Edit tour
Windows
Analysis Report
IEmxqChwE0.exe
Overview
General Information
| Sample Name: | IEmxqChwE0.exe |
| Analysis ID: | 679394 |
| MD5: | 0d32ff3680a716fd66cb9ab0e3ebc763 |
| SHA1: | 2aa356f14a156bf56efc66e39e0654bddb4fd95a |
| SHA256: | 21719369d4b1474ad31c61c60ec7510ab511a21ba5659cca266f1e6a933cdc71 |
| Tags: | DCRatexe |
| Infos: |  |
 | |
Detection
DCRat
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected DCRat
Drops executable to a common third party application directory
Creates processes via WMI
Machine Learning detection for sample
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
IEmxqChwE0.exe (PID: 6036 cmdline: "C:\Users\ user\Deskt op\IEmxqCh wE0.exe" MD5: 0D32FF3680A716FD66CB9AB0E3EBC763)
- schtasks.exe (PID: 640 cmdline:
schtasks.e xe /create /tn "ZoFS CoTkutoORr rfFQrZkawZ " /sc MINU TE /mo 5 / tr "'C:\Re covery\ZoF SCoTkutoOR rrfFQrZkaw .exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5244 cmdline:
schtasks.e xe /create /tn "ZoFS CoTkutoORr rfFQrZkaw" /sc ONLOG ON /tr "'C :\Recovery \ZoFSCoTku toORrrfFQr Zkaw.exe'" /rl HIGHE ST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 3564 cmdline:
schtasks.e xe /create /tn "ZoFS CoTkutoORr rfFQrZkawZ " /sc MINU TE /mo 14 /tr "'C:\R ecovery\Zo FSCoTkutoO RrrfFQrZka w.exe'" /r l HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- ZoFSCoTkutoORrrfFQrZkaw.exe (PID: 2988 cmdline:
C:\Recover y\ZoFSCoTk utoORrrfFQ rZkaw.exe MD5: 0D32FF3680A716FD66CB9AB0E3EBC763)
- schtasks.exe (PID: 740 cmdline:
schtasks.e xe /create /tn "Runt imeBrokerR " /sc MINU TE /mo 11 /tr "'C:\P rogram Fil es\Common Files\micr osoft shar ed\vgx\Run timeBroker .exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- ZoFSCoTkutoORrrfFQrZkaw.exe (PID: 5548 cmdline:
C:\Recover y\ZoFSCoTk utoORrrfFQ rZkaw.exe MD5: 0D32FF3680A716FD66CB9AB0E3EBC763)
- schtasks.exe (PID: 1428 cmdline:
schtasks.e xe /create /tn "Runt imeBroker" /sc ONLOG ON /tr "'C :\Program Files\Comm on Files\m icrosoft s hared\vgx\ RuntimeBro ker.exe'" /rl HIGHES T /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 2320 cmdline:
schtasks.e xe /create /tn "Runt imeBrokerR " /sc MINU TE /mo 9 / tr "'C:\Pr ogram File s\Common F iles\micro soft share d\vgx\Runt imeBroker. exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 1588 cmdline:
schtasks.e xe /create /tn "ZoFS CoTkutoORr rfFQrZkawZ " /sc MINU TE /mo 9 / tr "'C:\Pr ogram File s (x86)\wi ndowspower shell\ZoFS CoTkutoORr rfFQrZkaw. exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5560 cmdline:
schtasks.e xe /create /tn "ZoFS CoTkutoORr rfFQrZkaw" /sc ONLOG ON /tr "'C :\Program Files (x86 )\windowsp owershell\ ZoFSCoTkut oORrrfFQrZ kaw.exe'" /rl HIGHES T /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5912 cmdline:
schtasks.e xe /create /tn "ZoFS CoTkutoORr rfFQrZkawZ " /sc MINU TE /mo 9 / tr "'C:\Pr ogram File s (x86)\wi ndowspower shell\ZoFS CoTkutoORr rfFQrZkaw. exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- RuntimeBroker.exe (PID: 1048 cmdline:
C:\Program Files\Com mon Files\ microsoft shared\vgx \RuntimeBr oker.exe MD5: 0D32FF3680A716FD66CB9AB0E3EBC763)
- RuntimeBroker.exe (PID: 4532 cmdline:
C:\Program Files\Com mon Files\ microsoft shared\vgx \RuntimeBr oker.exe MD5: 0D32FF3680A716FD66CB9AB0E3EBC763)
- schtasks.exe (PID: 6060 cmdline:
schtasks.e xe /create /tn "Shel lExperienc eHostS" /s c MINUTE / mo 6 /tr " 'C:\Recove ry\ShellEx perienceHo st.exe'" / f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5500 cmdline:
schtasks.e xe /create /tn "Shel lExperienc eHost" /sc ONLOGON / tr "'C:\Re covery\She llExperien ceHost.exe '" /rl HIG HEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5948 cmdline:
schtasks.e xe /create /tn "Shel lExperienc eHostS" /s c MINUTE / mo 7 /tr " 'C:\Recove ry\ShellEx perienceHo st.exe'" / rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 2208 cmdline:
schtasks.e xe /create /tn "ZoFS CoTkutoORr rfFQrZkawZ " /sc MINU TE /mo 11 /tr "'C:\M SOCache\Al l Users\{9 0160000-00 BA-0409-00 00-0000000 FF1CE}-C\Z oFSCoTkuto ORrrfFQrZk aw.exe'" / f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- ShellExperienceHost.exe (PID: 3764 cmdline:
C:\Recover y\ShellExp erienceHos t.exe MD5: 0D32FF3680A716FD66CB9AB0E3EBC763)
- schtasks.exe (PID: 3568 cmdline:
schtasks.e xe /create /tn "ZoFS CoTkutoORr rfFQrZkaw" /sc ONLOG ON /tr "'C :\MSOCache \All Users \{90160000 -00BA-0409 -0000-0000 000FF1CE}- C\ZoFSCoTk utoORrrfFQ rZkaw.exe' " /rl HIGH EST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- ShellExperienceHost.exe (PID: 336 cmdline:
C:\Recover y\ShellExp erienceHos t.exe MD5: 0D32FF3680A716FD66CB9AB0E3EBC763)
- schtasks.exe (PID: 4924 cmdline:
schtasks.e xe /create /tn "ZoFS CoTkutoORr rfFQrZkawZ " /sc MINU TE /mo 13 /tr "'C:\M SOCache\Al l Users\{9 0160000-00 BA-0409-00 00-0000000 FF1CE}-C\Z oFSCoTkuto ORrrfFQrZk aw.exe'" / rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5804 cmdline:
schtasks.e xe /create /tn "WmiP rvSEW" /sc MINUTE /m o 14 /tr " 'C:\Progra m Files (x 86)\mozill a firefox\ plugins\Wm iPrvSE.exe '" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5176 cmdline:
schtasks.e xe /create /tn "WmiP rvSE" /sc ONLOGON /t r "'C:\Pro gram Files (x86)\moz illa firef ox\plugins \WmiPrvSE. exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- WmiPrvSE.exe (PID: 408 cmdline:
C:\Program Files (x8 6)\mozilla firefox\p lugins\Wmi PrvSE.exe MD5: 0D32FF3680A716FD66CB9AB0E3EBC763)
- schtasks.exe (PID: 1752 cmdline:
schtasks.e xe /create /tn "WmiP rvSEW" /sc MINUTE /m o 7 /tr "' C:\Program Files (x8 6)\mozilla firefox\p lugins\Wmi PrvSE.exe' " /rl HIGH EST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 4736 cmdline:
schtasks.e xe /create /tn "Runt imeBrokerR " /sc MINU TE /mo 12 /tr "'C:\R ecovery\Ru ntimeBroke r.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 5300 cmdline:
schtasks.e xe /create /tn "Runt imeBroker" /sc ONLOG ON /tr "'C :\Recovery \RuntimeBr oker.exe'" /rl HIGHE ST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 1332 cmdline:
schtasks.e xe /create /tn "Runt imeBrokerR " /sc MINU TE /mo 13 /tr "'C:\R ecovery\Ru ntimeBroke r.exe'" /r l HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- WmiPrvSE.exe (PID: 1448 cmdline:
C:\Program Files (x8 6)\mozilla firefox\p lugins\Wmi PrvSE.exe MD5: 0D32FF3680A716FD66CB9AB0E3EBC763)
- schtasks.exe (PID: 2916 cmdline:
schtasks.e xe /create /tn "Runt imeBrokerR " /sc MINU TE /mo 13 /tr "'C:\M SOCache\Al l Users\Ru ntimeBroke r.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- schtasks.exe (PID: 3256 cmdline:
schtasks.e xe /create /tn "Runt imeBroker" /sc ONLOG ON /tr "'C :\MSOCache \All Users \RuntimeBr oker.exe'" /rl HIGHE ST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- cleanup
{"SCRT": "{\"W\":\"-\",\"j\":\"%\",\"i\":\"`\",\"D\":\")\",\"v\":\"!\",\"V\":\"#\",\"N\":\" \",\"a\":\",\",\"M\":\"(\",\"6\":\"_\",\"I\":\"<\",\"p\":\"@\",\"0\":\"|\",\"H\":\"^\",\"1\":\">\",\"t\":\"*\",\"J\":\"$\",\"d\":\"&\",\"z\":\"~\",\"L\":\".\",\"O\":\";\"}", "PCRT": "{\"h\":\"(\",\"n\":\"@\",\"M\":\"|\",\"Y\":\"%\",\"Q\":\")\",\"l\":\"&\",\"F\":\"#\",\"O\":\"<\",\"U\":\"!\",\"W\":\"`\",\"c\":\">\",\"2\":\"^\",\"B\":\" \",\"a\":\",\",\"K\":\".\",\"Z\":\"_\",\"m\":\"-\",\"E\":\"~\",\"o\":\";\",\"x\":\"*\",\"p\":\"$\"}", "TAG": "", "MUTEX": "DCR_MUTEX-5BbmMLF7hMWVj4tneyWz", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": true, "ignorepartiallyemptydata": true, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | ||
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | ||
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | ||
| JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | ||
| SUSP_Double_Base64_Encoded_Executable | Detects an executable that has been encoded with base64 twice | Florian Roth |
| |
| Click to see the 10 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 5.23.51.236192.168.2.480497162850862 08/05/22-17:44:21.513896 |
| SID: | 2850862 |
| Source Port: | 80 |
| Destination Port: | 49716 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Static PE information: | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||