Malware Analysis Report

2025-06-15 19:46

Sample ID 240325-c6vbfagh7t
Target dd0a4243de09c5864297da95ddc1362c
SHA256 23a9505d97a5c7c3ac76901f21e72ca79d0aa56393c3e9e13f30f5286431f1cc
Tags
dcrat infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

23a9505d97a5c7c3ac76901f21e72ca79d0aa56393c3e9e13f30f5286431f1cc

Threat Level: Known bad

The file dd0a4243de09c5864297da95ddc1362c was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer persistence rat

DCRat payload

Process spawned unexpected child process

Dcrat family

DcRat

Drops file in Drivers directory

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 02:41

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 02:41

Reported

2024-03-25 02:44

Platform

win10v2004-20240319-en

Max time kernel

145s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Monitornetdhcpcommon\UMkN4Z1\MonitornetdhcpcommonRefhostDll.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MonitornetdhcpcommonRefhostDll = "\"C:\\Monitornetdhcpcommon\\UMkN4Z1\\MonitornetdhcpcommonRefhostDll.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources\\StartMenuExperienceHost.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhostw.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\msedge.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\polstore\\fontdrvhost.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\polstore\fontdrvhost.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
File created C:\Windows\System32\polstore\5b884080fd4f94e2695da25c503f9e33b9605b83 C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsPowerShell\Modules\msedge.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\61a52ddc9dd915470897a065f14eeedfa88f98fd C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\BitLockerDiscoveryVolumeContents\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988 C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\55b276f4edf653fe07efe8f1ecc32d3d195abd16 C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\taskhostw.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
Token: SeDebugPrivilege N/A C:\Monitornetdhcpcommon\UMkN4Z1\MonitornetdhcpcommonRefhostDll.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1444 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe C:\Windows\SysWOW64\WScript.exe
PID 1444 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe C:\Windows\SysWOW64\WScript.exe
PID 1444 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe C:\Windows\SysWOW64\WScript.exe
PID 1972 wrote to memory of 1496 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 1496 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 1496 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe
PID 1496 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe
PID 4228 wrote to memory of 2748 N/A C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe C:\Windows\System32\cmd.exe
PID 4228 wrote to memory of 2748 N/A C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe C:\Windows\System32\cmd.exe
PID 2748 wrote to memory of 4900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2748 wrote to memory of 4900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2748 wrote to memory of 4332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2748 wrote to memory of 4332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2748 wrote to memory of 4420 N/A C:\Windows\System32\cmd.exe C:\Monitornetdhcpcommon\UMkN4Z1\MonitornetdhcpcommonRefhostDll.exe
PID 2748 wrote to memory of 4420 N/A C:\Windows\System32\cmd.exe C:\Monitornetdhcpcommon\UMkN4Z1\MonitornetdhcpcommonRefhostDll.exe
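The rows above double as a parent/child map: each PID pair is one process hand-off (the same pair repeated is the same child written to more than once while it is set up, not a new process). Rebuilt as a tree, they show the dropper chain: the sample in the user's Temp directory runs WScript on the .vbe, WScript runs cmd on the .bat, cmd starts the dropped EXE from C:\Monitornetdhcpcommon, and that EXE runs a second batch file (chcp, then w32tm, a common sleep substitute) before launching a copy of itself from the UMkN4Z1 subdirectory. The script below is an added example, not sandbox output: it parses these rows, renders the tree, and flags the hand-offs a hunting rule would key on. ROWS is copied from the win10 table above; the directory and image-name heuristics in assess() are assumptions chosen for illustration.

```python
"""Rebuild the process tree from the sandbox's "wrote to memory" rows.

Added example for this report (not sandbox output). ROWS is copied from the
win10 run's "Suspicious use of WriteProcessMemory" table; the heuristics in
assess() are illustrative assumptions, not the sandbox's own rules.
"""
import ntpath
import re

ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A "
    r"(?P<parent>.+?\.(?:exe|com)) (?P<child>.+)$", re.I)

# Directories an executable is expected to run from; anything else is flagged.
SYSTEM_ROOTS = (r"c:\windows", r"c:\program files", r"c:\users")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

ROWS = [  # copied from the report; duplicates are kept on purpose
    r"PID 1444 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 1444 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 1444 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 1972 wrote to memory of 1496 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 1972 wrote to memory of 1496 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 1972 wrote to memory of 1496 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 1496 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe",
    r"PID 1496 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe",
    r"PID 4228 wrote to memory of 2748 N/A C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe C:\Windows\System32\cmd.exe",
    r"PID 4228 wrote to memory of 2748 N/A C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe C:\Windows\System32\cmd.exe",
    r"PID 2748 wrote to memory of 4900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com",
    r"PID 2748 wrote to memory of 4900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com",
    r"PID 2748 wrote to memory of 4332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 2748 wrote to memory of 4332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 2748 wrote to memory of 4420 N/A C:\Windows\System32\cmd.exe C:\Monitornetdhcpcommon\UMkN4Z1\MonitornetdhcpcommonRefhostDll.exe",
    r"PID 2748 wrote to memory of 4420 N/A C:\Windows\System32\cmd.exe C:\Monitornetdhcpcommon\UMkN4Z1\MonitornetdhcpcommonRefhostDll.exe",
]


def parse_rows(rows):
    """Return {pid: (ppid, image)}; a PID pair repeated in the log is one child."""
    procs = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        ppid, pid = int(m["ppid"]), int(m["pid"])
        procs.setdefault(ppid, [None, m["parent"]])  # the root has no recorded parent
        procs[pid] = [ppid, m["child"]]
    return {pid: tuple(v) for pid, v in procs.items()}


def roots(procs):
    """PIDs whose parent never appears as a child (the sample itself here)."""
    return sorted(pid for pid, (ppid, _) in procs.items() if ppid not in procs)


def render(procs, pid, depth=0, out=None):
    """Indented parent -> child listing, children in PID order."""
    out = [] if out is None else out
    out.append("  " * depth + "%d %s" % (pid, procs[pid][1]))
    for child in sorted(c for c, (p, _) in procs.items() if p == pid):
        render(procs, child, depth + 1, out)
    return out


def assess(procs):
    """(pid, reason) pairs for the hand-offs a hunting rule would key on."""
    findings = []
    for pid, (ppid, image) in procs.items():
        name = ntpath.basename(image).lower()
        directory = ntpath.dirname(image).lower()
        parent = procs[ppid][1] if ppid in procs else ""
        pname = ntpath.basename(parent).lower()
        if name in SCRIPT_HOSTS and r"\appdata\local\temp" in ntpath.dirname(parent).lower():
            findings.append((pid, "%s started by a binary in the user's Temp directory" % name))
        if name == "cmd.exe" and pname in SCRIPT_HOSTS:
            findings.append((pid, "cmd.exe spawned by %s (script to batch hand-off)" % pname))
        if name.endswith(".exe") and not directory.startswith(SYSTEM_ROOTS):
            findings.append((pid, "executable run from non-standard directory %s" % ntpath.dirname(image)))
        if name in ("chcp.com", "w32tm.exe") and pname == "cmd.exe":
            findings.append((pid, "%s under cmd.exe: chcp plus w32tm /stripchart is a batch-file delay idiom" % name))
    return findings


if __name__ == "__main__":
    tree = parse_rows(ROWS)
    for root in roots(tree):
        print("\n".join(render(tree, root)))
    for pid, reason in assess(tree):
        print("[%d] %s" % (pid, reason))
```

The win7 run produces the same shape with different PIDs (2684 -> 2136 -> 2580 -> 2428 -> 2784); the schtasks.exe launches do not appear here because the sandbox records them under WmiPrvSE.exe, not under the dropper.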

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe

"C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Monitornetdhcpcommon\qTMy7tKgcv8HK3o1cT.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Monitornetdhcpcommon\UMkN4Z1.bat" "

C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe

"C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\polstore\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MonitornetdhcpcommonRefhostDll" /sc ONLOGON /tr "'C:\Monitornetdhcpcommon\UMkN4Z1\MonitornetdhcpcommonRefhostDll.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2CqMyoSWPb.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Monitornetdhcpcommon\UMkN4Z1\MonitornetdhcpcommonRefhostDll.exe

"C:\Monitornetdhcpcommon\UMkN4Z1\MonitornetdhcpcommonRefhostDll.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2232,i,3915538061666887171,15629965885515244134,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
NL 142.251.39.110:443 N/A tcp
NL 172.217.168.202:443 N/A tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
RU 92.63.96.207:80 92.63.96.207 tcp
NL 142.251.39.110:443 N/A tcp
US 8.8.8.8:53 207.96.63.92.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
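Most of this table is background noise: the udp/53 rows are reverse (PTR) lookups, which resolve an address to a name and are not by themselves evidence that the sample contacted that address, and the two :443 connections carry no hostname. The one destination reached by bare IP over plain HTTP, and the only destination recorded at all in the win7 run, is 92.63.96.207:80 (RU); that is the candidate C2 to pivot on. The script below is an added example, not sandbox output: it parses the rows, separates DNS traffic from connections, and labels each connection. ROWS is copied from the table above; the verdict strings are illustrative assumptions and make no claim about the protocol the sample speaks.

```python
"""Split a sandbox network table into DNS noise and direct connections.

Added example for this report (not sandbox output). ROWS is copied from the
win10 run's Network table; the verdict labels are illustrative assumptions.
"""
import re

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")

ROWS = [  # copied from the report
    "US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp",
    "US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp",
    "NL 142.251.39.110:443 tcp",
    "NL 172.217.168.202:443 tcp",
    "US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp",
    "RU 92.63.96.207:80 92.63.96.207 tcp",
    "NL 142.251.39.110:443 tcp",
    "US 8.8.8.8:53 207.96.63.92.in-addr.arpa udp",
    "US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp",
    "US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp",
    "US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp",
    "US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp",
    "US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp",
    "US 8.8.8.8:53 208.238.32.23.in-addr.arpa udp",
    "US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp",
]


def ptr_target(domain):
    """'207.96.63.92.in-addr.arpa' -> '92.63.96.207'; None for anything else."""
    if not domain or not domain.endswith(".in-addr.arpa"):
        return None
    octets = domain[:-len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def parse(rows):
    """One dict per row; an absent or 'N/A' Domain column becomes None."""
    conns = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        c = m.groupdict()
        c["port"] = int(c["port"])
        if c["domain"] == "N/A":
            c["domain"] = None
        conns.append(c)
    return conns


def triage(rows):
    """Count DNS queries, collect PTR targets, and label each distinct connection."""
    conns = parse(rows)
    ptr = {ptr_target(c["domain"]) for c in conns} - {None}
    result = {"dns_queries": 0, "ptr_lookups": sorted(ptr), "connections": []}
    seen = set()
    for c in conns:
        if c["port"] == 53 and c["proto"] == "udp":
            result["dns_queries"] += 1
            continue
        key = (c["ip"], c["port"])
        if key in seen:  # the same destination reconnecting is one entry
            continue
        seen.add(key)
        named = c["domain"] not in (None, c["ip"])  # a bare IP as "domain" is no name
        if not named and c["port"] == 80:
            verdict = "candidate C2: plain HTTP to a bare IP, no hostname"
        elif not named:
            verdict = "unresolved TLS: check SNI/certificate before attributing it to the sample"
        else:
            verdict = "resolved by name"
        result["connections"].append({
            "dst": "%s:%d" % key, "country": c["cc"], "named": named,
            "ptr_seen": c["ip"] in ptr, "verdict": verdict})
    return result


if __name__ == "__main__":
    r = triage(ROWS)
    print("%d DNS queries, PTR lookups for: %s" % (r["dns_queries"], ", ".join(r["ptr_lookups"])))
    for c in r["connections"]:
        print("%-22s %s  ptr_seen=%s  %s" % (c["dst"], c["country"], c["ptr_seen"], c["verdict"]))
```

ptr_seen is worth keeping in the output: the PTR query for 207.96.63.92.in-addr.arpa follows the connection to 92.63.96.207, so the lookup annotates the destination rather than explaining it.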

Files

C:\Monitornetdhcpcommon\qTMy7tKgcv8HK3o1cT.vbe

MD5 bf3d7f76563cab7463d7af23eae9806d
SHA1 c5bf0526d8815d1223a1fd7919872ab22fb0d86c
SHA256 90d824616f4cfb00b38f8787620d092ece7fec348c788d4cafd4a37e30abe194
SHA512 7020295c2f35b05297f432b387ae50fb884ba7eb856f333cf5dc16c2d779b11a1a64bdf7c4abdc974666e6225dc7824e6e45c6bc258519a0a5baaf95619ac430

C:\Monitornetdhcpcommon\UMkN4Z1.bat

MD5 48a60762b79ad9f6a6243ac662713ce2
SHA1 b0adb833ec22168c21022ff4a9da743d2803dace
SHA256 7125fce7974bcb82ed25158d6df05502444032b5ee3dbd632b9688ea0aa3d4c4
SHA512 f26f35f69fd8fe4c83cad1e06cb5e0451654f6890242f4781a83d74c79d36116dd802e71f2914664d2858ac43a08ecec2fcabdd29093b8f40e03b79f30059cb3

C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe

MD5 5403717e99762e8c0e9cc5e97c74473c
SHA1 3405db3bab54365efb29172f061dc461a43f9da3
SHA256 c282d6ab229dbc8f26ebe56d64db0c5ac2721a8d0d3d3f915563d125cccbbb4b
SHA512 334b4da3b0a8c92d1f10ddaae473379a0ed966e699d45aa57240c37464f3f30488375376d447f0e6ab621fa92337a79f95ca387dbb72e337565f0a9eda0400a3

memory/4228-12-0x0000000000E70000-0x0000000000FBE000-memory.dmp

memory/4228-13-0x00007FF8D3190000-0x00007FF8D3C51000-memory.dmp

memory/4228-14-0x000000001BD00000-0x000000001BD10000-memory.dmp

memory/4228-32-0x00007FF8D3190000-0x00007FF8D3C51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2CqMyoSWPb.bat

MD5 1e56262fdece41c68476bcc2a877d541
SHA1 9e6d4b8f328212ce0ed18b7371115e79849b10d7
SHA256 7379e79f3e4d049a6e48965ae153758e9928cfa6d9eaf27c7ee15a09b5b2fe74
SHA512 b0b43aaf0a8d7e8cca3a88a6f7ce6a84995ea75994215e18a4d7ebeddde737453033c7f04a7be9b0894c04a8633ddec75dd29f5e27de9062017f93e2d5fc59b7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MonitornetdhcpcommonRefhostDll.exe.log

MD5 b7c0c43fc7804baaa7dc87152cdc9554
SHA1 1bab62bd56af745678d4e967d91e1ccfdeed4038
SHA256 46386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457
SHA512 9fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769

memory/4420-38-0x00007FF8D3570000-0x00007FF8D4031000-memory.dmp

memory/4420-39-0x000000001B2D0000-0x000000001B2E0000-memory.dmp

memory/4420-40-0x00000000028F0000-0x00000000028F8000-memory.dmp

memory/4420-41-0x0000000002900000-0x0000000002908000-memory.dmp

memory/4420-42-0x0000000002910000-0x0000000002918000-memory.dmp

memory/4420-43-0x000000001B210000-0x000000001B21C000-memory.dmp

memory/4420-44-0x000000001B220000-0x000000001B22A000-memory.dmp

memory/4420-45-0x000000001B230000-0x000000001B238000-memory.dmp

memory/4420-46-0x000000001B240000-0x000000001B248000-memory.dmp

memory/4420-47-0x0000000002920000-0x0000000002928000-memory.dmp

memory/4420-48-0x000000001B250000-0x000000001B258000-memory.dmp

memory/4420-49-0x000000001B280000-0x000000001B288000-memory.dmp

memory/4420-51-0x000000001B260000-0x000000001B268000-memory.dmp

memory/4420-52-0x000000001B270000-0x000000001B278000-memory.dmp

memory/4420-53-0x000000001B290000-0x000000001B298000-memory.dmp

memory/4420-54-0x000000001B2A0000-0x000000001B2A8000-memory.dmp

memory/4420-56-0x000000001B380000-0x000000001B388000-memory.dmp

memory/4420-58-0x000000001B2D0000-0x000000001B2E0000-memory.dmp

memory/4420-57-0x000000001B390000-0x000000001B398000-memory.dmp

memory/4420-55-0x000000001B2D0000-0x000000001B2E0000-memory.dmp

memory/4420-59-0x000000001B3A0000-0x000000001B3A8000-memory.dmp

memory/4420-60-0x000000001B2D0000-0x000000001B2E0000-memory.dmp

memory/4420-61-0x000000001B2D0000-0x000000001B2E0000-memory.dmp

memory/4420-62-0x00007FF8D3570000-0x00007FF8D4031000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 02:41

Reported

2024-03-25 02:44

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\System32\sppwmi\sppsvc.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Program Files\Windows Media Player\winlogon.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
N/A N/A C:\Program Files\Windows Media Player\winlogon.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\sppwmi\\sppsvc.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Media Player\\winlogon.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\SysWOW64\\setup16\\cmd.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PerfLogs\\Admin\\services.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Monitornetdhcpcommon\\sppsvc.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\EhStorAPI\\csrss.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\setup16\cmd.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
File created C:\Windows\SysWOW64\setup16\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228 C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
File created C:\Windows\System32\EhStorAPI\csrss.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
File created C:\Windows\System32\EhStorAPI\886983d96e3d3e31032c679b2d4ea91b6c05afef C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
File created C:\Windows\System32\sppwmi\sppsvc.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
File opened for modification C:\Windows\System32\sppwmi\sppsvc.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
File created C:\Windows\System32\sppwmi\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\winlogon.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
File created C:\Program Files\Windows Media Player\cc11b995f2a76da408ea6a601e682e64743153ad C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Media Player\winlogon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe C:\Windows\SysWOW64\WScript.exe
PID 2684 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe C:\Windows\SysWOW64\WScript.exe
PID 2684 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe C:\Windows\SysWOW64\WScript.exe
PID 2684 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe C:\Windows\SysWOW64\WScript.exe
PID 2136 wrote to memory of 2580 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2580 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2580 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2580 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe
PID 2580 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe
PID 2580 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe
PID 2580 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe
PID 2428 wrote to memory of 2784 N/A C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe C:\Program Files\Windows Media Player\winlogon.exe
PID 2428 wrote to memory of 2784 N/A C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe C:\Program Files\Windows Media Player\winlogon.exe
PID 2428 wrote to memory of 2784 N/A C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe C:\Program Files\Windows Media Player\winlogon.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe

"C:\Users\Admin\AppData\Local\Temp\dd0a4243de09c5864297da95ddc1362c.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Monitornetdhcpcommon\qTMy7tKgcv8HK3o1cT.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Monitornetdhcpcommon\UMkN4Z1.bat" "

C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe

"C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\sppwmi\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\setup16\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PerfLogs\Admin\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Monitornetdhcpcommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\EhStorAPI\csrss.exe'" /rl HIGHEST /f

C:\Program Files\Windows Media Player\winlogon.exe

"C:\Program Files\Windows Media Player\winlogon.exe"
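Both runs lay down persistence the same way: copies of the dropped EXE are written under names borrowed from Windows binaries (csrss, winlogon, services, sppsvc, taskhostw, fontdrvhost, StartMenuExperienceHost, msedge, cmd) into directories where those binaries do not normally live, each copy gets a 40-hex-character companion file beside it, and each path is registered twice, as a scheduled task with /sc ONLOGON /rl HIGHEST /f and as an HKLM Run value. Two caveats for detection and response: the schtasks.exe launches are recorded with WmiPrvSE.exe as parent (the "Process spawned unexpected child process" rows), which is what a process created through WMI looks like, so a rule that expects the dropper to be the parent of schtasks.exe misses them; and the final copy opens C:\Windows\System32\drivers\etc\hosts for modification in both runs, so the hosts file belongs on the same sweep. The script below is an added example, not sandbox output: it parses a subset of the schtasks command lines and Run-key indicators from both runs (copied verbatim) and flags name/location mismatches and the ONLOGON/HIGHEST pattern. EXPECTED_DIRS is an illustrative assumption, not a complete allowlist.

```python
"""Flag masquerading autostart entries recorded by the sandbox.

Added example for this report (not sandbox output). The inputs below are a
subset of the schtasks command lines and Run-key "Set value" indicators from
both behavioral runs; EXPECTED_DIRS is an illustrative assumption, not a
complete allowlist of where these binaries live.
"""
import ntpath
import re

EXPECTED_DIRS = {  # lower-case directory a binary of this name ships in
    "csrss.exe": (r"c:\windows\system32",),
    "winlogon.exe": (r"c:\windows\system32",),
    "services.exe": (r"c:\windows\system32",),
    "sppsvc.exe": (r"c:\windows\system32",),
    "taskhostw.exe": (r"c:\windows\system32",),
    "fontdrvhost.exe": (r"c:\windows\system32",),
    "cmd.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "startmenuexperiencehost.exe": (r"c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy",),
    "msedge.exe": (r"c:\program files (x86)\microsoft\edge\application", r"c:\program files\microsoft\edge\application"),
}
SYSTEM_ROOTS = (r"c:\windows", r"c:\program files")  # the (x86) tree shares the prefix

SCHTASKS_CMDLINES = [  # copied from the report (three per run)
    r'''schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\msedge.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\polstore\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PerfLogs\Admin\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\EhStorAPI\csrss.exe'" /rl HIGHEST /f''',
]
RUNKEY_INDICATORS = [  # copied from the report (two per run)
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MonitornetdhcpcommonRefhostDll = "\"C:\\Monitornetdhcpcommon\\UMkN4Z1\\MonitornetdhcpcommonRefhostDll.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhostw.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\SysWOW64\\setup16\\cmd.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Monitornetdhcpcommon\\sppsvc.exe\"" C:\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe N/A',
]
RUNKEY_RE = re.compile(r'\\Run\\(?P<name>\S+) = "\\"(?P<path>.+?)\\""')  # value is JSON-escaped in the report


def parse_schtasks(cmdline):
    """Pull task name, target, schedule and run level out of a schtasks /create line."""
    name = re.search(r'/tn\s+"([^"]+)"', cmdline, re.I)
    target = re.search(r'/tr\s+"\'?([^"\']+?)\'?"', cmdline, re.I)
    sched = re.search(r'/sc\s+(\S+)', cmdline, re.I)
    level = re.search(r'/rl\s+(\S+)', cmdline, re.I)
    if not (name and target):
        return None
    return {"source": "schtasks", "name": name.group(1), "path": target.group(1),
            "schedule": sched.group(1).upper() if sched else "",
            "level": level.group(1).upper() if level else "",
            "force": bool(re.search(r'\s/f(?:\s|$)', cmdline, re.I))}


def parse_runkey(indicator):
    """Pull value name and target path out of a Run-key 'Set value' indicator."""
    m = RUNKEY_RE.search(indicator)
    if not m:
        return None
    return {"source": "runkey", "name": m.group("name"), "schedule": "", "level": "",
            "force": False, "path": m.group("path").replace("\\\\", "\\")}


def assess(entry):
    """Reasons this autostart entry looks like masquerading persistence."""
    exe = ntpath.basename(entry["path"]).lower()
    directory = ntpath.dirname(entry["path"]).lower()
    reasons = []
    expected = EXPECTED_DIRS.get(exe)
    if expected and directory not in expected:
        reasons.append("%s outside its expected directory (%s)" % (exe, " or ".join(expected)))
    if not directory.startswith(SYSTEM_ROOTS):
        reasons.append("target outside system roots: %s" % ntpath.dirname(entry["path"]))
    if entry["name"].lower() + ".exe" in EXPECTED_DIRS:
        reasons.append("entry name borrowed from a well-known Windows binary")
    if entry["schedule"] == "ONLOGON" and entry["level"] == "HIGHEST":
        reasons.append("runs with highest privileges at every logon")
    if entry["force"]:
        reasons.append("/f silently replaces any existing task of that name")
    return reasons


def analyze(schtasks_lines, runkey_lines):
    """Every entry that draws at least one reason, with its reasons attached."""
    entries = [parse_schtasks(l) for l in schtasks_lines] + [parse_runkey(l) for l in runkey_lines]
    findings = []
    for entry in entries:
        reasons = assess(entry) if entry else []
        if reasons:
            findings.append(dict(entry, reasons=reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SCHTASKS_CMDLINES, RUNKEY_INDICATORS):
        print("%-8s %-32s %s" % (f["source"], f["name"], f["path"]))
        for reason in f["reasons"]:
            print("         - " + reason)
```

The same parsers take Sysmon event 1 command lines and event 13 registry values directly; the name/directory check is the part worth keeping, since DCRat droppers vary the task names but the mismatch between a system binary's name and an odd directory survives.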

Network

Country Destination Domain Proto
RU 92.63.96.207:80 92.63.96.207 tcp

Files

C:\Monitornetdhcpcommon\qTMy7tKgcv8HK3o1cT.vbe

MD5 bf3d7f76563cab7463d7af23eae9806d
SHA1 c5bf0526d8815d1223a1fd7919872ab22fb0d86c
SHA256 90d824616f4cfb00b38f8787620d092ece7fec348c788d4cafd4a37e30abe194
SHA512 7020295c2f35b05297f432b387ae50fb884ba7eb856f333cf5dc16c2d779b11a1a64bdf7c4abdc974666e6225dc7824e6e45c6bc258519a0a5baaf95619ac430

C:\Monitornetdhcpcommon\UMkN4Z1.bat

MD5 48a60762b79ad9f6a6243ac662713ce2
SHA1 b0adb833ec22168c21022ff4a9da743d2803dace
SHA256 7125fce7974bcb82ed25158d6df05502444032b5ee3dbd632b9688ea0aa3d4c4
SHA512 f26f35f69fd8fe4c83cad1e06cb5e0451654f6890242f4781a83d74c79d36116dd802e71f2914664d2858ac43a08ecec2fcabdd29093b8f40e03b79f30059cb3

\Monitornetdhcpcommon\MonitornetdhcpcommonRefhostDll.exe

MD5 5403717e99762e8c0e9cc5e97c74473c
SHA1 3405db3bab54365efb29172f061dc461a43f9da3
SHA256 c282d6ab229dbc8f26ebe56d64db0c5ac2721a8d0d3d3f915563d125cccbbb4b
SHA512 334b4da3b0a8c92d1f10ddaae473379a0ed966e699d45aa57240c37464f3f30488375376d447f0e6ab621fa92337a79f95ca387dbb72e337565f0a9eda0400a3

memory/2428-13-0x0000000000340000-0x000000000048E000-memory.dmp

memory/2428-14-0x000007FEF6010000-0x000007FEF69FC000-memory.dmp

memory/2428-15-0x0000000000690000-0x0000000000710000-memory.dmp

memory/2784-36-0x00000000008F0000-0x0000000000A3E000-memory.dmp

memory/2784-35-0x000007FEF6010000-0x000007FEF69FC000-memory.dmp

memory/2428-34-0x000007FEF6010000-0x000007FEF69FC000-memory.dmp

memory/2784-37-0x000000001AFF0000-0x000000001B070000-memory.dmp

memory/2784-38-0x0000000000350000-0x0000000000358000-memory.dmp

memory/2784-39-0x0000000000370000-0x0000000000378000-memory.dmp

memory/2784-40-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2784-41-0x00000000004A0000-0x00000000004AC000-memory.dmp

memory/2784-42-0x0000000000410000-0x000000000041A000-memory.dmp

memory/2784-43-0x00000000004C0000-0x00000000004C8000-memory.dmp

memory/2784-44-0x00000000004D0000-0x00000000004D8000-memory.dmp

memory/2784-45-0x00000000004E0000-0x00000000004E8000-memory.dmp

memory/2784-46-0x00000000004B0000-0x00000000004B8000-memory.dmp

memory/2784-48-0x00000000004F0000-0x00000000004F8000-memory.dmp

memory/2784-49-0x0000000000500000-0x0000000000508000-memory.dmp

memory/2784-50-0x0000000000510000-0x0000000000518000-memory.dmp

memory/2784-51-0x0000000000520000-0x0000000000528000-memory.dmp

memory/2784-52-0x0000000000580000-0x0000000000588000-memory.dmp

memory/2784-53-0x0000000000530000-0x0000000000538000-memory.dmp

memory/2784-54-0x0000000000540000-0x0000000000548000-memory.dmp

memory/2784-55-0x0000000000550000-0x0000000000558000-memory.dmp

memory/2784-56-0x000000001AFF0000-0x000000001B070000-memory.dmp

memory/2784-57-0x000000001AFF0000-0x000000001B070000-memory.dmp

memory/2784-58-0x000000001AFF0000-0x000000001B070000-memory.dmp

memory/2784-59-0x000007FEF6010000-0x000007FEF69FC000-memory.dmp