Analysis Overview
SHA256
96e667b3511fd706f966946c64f7764b26f26c93b5297b36d8a6961921fb6eaa
Threat Level: Known bad
The file 19oa2h6ibyxkuece.exe was found to be: Known bad.
Malicious Activity Summary
Dcrat family
Process spawned unexpected child process
DCRat payload
DcRat
DCRat payload
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-13 19:33
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-13 19:33
Reported
2024-05-13 19:34
Platform
win11-20240426-en
Max time kernel
12s
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
(this row was reported 19 times, once per schtasks.exe invocation listed under Processes)
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(3 occurrences, all without further detail)
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
(this row was reported 19 times, once per schtasks.exe invocation listed under Processes)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\19oa2h6ibyxkuece.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4760 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\19oa2h6ibyxkuece.exe | C:\Windows\SysWOW64\WScript.exe |
(3 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\19oa2h6ibyxkuece.exe
"C:\Users\Admin\AppData\Local\Temp\19oa2h6ibyxkuece.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BrowserfontWininto\3dlXE8sYrHdS9t5pGyfBIdd4.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\BrowserfontWininto\O9huK39vJg2D.bat" "
C:\BrowserfontWininto\hyperagentsvc.exe
"C:\BrowserfontWininto\hyperagentsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\BrowserfontWininto\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Videos\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BrowserfontWininto\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\BrowserfontWininto\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\sysmon.exe'" /rl HIGHEST /f
Network
Files
C:\BrowserfontWininto\3dlXE8sYrHdS9t5pGyfBIdd4.vbe
| MD5 | b8e2e37054ea4d38065ca952d6d84b44 |
| SHA1 | 2e53e2f24a6a8980ffe933f07604dbd47f29e35d |
| SHA256 | 0098c79333600eb0a4121fd7c7a17e6c66ba8decad28dfd7a4b27be56b517cb2 |
| SHA512 | 6f477a8a943f02afe5c3a7c2ba2c48a57ec2e8a4af029b9396b84e9eb84835a0a12e08c6aac9c128c2d243632f9a051d2b443a525b51ff5efa5d6f0bd29f2f47 |
C:\BrowserfontWininto\O9huK39vJg2D.bat
| MD5 | 749eca6bd4b12b325159837abc0797b2 |
| SHA1 | 837b704e4ec038468364c09df18d879164483c14 |
| SHA256 | 255513dd588a6e344367c566daef338d25e68e6150481c5d345aeb2c4f099708 |
| SHA512 | 1b34ff9fd39a1c631485ff26faa30a2dfc9a6cd773d016a4841ebd6776e77980ea71207f5ee608833b7e78798c7a47497cfb57336585f0d862973797aec49253 |
C:\BrowserfontWininto\hyperagentsvc.exe
| MD5 | 764d2b855ffa643d2b4f69bb6bc616fa |
| SHA1 | c519ec7f05277231cf5a6541525f398bedee0ebc |
| SHA256 | a9dcf34f68612934c8bb265f6e679b52f7b92c64be84d6d96ef2d0cca0a50f87 |
| SHA512 | 804d1bc07be9437cca40971d4d889dd86e5b732f47e73ac74fcef1e50d64c73aab2d8900f4bc4e5352be515d8396fd16ff969bc23f57ea259b8c4d62bc0a8967 |
C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe
| MD5 | dca1fab69bdcab1a75787e7c1ec1ec14 |
| SHA1 | 2676f0ff21ab83b506eaa11dcf79cb3c99744320 |
| SHA256 | 60b51783cb0a44b6397cf90145a24c8678b126ef740d56d8e8a8a17d59a9a6df |
| SHA512 | bd184e3fb09c854de92c71a76725945c1fef11a1133ce28c3ee03006268a577b74168420ccbd153bda67e91d590c7202a1890f937ff013dc726dac37694adfa2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-13 19:33
Reported
2024-05-13 19:34
Platform
debian12-armhf-20240221-en
Max time network
0s
Signatures
Processes
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-13 19:33
Reported
2024-05-13 19:34
Platform
ubuntu2004-amd64-20240508-en
Max time kernel
0s
Max time network
0s
Signatures
Processes
/tmp/19oa2h6ibyxkuece.exe
[/tmp/19oa2h6ibyxkuece.exe]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |