Malware Analysis Report

2025-06-15 19:46

Sample ID 240325-eq23fsfg54
Target dd32729dcf73c31a478099c25da5789c
SHA256 6aedcdfc3f6fdc1ca86554a6ba351d9dbccec6c0ab5a0aec82ef583a4e690f0e
Tags
rat dcrat infostealer persistence
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

6aedcdfc3f6fdc1ca86554a6ba351d9dbccec6c0ab5a0aec82ef583a4e690f0e

Threat Level: Known bad

The file dd32729dcf73c31a478099c25da5789c was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer persistence

Dcrat family

DcRat

Process spawned unexpected child process

DCRat payload

DCRat payload

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 04:09

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 04:09

Reported

2024-03-25 04:12

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
N/A | N/A | C:\ProgramData\Start Menu\dwm.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Public\\Desktop\\cmd.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\ProgramData\\Start Menu\\dwm.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\cscdll\\services.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\DtcInstall\\explorer.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\PerfLogs\\Admin\\sppsvc.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\avicap32\\csrss.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Uninstall Information\\smss.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\WMSPDMOE\\sppsvc.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\avicap32\886983d96e3d3e31032c679b2d4ea91b6c05afef | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File created | C:\Windows\System32\WMSPDMOE\sppsvc.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File created | C:\Windows\System32\WMSPDMOE\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File created | C:\Windows\System32\cscdll\services.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File created | C:\Windows\System32\cscdll\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File created | C:\Windows\System32\avicap32\csrss.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Uninstall Information\smss.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File created | C:\Program Files\Uninstall Information\69ddcba757bf72f7d36c464c71f42baab150b2b9 | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rescache\rc0000\System.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File created | C:\Windows\DtcInstall\explorer.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File created | C:\Windows\DtcInstall\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
N/A | N/A | C:\ProgramData\Start Menu\dwm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\Start Menu\dwm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2184 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe | C:\Windows\SysWOW64\WScript.exe
PID 2184 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe | C:\Windows\SysWOW64\WScript.exe
PID 2184 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe | C:\Windows\SysWOW64\WScript.exe
PID 2184 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe | C:\Windows\SysWOW64\WScript.exe
PID 2992 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 2624 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 2624 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 2624 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 2552 wrote to memory of 1680 | N/A | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | C:\ProgramData\Start Menu\dwm.exe
PID 2552 wrote to memory of 1680 | N/A | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | C:\ProgramData\Start Menu\dwm.exe
PID 2552 wrote to memory of 1680 | N/A | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | C:\ProgramData\Start Menu\dwm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe

"C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat" "

C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe

"C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Desktop\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\cscdll\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DtcInstall\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\PerfLogs\Admin\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\avicap32\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\WMSPDMOE\sppsvc.exe'" /rl HIGHEST /f

C:\ProgramData\Start Menu\dwm.exe

"C:\ProgramData\Start Menu\dwm.exe"

Network

Country | Destination | Domain | Proto
RU | 89.108.88.227:80 | | tcp
RU | 89.108.88.227:80 | | tcp

Files

C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe

MD5 abd20005732c70524b80234027cf0db4
SHA1 d0cdbcfce900f87af778847ef0d3cab111d81a96
SHA256 a3f95542fdf730753c47edb849267864f0cff972bfa20cab36065c24953c45d6
SHA512 c3a71016fa58d8d1cd173c9b9ba32c157d2277535fd8f658cc87981cc4721d7c04e822b96a58d8f31d87724237b24c81635c13bb746dc12db1f2379e4867f7ba

C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat

MD5 58afc535c3d36e78abb3677a61dc4737
SHA1 bd3914278bba89d1b88dac33ca2b1ca9c04c3aa4
SHA256 ebdb6f3c9799886ce3dd7e9ed19333446b94303c8ad00d5b49d744a0c867d4d4
SHA512 8f609700f10ce525feee7a3e7bd1799e573bd6b1e67783478cf5e1390a18de5eb37bf179bbd805532f7e05d12602205af00e7b3c214d09516bdcbd90c25aa4b3

C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe

MD5 4f85fd9da0e6d825b520f09905b16301
SHA1 11b96ca925a09cd96569c4be2930b9b2bad9dd07
SHA256 fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942
SHA512 cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

memory/2552-13-0x0000000001280000-0x00000000013A2000-memory.dmp

memory/2552-14-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

memory/2552-15-0x0000000001200000-0x0000000001280000-memory.dmp

memory/1680-38-0x0000000000100000-0x0000000000222000-memory.dmp

memory/1680-39-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

memory/1680-40-0x000000001A8A0000-0x000000001A920000-memory.dmp

memory/2552-41-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

memory/1680-42-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

memory/1680-43-0x000000001A8A0000-0x000000001A920000-memory.dmp

memory/1680-44-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 04:09

Reported

2024-03-25 04:12

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
N/A | N/A | C:\Windows\Globalization\Time Zone\explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Globalization\\Time Zone\\explorer.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources\\SearchApp.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Microsoft OneDrive\\setup\\csrss.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\csrss.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\dimsjob\\RuntimeBroker.exe\"" | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\dimsjob\RuntimeBroker.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File created | C:\Windows\System32\dimsjob\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Globalization\Time Zone\explorer.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File opened for modification | C:\Windows\Globalization\Time Zone\explorer.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File created | C:\Windows\Globalization\Time Zone\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\55b276f4edf653fe07efe8f1ecc32d3d195abd16 | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File created | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\SearchApp.exe | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
File created | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\38384e6a620884a6b69bcc56f80d556f9200171c | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Globalization\Time Zone\explorer.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe

"C:\Users\Admin\AppData\Local\Temp\dd32729dcf73c31a478099c25da5789c.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat" "

C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe

"C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Microsoft OneDrive\setup\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\dimsjob\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\Globalization\Time Zone\explorer.exe

"C:\Windows\Globalization\Time Zone\explorer.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 201.238.32.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
RU | 89.108.88.227:80 | | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
RU | 89.108.88.227:80 | | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp

Files

C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe

MD5 abd20005732c70524b80234027cf0db4
SHA1 d0cdbcfce900f87af778847ef0d3cab111d81a96
SHA256 a3f95542fdf730753c47edb849267864f0cff972bfa20cab36065c24953c45d6
SHA512 c3a71016fa58d8d1cd173c9b9ba32c157d2277535fd8f658cc87981cc4721d7c04e822b96a58d8f31d87724237b24c81635c13bb746dc12db1f2379e4867f7ba

C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat

MD5 58afc535c3d36e78abb3677a61dc4737
SHA1 bd3914278bba89d1b88dac33ca2b1ca9c04c3aa4
SHA256 ebdb6f3c9799886ce3dd7e9ed19333446b94303c8ad00d5b49d744a0c867d4d4
SHA512 8f609700f10ce525feee7a3e7bd1799e573bd6b1e67783478cf5e1390a18de5eb37bf179bbd805532f7e05d12602205af00e7b3c214d09516bdcbd90c25aa4b3

C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe

MD5 4f85fd9da0e6d825b520f09905b16301
SHA1 11b96ca925a09cd96569c4be2930b9b2bad9dd07
SHA256 fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942
SHA512 cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

memory/1260-12-0x00000000006C0000-0x00000000007E2000-memory.dmp

memory/1260-13-0x00007FFEEE710000-0x00007FFEEF1D1000-memory.dmp

memory/1260-14-0x00000000028A0000-0x00000000028B0000-memory.dmp

memory/4324-41-0x00007FFEEE710000-0x00007FFEEF1D1000-memory.dmp

memory/1260-40-0x00007FFEEE710000-0x00007FFEEF1D1000-memory.dmp

memory/4324-42-0x000000001B560000-0x000000001B570000-memory.dmp

memory/4324-43-0x00007FFEEE710000-0x00007FFEEF1D1000-memory.dmp

memory/4324-44-0x000000001B560000-0x000000001B570000-memory.dmp

memory/4324-46-0x00007FFEEE710000-0x00007FFEEF1D1000-memory.dmp