Overview

Static (score 10)

Score | Sample | Platform
10 | DcRat.zip | windows10-2004-x64
10 | BackupCertificate.zip | windows10-2004-x64
1 | ServerCertificate.p12 | windows10-2004-x64
7 | DcRat.exe | windows10-2004-x64
10 | DcRat.exe.xml | windows10-2004-x64
1 | Plugins/Audio.dll | windows10-2004-x64
1 | Plugins/Chat.dll | windows10-2004-x64
1 | Plugins/Extra.dll | windows10-2004-x64
1 | Plugins/Fi...er.dll | windows10-2004-x64
1 | Plugins/Fi...er.dll | windows10-2004-x64
1 | Plugins/Fun.dll | windows10-2004-x64
1 | Plugins/In...on.dll | windows10-2004-x64
1 | Plugins/Keylogger.exe | windows10-2004-x64
1 | Plugins/Logger.dll | windows10-2004-x64
1 | Plugins/Mi...us.dll | windows10-2004-x64
1 | Plugins/Netstat.dll | windows10-2004-x64
1 | Plugins/Options.dll | windows10-2004-x64
1 | Plugins/Pr...er.dll | windows10-2004-x64
1 | Plugins/Ra...re.dll | windows10-2004-x64
1 | Plugins/Recovery.dll | windows10-2004-x64
1 | Plugins/Regedit.dll | windows10-2004-x64
1 | Plugins/Re...ra.dll | windows10-2004-x64
1 | Plugins/Re...op.dll | windows10-2004-x64
1 | Plugins/SendFile.dll | windows10-2004-x64
1 | Plugins/Se...ry.dll | windows10-2004-x64
1 | ServerCertificate.p12 | windows10-2004-x64
7 | Stub/Client.exe | windows10-2004-x64
10 | project2.dll | windows10-2004-x64
Analysis (3)

- max time kernel: 139s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/12/2024, 20:13
Behavioral tasks

Task | Sample | Resource
behavioral1 | DcRat.zip | win10v2004-20241007-en
behavioral2 | BackupCertificate.zip | win10v2004-20241007-en
behavioral3 | ServerCertificate.p12 | win10v2004-20241007-en
behavioral4 | DcRat.exe | win10v2004-20241007-en
behavioral5 | DcRat.exe.xml | win10v2004-20241007-en
behavioral6 | Plugins/Audio.dll | win10v2004-20241007-en
behavioral7 | Plugins/Chat.dll | win10v2004-20241007-en
behavioral8 | Plugins/Extra.dll | win10v2004-20241007-en
behavioral9 | Plugins/FileManager.dll | win10v2004-20241007-en
behavioral10 | Plugins/FileSearcher.dll | win10v2004-20241007-en
behavioral11 | Plugins/Fun.dll | win10v2004-20241007-en
behavioral12 | Plugins/Information.dll | win10v2004-20241007-en
behavioral13 | Plugins/Keylogger.exe | win10v2004-20241007-en
behavioral14 | Plugins/Logger.dll | win10v2004-20241007-en
behavioral15 | Plugins/Miscellaneous.dll | win10v2004-20241007-en
behavioral16 | Plugins/Netstat.dll | win10v2004-20241007-en
behavioral17 | Plugins/Options.dll | win10v2004-20241007-en
behavioral18 | Plugins/ProcessManager.dll | win10v2004-20241007-en
behavioral19 | Plugins/Ransomware.dll | win10v2004-20241007-en
behavioral20 | Plugins/Recovery.dll | win10v2004-20241007-en
behavioral21 | Plugins/Regedit.dll | win10v2004-20241007-en
behavioral22 | Plugins/RemoteCamera.dll | win10v2004-20241007-en
behavioral23 | Plugins/RemoteDesktop.dll | win10v2004-20241007-en
behavioral24 | Plugins/SendFile.dll | win10v2004-20241007-en
behavioral25 | Plugins/SendMemory.dll | win10v2004-20241007-en
behavioral26 | ServerCertificate.p12 | win10v2004-20241007-en
behavioral27 | Stub/Client.exe | win10v2004-20241007-en
behavioral28 | project2.dll | win10v2004-20241007-en
General

- Target: DcRat.exe
- Size: 5.0MB
- MD5: 9a2706b014494988041a7cd721dc2e77
- SHA1: 5ca23535cb0abe9b1e5ca5466cf49323d62f1b78
- SHA256: 9fa9476e19afbc0b9a022a568fe765b793f4966e7e0e0910a2fd07a21a8d848d
- SHA512: 0c884f57267e478b131fe07b87ed41d6727fd678bd74c7e8b75de61f13f0365c185649453772cb7fefee96ddccb2d51b4d1a52edf551ea34faec1aa06ebbfdab
- SSDEEP: 98304:ya4YLGi2jelUpj0d7+k1pGlW5j6cZoEMHAh8qreWpOEnGFPHHLbqV:ynYrksv1p7ZZoEMgxtpORFHPA
Malware Config

Extracted

- Family: asyncrat
- Version: 1.0.7
- Botnet: Default
- C2: 31.220.90.137:8848
- Mutex: DcRatMutex_qwqdanchun
- delay: 1
- install: true
- install_file: Desktop Window Manager.exe
- install_folder: %Temp%
Signatures

- Asyncrat family

- Async RAT payload (1 IoC)
  resource | yara_rule
  behavioral4/files/0x0008000000023c32-13.dat | family_asyncrat

- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | DesktopWindowManager.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | DcRat.exe

- Executes dropped EXE (3 IoCs)
  pid | Process
  4524 | DcRat.exe
  2596 | DesktopWindowManager.exe
  3064 | Desktop Window Manager.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DcRat.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe

- Delays execution with timeout.exe (1 IoC)
  pid | Process
  4640 | timeout.exe

- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | DcRat.exe

- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1976 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (53 IoCs)
pid Process 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 2596 DesktopWindowManager.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe 4524 DcRat.exe -
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2596 | DesktopWindowManager.exe
  Token: SeDebugPrivilege | 4524 | DcRat.exe
  Token: SeDebugPrivilege | 3064 | Desktop Window Manager.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  4524 | DcRat.exe

- Suspicious use of SendNotifyMessage (1 IoC)
  pid | Process
  4524 | DcRat.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 3992 wrote to memory of 4712 | 3992 | DcRat.exe | 83
  PID 3992 wrote to memory of 4712 | 3992 | DcRat.exe | 83
  PID 3992 wrote to memory of 4712 | 3992 | DcRat.exe | 83
  PID 4712 wrote to memory of 4524 | 4712 | WScript.exe | 84
  PID 4712 wrote to memory of 4524 | 4712 | WScript.exe | 84
  PID 4712 wrote to memory of 2596 | 4712 | WScript.exe | 85
  PID 4712 wrote to memory of 2596 | 4712 | WScript.exe | 85
  PID 2596 wrote to memory of 4904 | 2596 | DesktopWindowManager.exe | 87
  PID 2596 wrote to memory of 4904 | 2596 | DesktopWindowManager.exe | 87
  PID 2596 wrote to memory of 60 | 2596 | DesktopWindowManager.exe | 89
  PID 2596 wrote to memory of 60 | 2596 | DesktopWindowManager.exe | 89
  PID 60 wrote to memory of 4640 | 60 | cmd.exe | 91
  PID 60 wrote to memory of 4640 | 60 | cmd.exe | 91
  PID 4904 wrote to memory of 1976 | 4904 | cmd.exe | 92
  PID 4904 wrote to memory of 1976 | 4904 | cmd.exe | 92
  PID 60 wrote to memory of 3064 | 60 | cmd.exe | 94
  PID 60 wrote to memory of 3064 | 60 | cmd.exe | 94

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\DcRat.exe (PID 3992)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DcRat.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WScript.exe (PID 4712)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\DcRat.exe (PID 4524)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DcRat.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    - [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\DesktopWindowManager.exe (PID 2596)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DesktopWindowManager.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\cmd.exe (PID 4904)
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Desktop Window Manager" /tr '"C:\Users\Admin\AppData\Local\Temp\Desktop Window Manager.exe"' & exit
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\schtasks.exe (PID 1976)
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "Desktop Window Manager" /tr '"C:\Users\Admin\AppData\Local\Temp\Desktop Window Manager.exe"'
          - Scheduled Task/Job: Scheduled Task
      - [4] C:\Windows\system32\cmd.exe (PID 60)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp.bat""
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\timeout.exe (PID 4640)
          Command line: timeout 3
          - Delays execution with timeout.exe
        - [5] C:\Users\Admin\AppData\Local\Temp\Desktop Window Manager.exe (PID 3064)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Desktop Window Manager.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\wbem\WmiApSrv.exe (PID 3656)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v15
Downloads