dcrat | 32619382ab72416dff258bff30a8b505d6e69e818345612892a121c28f3b23b0

Analysis

max time kernel
91s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Modrinth.exe
Size

6.8MB
MD5

21cad48edbc93da2d1e1ab6f6632461a
SHA1

667a584eae5a57937d66d64249c26c8b1b2abf8f
SHA256

32619382ab72416dff258bff30a8b505d6e69e818345612892a121c28f3b23b0
SHA512

9125263a9b31336d350e19f9c79460038f7a6c48db109001e93fd8d7e8aba30c3bf44a362c4f3ee87294d3cf9052cbc8d7da518d34356212cb6f914a9990a21d
SSDEEP

196608:UQKQUc/HMlS2JxmYcmcg7XGqb6Msq51GPo:XKwslSDVoXGe1GQ

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
rat

Processes:

resource yara_rule

behavioral2/memory/3880-5-0x0000000000400000-0x0000000000AD7000-memory.dmp dcrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Modrinth.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation Modrinth.exe
Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

8 556 msiexec.exe

resource	yara_rule
behavioral2/memory/3880-5-0x0000000000400000-0x0000000000AD7000-memory.dmp	dcrat

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	Modrinth.exe

flow	pid	process
8	556	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

Modrinth.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings Modrinth.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings	Modrinth.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	556	msiexec.exe
Token: SeIncreaseQuotaPrivilege	556	msiexec.exe
Token: SeSecurityPrivilege	3324	msiexec.exe
Token: SeCreateTokenPrivilege	556	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	556	msiexec.exe
Token: SeLockMemoryPrivilege	556	msiexec.exe
Token: SeIncreaseQuotaPrivilege	556	msiexec.exe
Token: SeMachineAccountPrivilege	556	msiexec.exe
Token: SeTcbPrivilege	556	msiexec.exe
Token: SeSecurityPrivilege	556	msiexec.exe
Token: SeTakeOwnershipPrivilege	556	msiexec.exe
Token: SeLoadDriverPrivilege	556	msiexec.exe
Token: SeSystemProfilePrivilege	556	msiexec.exe
Token: SeSystemtimePrivilege	556	msiexec.exe
Token: SeProfSingleProcessPrivilege	556	msiexec.exe
Token: SeIncBasePriorityPrivilege	556	msiexec.exe
Token: SeCreatePagefilePrivilege	556	msiexec.exe
Token: SeCreatePermanentPrivilege	556	msiexec.exe
Token: SeBackupPrivilege	556	msiexec.exe
Token: SeRestorePrivilege	556	msiexec.exe
Token: SeShutdownPrivilege	556	msiexec.exe
Token: SeDebugPrivilege	556	msiexec.exe
Token: SeAuditPrivilege	556	msiexec.exe
Token: SeSystemEnvironmentPrivilege	556	msiexec.exe
Token: SeChangeNotifyPrivilege	556	msiexec.exe
Token: SeRemoteShutdownPrivilege	556	msiexec.exe
Token: SeUndockPrivilege	556	msiexec.exe
Token: SeSyncAgentPrivilege	556	msiexec.exe
Token: SeEnableDelegationPrivilege	556	msiexec.exe
Token: SeManageVolumePrivilege	556	msiexec.exe
Token: SeImpersonatePrivilege	556	msiexec.exe
Token: SeCreateGlobalPrivilege	556	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

556 msiexec.exe

pid	process
556	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Modrinth.exe

description	pid	process	target process
PID 3880 wrote to memory of 556	3880	Modrinth.exe	msiexec.exe
PID 3880 wrote to memory of 556	3880	Modrinth.exe	msiexec.exe
PID 3880 wrote to memory of 556	3880	Modrinth.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\Modrinth.exe
"C:\Users\Admin\AppData\Local\Temp\Modrinth.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi"
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:556

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi
Filesize
5.0MB

MD5
5003486a784143bc96c3577172bbb44a

SHA1
9a960998807126041fae5b4fe9488d7ff3c5ca42

SHA256
b1ac36000cee14b9c36aea4cef7f53ed2e7c18c9534b4ff66f07da11e8c07b59

SHA512
3fd871414cffe35ae649dbb02935eddcad75ee094f2d61f2cef48827dfb852ff3b8e4211f913bf65e4619b2a4989a2807d876a920a105735ac3e59362802ee19

Download Submit
memory/3880-5-0x0000000000400000-0x0000000000AD7000-memory.dmp

Filesize
6.8MB

Download