Overview

overview

10

Static

static

10

rihuata-ma...sa.exe

windows10-ltsc_2021-x64

10

rihuata-ma...la.exe

windows10-ltsc_2021-x64

10

rihuata-ma...aa.pdf

windows10-ltsc_2021-x64

3

rihuata-ma...gh.exe

windows10-ltsc_2021-x64

10

rihuata-ma...er.exe

windows10-ltsc_2021-x64

7

rihuata-ma...er.exe

windows10-ltsc_2021-x64

8

rihuata-ma...er.exe

windows10-ltsc_2021-x64

7

rihuata-ma...ee.exe

windows10-ltsc_2021-x64

8

rihuata-ma...pa.exe

windows10-ltsc_2021-x64

10

rihuata-ma...sa.exe

windows10-ltsc_2021-x64

rihuata-ma...ii.exe

windows10-ltsc_2021-x64

10

rihuata-ma...sa.exe

windows10-ltsc_2021-x64

10

rihuata-ma...sa.exe

windows10-ltsc_2021-x64

7

rihuata-ma...lu.exe

windows10-ltsc_2021-x64

10

rihuata-ma...ad.exe

windows10-ltsc_2021-x64

10

rihuata-ma...sa.exe

windows10-ltsc_2021-x64

10

rihuata-ma...rs.exe

windows10-ltsc_2021-x64

8

rihuata-ma...wa.exe

windows10-ltsc_2021-x64

10

rihuata-ma...ad.exe

windows10-ltsc_2021-x64

10

rihuata-ma...ad.exe

windows10-ltsc_2021-x64

10

rihuata-ma...ix.exe

windows10-ltsc_2021-x64

10

rihuata-ma...aa.exe

windows10-ltsc_2021-x64

10

rihuata-ma...aa.exe

windows10-ltsc_2021-x64

10

rihuata-ma...wd.exe

windows10-ltsc_2021-x64

10

rihuata-ma...ee.exe

windows10-ltsc_2021-x64

10

rihuata-ma...aa.exe

windows10-ltsc_2021-x64

10

rihuata-ma...wa.exe

windows10-ltsc_2021-x64

10

rihuata-ma...aa.exe

windows10-ltsc_2021-x64

10

rihuata-ma...ka.exe

windows10-ltsc_2021-x64

7

rihuata-ma...da.exe

windows10-ltsc_2021-x64

10

rihuata-ma...de.exe

windows10-ltsc_2021-x64

10

rihuata-ma...aa.exe

windows10-ltsc_2021-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    159s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    05/04/2025, 12:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rihuata-main/zuyokhrfhhfde.exe

  • Size

    2.3MB

  • MD5

    9df7d705ddf9926d2981f7efc5050f9b

  • SHA1

    0df97ba0725ad9019a882ff3dd4a4a92089282b1

  • SHA256

    8350e523807323dc6b9d60a5ebe411dab4826a4e7584a1fad4583ce71dfac504

  • SHA512

    873aa17897827b956021cb4266c33fc44fec658e1c6722f70207a5f91ff5225b0a5f54fceedbced41931dd05f22e189a0bc452a0fdc1aa846259cc435b5f8f07

  • SSDEEP

    24576:j4khR33V3uCw7sULd3yUJVdzxlkj/7WUx2VzUN+XpOPwze6t:0khn3I0KcWBAEb

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\rihuata-main\zuyokhrfhhfde.exe
    "C:\Users\Admin\AppData\Local\Temp\rihuata-main\zuyokhrfhhfde.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3988
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1WWZqGlb0S.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2116
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5516
        • C:\Users\Admin\AppData\Local\staticfile.exe
          "C:\Users\Admin\AppData\Local\staticfile.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:5068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "staticfiles" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:228
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "staticfile" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:224
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "staticfiles" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\staticfile.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:548

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1WWZqGlb0S.bat
      Filesize

      171B

      MD5

      ee3c3c79f551217c91b663e6af534b22

      SHA1

      fc1b397d76fee192575deca762d7ae9dc991a6fb

      SHA256

      afc598b03447ce0e4a3dc6f2725325ef29ec86195d017d2d0af410659de8d2e2

      SHA512

      bf454299f086818e30b5c7bb8a11e54080d62d4ecdb3e734a96a430b93a34b12fc913eda4f98e4b1d632518abf4d0bf564b36898efb95f97592382b8147ea15f

      Download Submit

    • C:\Users\Admin\AppData\Local\staticfile.exe
      Filesize

      2.3MB

      MD5

      9df7d705ddf9926d2981f7efc5050f9b

      SHA1

      0df97ba0725ad9019a882ff3dd4a4a92089282b1

      SHA256

      8350e523807323dc6b9d60a5ebe411dab4826a4e7584a1fad4583ce71dfac504

      SHA512

      873aa17897827b956021cb4266c33fc44fec658e1c6722f70207a5f91ff5225b0a5f54fceedbced41931dd05f22e189a0bc452a0fdc1aa846259cc435b5f8f07

      Download Submit

    • memory/3988-24-0x00007FFA44330000-0x00007FFA44DF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3988-28-0x000000001B690000-0x000000001B6A6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3988-5-0x00007FFA44330000-0x00007FFA44DF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3988-7-0x0000000000F90000-0x0000000000F9E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3988-9-0x0000000002880000-0x000000000289C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3988-11-0x0000000000FB0000-0x0000000000FCC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3988-10-0x00007FFA44330000-0x00007FFA44DF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3988-12-0x000000001B5E0000-0x000000001B630000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3988-14-0x0000000002880000-0x0000000002890000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3988-19-0x0000000002890000-0x00000000028A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3988-17-0x0000000002970000-0x0000000002988000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3988-15-0x00007FFA44330000-0x00007FFA44DF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3988-21-0x00000000028A0000-0x00000000028B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3988-23-0x0000000002950000-0x000000000295E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3988-0-0x00007FFA44333000-0x00007FFA44335000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3988-26-0x000000001B670000-0x000000001B682000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3988-4-0x00000000028B0000-0x00000000028D6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/3988-31-0x000000001B6B0000-0x000000001B6C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3988-29-0x00007FFA44330000-0x00007FFA44DF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3988-32-0x00007FFA44330000-0x00007FFA44DF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3988-33-0x000000001BC00000-0x000000001C128000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3988-36-0x0000000002990000-0x000000000299E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3988-38-0x000000001B5D0000-0x000000001B5E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3988-34-0x00007FFA44330000-0x00007FFA44DF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3988-40-0x000000001B630000-0x000000001B640000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3988-42-0x000000001B730000-0x000000001B78A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/3988-44-0x000000001B640000-0x000000001B650000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3988-46-0x000000001B650000-0x000000001B65E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3988-48-0x000000001B6F0000-0x000000001B708000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3988-50-0x000000001B7E0000-0x000000001B82E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3988-2-0x00007FFA44330000-0x00007FFA44DF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3988-60-0x00007FFA44330000-0x00007FFA44DF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3988-1-0x00000000006A0000-0x00000000008F8000-memory.dmp

      Filesize

      2.3MB

      Download