Windows Analysis Report
DCwTjs2dTP.exe

Overview

General Information

Sample Name: DCwTjs2dTP.exe
Analysis ID: 679101
MD5: 2ed2a1d6604afeaa681f4c66dcd84194
SHA1: 6134d837220afe9377cd78950c8aca43dde08d8c
SHA256: 2a48fa5118bf1c97de6a6b7b0a45bcc95bd678d54f31e2f2d003e5f3ea49c780
Tags: DCRat, exe, RAT

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected DcRat
Yara detected AsyncRAT
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for sample
Yara detected Generic Downloader
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: DCwTjs2dTP.exe ReversingLabs: Detection: 50%
Source: DCwTjs2dTP.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\sihost.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Roaming\sihost.exe ReversingLabs: Detection: 50%
Source: DCwTjs2dTP.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sihost.exe Joe Sandbox ML: detected
Source: 0.0.DCwTjs2dTP.exe.b10000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp Malware Configuration Extractor: AsyncRAT {"Server": "techandro.giize.com,hsolic.duckdns.org", "Ports": "6906,6907", "Version": " 1.0.7", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "sihost.exe", "AES_key": "w28XgttPSPRfTrqDPtKQKIftMUNaIi1O", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "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", "ServerSignature": "ZbnE26z/kUoafAYsNOaYAdifPsyY0NUimw56hYN83bmpUDLwVLP2BeWbnk3Mb+RyC7+/9H+auM6ptQK6ib0j+DbOdeQNsf+okOIez8zETDI0UKu51c+FUimCHgyZK+I5Z5tXrRFLS4JhVTH6rhdkluo83hNFkwm6R8TV62hDMtE=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_0ABC4E4C CryptFindOIDInfo, 0_2_0ABC4E4C
Source: DCwTjs2dTP.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 182.186.88.126:6906 -> 192.168.2.3:49740
Source: Yara match File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Malware configuration extractor URLs: techandro.giize.com
Source: Malware configuration extractor URLs: hsolic.duckdns.org
Source: Joe Sandbox View ASN Name: PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK
Source: global traffic TCP traffic: 192.168.2.3:49740 -> 182.186.88.126:6906
Source: sihost.exe, 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: sihost.exe, 0000000A.00000002.521463363.0000000000E80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.10.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: sihost.exe, 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabw
Source: DCwTjs2dTP.exe, 00000000.00000002.533258191.0000000003196000.00000004.00000800.00020000.00000000.sdmp, sihost.exe, 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, sihost.exe, 0000000A.00000002.531132514.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown DNS traffic detected: queries for: techandro.giize.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR
Source: sihost.exe, 0000000A.00000002.520705153.0000000000E4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 10.2.sihost.exe.54d0000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 10.2.sihost.exe.3b4cbb0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 10.2.sihost.exe.3b4cbb0.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 10.2.sihost.exe.54d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.543917229.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.546757964.000000000A90A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.527734779.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000003.516805151.000000000A8F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.540094195.000000000478F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.526006194.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000003.516841569.000000000A90B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.521245478.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: sihost.exe PID: 5352, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 10.2.sihost.exe.54d0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 10.2.sihost.exe.3b4cbb0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 10.2.sihost.exe.3b4cbb0.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 10.2.sihost.exe.54d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.543917229.00000000054D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.525348826.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.546757964.000000000A90A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.527734779.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000003.516805151.000000000A8F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.540094195.000000000478F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.526006194.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.523503805.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000003.516841569.000000000A90B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.521245478.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: sihost.exe PID: 5352, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01364138 0_2_01364138
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01361F10 0_2_01361F10
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01362D10 0_2_01362D10
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01363230 0_2_01363230
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01367C38 0_2_01367C38
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01362840 0_2_01362840
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_0136804F 0_2_0136804F
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01360448 0_2_01360448
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_013622B0 0_2_013622B0
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01365BA8 0_2_01365BA8
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01360390 0_2_01360390
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01365B99 0_2_01365B99
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_013641F9 0_2_013641F9
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_013641D1 0_2_013641D1
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01366231 0_2_01366231
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01366638 0_2_01366638
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01364227 0_2_01364227
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01366428 0_2_01366428
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01366628 0_2_01366628
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01367C28 0_2_01367C28
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01366419 0_2_01366419
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_0136420C 0_2_0136420C
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01367464 0_2_01367464
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01365068 0_2_01365068
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01367468 0_2_01367468
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01361268 0_2_01361268
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01361E58 0_2_01361E58
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01365058 0_2_01365058
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01366240 0_2_01366240
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01364040 0_2_01364040
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_013642F3 0_2_013642F3
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_00DF1BDD 10_2_00DF1BDD
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_00DF1F98 10_2_00DF1F98
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_00DF0E88 10_2_00DF0E88
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_00DF0E78 10_2_00DF0E78
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_0293322B 10_2_0293322B
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02937A50 10_2_02937A50
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02932840 10_2_02932840
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02930448 10_2_02930448
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_0293804F 10_2_0293804F
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02931F10 10_2_02931F10
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02932D10 10_2_02932D10
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02934138 10_2_02934138
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_029342F3 10_2_029342F3
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02936419 10_2_02936419
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_0293420C 10_2_0293420C
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02936231 10_2_02936231
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02931237 10_2_02931237
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02937A3A 10_2_02937A3A
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02936638 10_2_02936638
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02934227 10_2_02934227
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02936428 10_2_02936428
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02936628 10_2_02936628
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02931E58 10_2_02931E58
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02935058 10_2_02935058
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02937442 10_2_02937442
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02936240 10_2_02936240
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02934040 10_2_02934040
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02935068 10_2_02935068
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02937468 10_2_02937468
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02935B99 10_2_02935B99
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02935BA8 10_2_02935BA8
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_029341D1 10_2_029341D1
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_029341F9 10_2_029341F9
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_04B39458 10_2_04B39458
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_04B3DDF0 10_2_04B3DDF0
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_04B38330 10_2_04B38330
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_04B38320 10_2_04B38320
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_04B32BD0 10_2_04B32BD0
Source: DCwTjs2dTP.exe Binary or memory string: OriginalFilename vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000002.540773912.00000000047DA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameClient.exe" vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000002.541024622.000000000482A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000000.250219025.0000000000B36000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe, 00000000.00000002.540124638.0000000004791000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe Binary or memory string: OriginalFilenamesihost.exe. vs DCwTjs2dTP.exe
Source: DCwTjs2dTP.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sihost.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe File read: C:\Users\user\Desktop\DCwTjs2dTP.exe:Zone.Identifier
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DCwTjs2dTP.exe "C:\Users\user\Desktop\DCwTjs2dTP.exe"
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\sihost.exe "C:\Users\user\AppData\Roaming\sihost.exe"
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe File created: C:\Users\user\AppData\Roaming\sihost.exe
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe File created: C:\Users\user\AppData\Local\Temp\tmp53F0.tmp
Source: classification engine Classification label: mal100.troj.winEXE@14/6@1/1
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe File read: C:\Users\user\Desktop\desktop.ini
Source: DCwTjs2dTP.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\sihost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3404:120:WilError_01
Source: C:\Users\user\AppData\Roaming\sihost.exe Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_01
Source: C:\Users\user\AppData\Roaming\sihost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: DCwTjs2dTP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DCwTjs2dTP.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_0ABB0EAE push 0000003Eh; retn 0000h 0_2_0ABB1208
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_0ABB2FD4 push eax; ret 0_2_0ABB2FDC
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_0ABB13C9 push eax; ret 0_2_0ABB13DD
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_01367240 pushfd ; ret 0_2_01367241
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_02937240 pushfd ; ret 10_2_02937241
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_0523C7F0 push eax; mov dword ptr [esp], edx 10_2_0523C802
Source: C:\Users\user\AppData\Roaming\sihost.exe Code function: 10_2_0523E190 push eax; mov dword ptr [esp], edx 10_2_0523E1A4
Source: DCwTjs2dTP.exe Static PE information: 0xF60FB06B [Tue Oct 26 08:42:19 2100 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.625943654905051
Source: initial sample Static PE information: section name: .text entropy: 7.625943654905051
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe File created: C:\Users\user\AppData\Roaming\sihost.exe Jump to dropped file
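The static and behaviour lines above are the raw material an analyst turns into indicators. The Python below is an added example, not part of this report or of the sandbox vendor's tooling: it parses a handful of lines copied from this section (embedded as a constructed sample), pulls out dropped files, mutex names and the process-creation edges, decodes the PE link timestamp and flags it as impossible when it post-dates the analysis, and flags a drop that borrows a Windows system binary name. sihost.exe is the legitimate Shell Infrastructure Host under System32; a copy in AppData\Roaming is masquerading. The system-binary name set is an illustrative assumption to be replaced with an inventory taken from a clean image.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: lines copied from the report section above, kept in
# a raw string so the Windows paths survive verbatim.
REPORT_LINES = r'''
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe File created: C:\Users\user\AppData\Roaming\sihost.exe
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe File created: C:\Users\user\AppData\Local\Temp\tmp53F0.tmp
Source: C:\Users\user\AppData\Roaming\sihost.exe Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3404:120:WilError_01
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\sihost.exe "C:\Users\user\AppData\Roaming\sihost.exe"
Source: DCwTjs2dTP.exe Static PE information: 0xF60FB06B [Tue Oct 26 08:42:19 2100 UTC]
Source: DCwTjs2dTP.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
'''.strip().splitlines()

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<event>File created|Mutant created|Process created|Static PE information): "
    r"(?P<detail>.+)$"
)
PE_TS_RE = re.compile(r"^0x([0-9A-Fa-f]{8})\b")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Assumption: an illustrative subset of Windows system binary names. A real
# deployment loads the full inventory from a clean reference image.
SYSTEM_BINARY_NAMES = {"sihost.exe", "svchost.exe", "conhost.exe", "explorer.exe", "lsass.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_report(lines):
    """Reduce report lines to IOCs: dropped files, mutex names, process-creation
    edges (parent image, child image, command line) and the decoded PE link
    timestamp (None when no timestamp line is present)."""
    iocs = {"files": [], "mutexes": [], "processes": [], "pe_timestamp": None}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, event, detail = m.group("src", "event", "detail")
        if event == "File created":
            iocs["files"].append(detail)
        elif event == "Mutant created":
            # Keep the object name only; the \Sessions\<n>\BaseNamedObjects prefix is session-specific.
            iocs["mutexes"].append(detail.rsplit("\\", 1)[-1])
        elif event == "Process created":
            image, _, cmdline = detail.partition(" ")
            iocs["processes"].append({"parent": src, "image": image, "cmdline": cmdline})
        elif event == "Static PE information":
            ts = PE_TS_RE.match(detail)
            if ts:
                # IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch.
                iocs["pe_timestamp"] = EPOCH + timedelta(seconds=int(ts.group(1), 16))
    return iocs


def pe_timestamp_is_future(pe_timestamp, reference):
    """A link timestamp later than the moment of analysis cannot be genuine; the
    builder or packer wrote it, which is what the report's 'suspicious time
    stamp' signature keys on."""
    return pe_timestamp is not None and pe_timestamp > reference


def masquerading_drops(files):
    """Dropped files that reuse a system binary name outside the system directories."""
    hits = []
    for path in files:
        lowered = path.lower()
        name = lowered.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARY_NAMES and not lowered.startswith(SYSTEM_DIRS):
            hits.append(path)
    return hits


if __name__ == "__main__":
    report = parse_report(REPORT_LINES)
    print("mutexes:", report["mutexes"])
    print("masquerading drops:", masquerading_drops(report["files"]))
    for edge in report["processes"]:
        print("process:", edge["parent"], "->", edge["image"])
    print("PE timestamp:", report["pe_timestamp"].isoformat(),
          "future:", pe_timestamp_is_future(report["pe_timestamp"], datetime.now(timezone.utc)))
```

The mutex name DcRatMutex_qwqdanchun and the Roaming\sihost.exe path are the two indicators from this block that transfer cleanly to host hunting; the decoded timestamp (October 2100) is useful only as a packer fingerprint, since it carries no real build date.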

Boot Survival

Source: Yara match File source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"'
Source: C:\Users\user\AppData\Roaming\sihost.exe Key value created or modified: HKEY_CURRENT_USER\Software\C4D93783EC1A25CC28F9 94E168CABBEA0702E60265D1291BE8FE7C37724D89001E7AE9A73817F84114EF
Source: C:\Users\user\AppData\Roaming\sihost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sihost.exe Process information set: NOOPENFILEERRORBOX
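Read together, the Boot Survival lines describe one persistence chain: a cmd.exe wrapper runs schtasks /create with /sc onlogon and /rl highest so that the task starts the copy in AppData\Roaming at every logon, while a second cmd.exe runs the .bat dropped in Temp, which waits (timeout 3) and then launches that same copy. Note that /rl highest grants elevation only when the creating account is already an administrator (in which case the task runs elevated without a UAC prompt); for a standard user the task runs with that user's rights, which is still enough to survive a reboot. The detection logic below is an added example, not the report's or the vendor's code: it evaluates process-creation records (fields modelled on Sysmon event ID 1; PIDs 5664 for DCwTjs2dTP.exe and 5352 for sihost.exe are the report's, every other PID and the benign control event are constructed) against three checks: a logon-triggered task whose action lives under a user-writable path, cmd.exe executing a batch file from Temp, and a single cmd.exe that ran timeout and then an executable from AppData.

```python
import re


def _event(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# The schtasks invocation exactly as the report shows it (single quotes wrapping
# double quotes is the sample's own quirk, not a typo).
SCHTASKS_CMD = r"""schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"'"""

# Constructed process-creation records mirroring the report's process tree.
EVENTS = [
    _event(5664, 4120, r"C:\Users\user\Desktop\DCwTjs2dTP.exe", r'"C:\Users\user\Desktop\DCwTjs2dTP.exe"'),
    _event(3404, 5664, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + SCHTASKS_CMD + " & exit"),
    _event(3440, 3404, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_CMD),
    _event(5256, 5664, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat""'),
    _event(5300, 5256, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    _event(5352, 5256, r"C:\Users\user\AppData\Roaming\sihost.exe", r'"C:\Users\user\AppData\Roaming\sihost.exe"'),
    # Benign control: a daily task whose action sits under Program Files must not fire.
    _event(7001, 7000, r"C:\Windows\System32\schtasks.exe", r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
]

# /switch followed by an optional value: single-quoted, double-quoted or bare.
SWITCH_RE = re.compile(r"""/(\w+)(?:\s+(?!/)('[^']*'|"[^"]*"|\S+))?""")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
LOGON_TRIGGERS = {"onlogon", "onstart", "onidle"}
TEMP_BATCH_RE = re.compile(r"\\appdata\\local\\temp\\[^\s\"]+\.bat", re.IGNORECASE)


def parse_schtasks(cmdline):
    """Map schtasks switches (lower-cased) to unquoted values; valueless switches map to ''."""
    return {name.lower(): (value or "").strip("'\"") for name, value in SWITCH_RE.findall(cmdline)}


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def evaluate(events):
    """Return (pid, rule, severity) findings for the persistence chain."""
    findings = []
    for ev in events:
        cmd, name = ev["cmdline"], _basename(ev["image"])
        lowered = cmd.lower()
        # Rule 1: logon/start-triggered task whose action is under a user-writable path.
        # Checked on the command line rather than the image so the cmd.exe wrapper fires too.
        if "schtasks" in lowered and "/create" in lowered:
            sw = parse_schtasks(cmd)
            action = sw.get("tr", "").lower()
            if sw.get("sc", "").lower() in LOGON_TRIGGERS and any(d in action for d in USER_WRITABLE):
                severity = "high" if sw.get("rl", "").lower() == "highest" else "medium"
                findings.append((ev["pid"], "logon_task_to_user_writable_path", severity))
        # Rule 2: cmd.exe running a batch file out of the user's Temp directory.
        if name == "cmd.exe" and TEMP_BATCH_RE.search(cmd):
            findings.append((ev["pid"], "batch_from_temp", "medium"))
    # Rule 3 (correlation): one parent that ran timeout and then an .exe from AppData.
    children = {}
    for ev in events:
        children.setdefault(ev["ppid"], []).append(ev)
    for ppid, kids in children.items():
        names = {_basename(k["image"]) for k in kids}
        from_appdata = any("\\appdata\\" in k["image"].lower() and k["image"].lower().endswith(".exe")
                           for k in kids)
        if "timeout.exe" in names and from_appdata:
            findings.append((ppid, "delayed_relaunch_from_appdata", "high"))
    return findings


if __name__ == "__main__":
    for pid, rule, severity in evaluate(EVENTS):
        print(f"pid {pid}: {rule} [{severity}]")
```

On a real host the same three checks map onto Sysmon event 1 (or Security 4688 with command-line auditing) plus the TaskScheduler operational log for task registration; the correlation rule needs the parent process id, which both sources carry.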

Malware Analysis System Evasion

Source: Yara match File source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe TID: 5180 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe TID: 5660 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 5164 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 5192 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 5192 Thread sleep count: 90 > 30
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 1892 Thread sleep count: 9743 > 30
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sihost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sihost.exe Window / User API: threadDelayed 9743
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe File Volume queried: C:\ FullSizeInformation
Source: sihost.exe, 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r\
Source: sihost.exe, 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\sihost.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Code function: 0_2_02EC9028 mov eax, dword ptr fs:[00000030h] 0_2_02EC9028
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"' & exit
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp53F0.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sihost" /tr '"C:\Users\user\AppData\Roaming\sihost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\sihost.exe "C:\Users\user\AppData\Roaming\sihost.exe"
Source: sihost.exe, 0000000A.00000002.532020880.0000000002D67000.00000004.00000800.00020000.00000000.sdmp, sihost.exe, 0000000A.00000002.531872890.0000000002D49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Queries volume information: C:\Users\user\Desktop\DCwTjs2dTP.exe VolumeInformation
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe Queries volume information: C:\Users\user\AppData\Roaming\sihost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
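The sleep figures in this section deserve a second look before accepting the "likely an evasion" verdict. 922337203685477 is Int64.MaxValue divided by 10,000, which is exactly the millisecond value of a .NET TimeSpan.MaxValue, and the figure on TID 5192 is twice that, i.e. two such calls summed. The report prints the unit as "s"; reading the number as milliseconds is an interpretation added here, not something the report states. Either way, a wait of that size is a thread parked for the life of the process (a blocked main thread while worker threads run the implant), not a timed pause calibrated to outlast a sandbox; the 30000 ms delay on TID 5164 and the 9743-iteration loop on TID 1892 are the waits worth timing. Likewise, the VMware and Hyper-V strings come from a memory dump of sihost.exe and show only that those device names were in its address space, not that the code tested for them. The Python below is an added example, not the sandbox's tooling: it parses these lines (embedded as a constructed sample; the trailing junk characters of the device path were trimmed), classifies each thread's wait, and lists the VM-artifact strings so an analyst can decide which to chase.

```python
import re

# Int64.MaxValue // 10_000 == 922337203685477: what .NET yields for
# TimeSpan.MaxValue expressed in milliseconds (interpretation, see lead-in).
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# Constructed sample: the sleep and memory-string lines from the evasion section.
EVASION_LINES = r'''
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe TID: 5180 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DCwTjs2dTP.exe TID: 5660 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 5164 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 5192 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 5192 Thread sleep count: 90 > 30
Source: C:\Users\user\AppData\Roaming\sihost.exe TID: 1892 Thread sleep count: 9743 > 30
Source: sihost.exe, 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: sihost.exe, 0000000A.00000002.522471112.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
'''.strip().splitlines()

SLEEP_TIME_RE = re.compile(r"^Source: (?P<img>\S+) TID: (?P<tid>\d+) Thread sleep time: -?(?P<val>\d+)s")
SLEEP_COUNT_RE = re.compile(r"^Source: (?P<img>\S+) TID: (?P<tid>\d+) Thread sleep count: (?P<cnt>\d+)")
MEMSTR_RE = re.compile(r"Binary or memory string: (?P<s>.+)$")
VM_MARKERS = ("vmware", "hyper-v", "vbox", "virtualbox", "qemu", "xen")


def parse_threads(lines):
    """Aggregate per thread ('<image basename>:<tid>') the reported wait and call count."""
    threads = {}
    for line in lines:
        m = SLEEP_TIME_RE.match(line)
        if m:
            name = m["img"].rsplit("\\", 1)[-1]
            t = threads.setdefault(f"{name}:{m['tid']}", {"wait_ms": 0, "calls": 0})
            t["wait_ms"] += int(m["val"])
            continue
        m = SLEEP_COUNT_RE.match(line)
        if m:
            name = m["img"].rsplit("\\", 1)[-1]
            t = threads.setdefault(f"{name}:{m['tid']}", {"wait_ms": 0, "calls": 0})
            t["calls"] = max(t["calls"], int(m["cnt"]))
    return threads


def classify(wait_ms, calls):
    """Separate a parked thread from the waits that actually stall analysis."""
    if wait_ms and wait_ms % TIMESPAN_MAX_MS == 0:
        return "blocked_indefinitely"   # n x TimeSpan.MaxValue: the thread never wakes
    if calls > 30 and wait_ms < 60_000:
        return "polling_loop"           # many short sleeps: a wait-for-condition loop
    if wait_ms >= 30_000:
        return "long_timed_delay"       # the kind of pause that outlasts a short sandbox run
    return "short_delay"


def triage(lines):
    return {key: classify(v["wait_ms"], v["calls"]) for key, v in parse_threads(lines).items()}


def vm_artifact_strings(lines):
    """Memory strings naming a hypervisor; presence alone is not proof of a VM check."""
    hits = []
    for line in lines:
        m = MEMSTR_RE.search(line)
        if m and any(marker in m["s"].lower() for marker in VM_MARKERS):
            hits.append(m["s"])
    return hits


if __name__ == "__main__":
    for thread, verdict in triage(EVASION_LINES).items():
        print(f"{thread}: {verdict}")
    for s in vm_artifact_strings(EVASION_LINES):
        print("vm artifact string:", s)
```

To confirm or refute an actual VM check, look for the API or WMI call that would read those names (for example a Win32_* query or a registry read of the device enumeration keys) rather than for the strings themselves; this section records only a root\SecurityCenter2 query for antivirus products, which is a different question.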

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: 0.2.DCwTjs2dTP.exe.abb0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DCwTjs2dTP.exe.abb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\sihost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: DCwTjs2dTP.exe, DCwTjs2dTP.exe, 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: MSASCui.exe
Source: DCwTjs2dTP.exe, DCwTjs2dTP.exe, 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: procexp.exe
Source: DCwTjs2dTP.exe, DCwTjs2dTP.exe, 00000000.00000002.542742208.000000000ABB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sihost.exe PID: 5352, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000000A.00000002.531729380.0000000002D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.526339237.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DCwTjs2dTP.exe PID: 5664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sihost.exe PID: 5352, type: MEMORYSTR