa9476e19afbc0b9a022a568fe765b793f4966e7e0e0910a2fd07a21a8d848d
  - SHA512: 0c884f57267e478b131fe07b87ed41d6727fd678bd74c7e8b75de61f13f0365c185649453772cb7fefee96ddccb2d51b4d1a52edf551ea34faec1aa06ebbfdab
- File 2
  - Filesize: 12.3MB
  - MD5: 7fce411ea2b74f227489659113960b18
  - SHA1: 543d95b74193a188fe273ce7b065aa177405beb5
  - SHA256: c73b1ffa39c5843b2ed951ac48350d1deb33db4057341f1dab1ee64ea1a62248
  - SHA512: 42de7bc4a0b47e1053ff3ff52a3f887e56759f81cfa691996a533d769e80f98b3e8dcf869785fce801d9cc7a2bc3d675e2eb832b520846b053d6b07093be2678
- File 3
  - Filesize: 48KB
  - MD5: a175ae25d7f7ed25d6707e87f42e017c
  - SHA1: 532786d28fd7e39ea6de8a454ef58c13b9dcb00d
  - SHA256: b2b45e365957b4a7c9fbad9d269652e5f96f709dc7a0828fbc757d9339b44e82
  - SHA512: b5a7ef58afe4cca624e3b13327a3f10a2b44b47f757cbd521e34c5857ba02e502fc8c1732c2f0b9652f636ea34ad168d44a139dd1e7ac480db75848aefa0aae0
- File 4
  - Filesize: 288B
  - MD5: b1ddcdfe8cb8410ee62eac12e0825689
  - SHA1: 0a755b1f8fd422aea80574161ca21d5506aa213d
  - SHA256: dac31763f9fd7e0c565d5aecbb6a142bb5e1c6a607b6c4d36f4932050765c0ef
  - SHA512: bca697ba83e99504f33b6df858f3ed395ccb7124df2b3212ae1237907be46ab7f773e53bab585d967a825e4c5baa07149559218cbc384378a8c70365e53c9910
- File 5
  - Filesize: 169B
  - MD5: b1ca5709bd7d4219a9c7540dec950686
  - SHA1: d23297a52f7dfb5f81f1ee4bc8af01c081b5c4c0
  - SHA256: 6699a7e3b428f7422430a88d8c55a118996e6131cd328afc8fe6817479f00610
  - SHA512: ed1b49f21e6bd3b084f60325fece5302d9257903747b6bfaa2aec972d0dd3c37db3930a9228e1732ef1ff35e5eb5592587ddbabbf79998e20bb006ed8bcbaa65