Malware Analysis Report

2024-11-15 05:49

Sample ID 240513-xj3phshf81
Target 149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0
SHA256 149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0
Tags rat dcrat evasion infostealer spyware stealer discovery
Score 10/10

Analysis Overview

Score 10/10

SHA256 149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0

Threat Level: Known bad

The file 149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0 was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer spyware stealer discovery

Process spawned unexpected child process

DCRat payload

Dcrat family

DcRat

DCRat payload

Disables Task Manager via registry modification

Checks computer location settings

Modifies file permissions

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Modifies registry class

Modifies Internet Explorer settings

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-13 18:53

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 18:53

Reported

2024-05-13 18:56

Platform

win7-20240221-en

Max time kernel

129s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File created C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\wozFTjVIuw5Ij.vbe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\wozFTjVIuw5Ij.vbe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18 C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File created C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\__tmp_rar_sfx_access_check_259400194 C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File created C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\6AixvTBYkcX8JRK4xN.bat C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\6AixvTBYkcX8JRK4xN.bat C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\es-ES\audiodg.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\es-ES\audiodg.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File created C:\Program Files\Windows Sidebar\es-ES\42af1c969fbb7b C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File created C:\Program Files (x86)\Microsoft Office\csrss.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File created C:\Program Files (x86)\Microsoft Office\886983d96e3d3e C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppPatch\Custom\Custom64\f3b6ecef712a24 C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File created C:\Windows\Media\Characters\dwm.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File created C:\Windows\Media\Characters\6cb0b6c459d5d3 C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File created C:\Windows\Branding\Basebrd\en-US\dwm.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File created C:\Windows\Branding\Basebrd\en-US\6cb0b6c459d5d3 C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File created C:\Windows\AppPatch\Custom\Custom64\spoolsv.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e000000000200000000001066000000010000200000008a350a3ad06ccf2b3dd67c69671f3f9259b1e08d02a45b64d713e79e711a0300000000000e8000000002000020000000fdfcfefd1f730c23c64c6acd5bda33de53bf6ba2a0d21b14f3670de76af38cd020000000e8d0842b70d70078b939610be8f681f6f8e0b4e4dfb72f9016b1158a99a5ac95400000001cdea1c61fb5f1ffc1806c7960db07b32371b91eb4a6429e3fbaeee003c4225d86975637208fc9b8f2341392da56ba5b9e41db56ec92817a91cd11dc652d6024 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 005ad00067a5da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "222" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "209" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "222" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "222" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421788309" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{29A25CD1-115A-11EF-B1D1-D2EFD46A7D0E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "227" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "227" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "227" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Public\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\cmd.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 756 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe C:\Users\Admin\AppData\Local\Temp\dcrat3.exe
PID 756 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe C:\Users\Admin\AppData\Local\Temp\dcrat3.exe
PID 756 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe C:\Users\Admin\AppData\Local\Temp\dcrat3.exe
PID 756 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe C:\Users\Admin\AppData\Local\Temp\dcrat3.exe
PID 756 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe
PID 756 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe
PID 756 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe
PID 756 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe
PID 2072 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\dcrat1.exe C:\Windows\SysWOW64\WScript.exe
PID 2072 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\dcrat1.exe C:\Windows\SysWOW64\WScript.exe
PID 2072 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\dcrat1.exe C:\Windows\SysWOW64\WScript.exe
PID 2072 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\dcrat1.exe C:\Windows\SysWOW64\WScript.exe
PID 2876 wrote to memory of 2612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe
PID 2612 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe
PID 2612 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe
PID 2612 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe
PID 296 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\dcrat3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 296 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\dcrat3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 296 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\dcrat3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 296 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\dcrat3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2324 wrote to memory of 1712 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2324 wrote to memory of 1712 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2324 wrote to memory of 1712 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2324 wrote to memory of 1712 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2436 wrote to memory of 1352 N/A C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe C:\Users\Public\cmd.exe
PID 2436 wrote to memory of 1352 N/A C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe C:\Users\Public\cmd.exe
PID 2436 wrote to memory of 1352 N/A C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe C:\Users\Public\cmd.exe
PID 2612 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2612 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2612 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2612 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe

"C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe"

C:\Users\Admin\AppData\Local\Temp\dcrat3.exe

"C:\Users\Admin\AppData\Local\Temp\dcrat3.exe"

C:\Users\Admin\AppData\Local\Temp\dcrat1.exe

"C:\Users\Admin\AppData\Local\Temp\dcrat1.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\wozFTjVIuw5Ij.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\6AixvTBYkcX8JRK4xN.bat" "

C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe

"C:\\Windows\System32\Microsoft\Protect\S-1-5-18\User\dwm.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\es-ES\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\es-ES\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Characters\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Media\Characters\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Characters\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\Basebrd\en-US\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\en-US\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Branding\Basebrd\en-US\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\Custom\Custom64\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\AppPatch\Custom\Custom64\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\Custom\Custom64\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f

C:\Users\Public\cmd.exe

"C:\Users\Public\cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 java.com udp
NL 23.62.61.163:80 java.com tcp
NL 23.62.61.163:80 java.com tcp
US 8.8.8.8:53 www.java.com udp
NL 23.62.61.137:80 www.java.com tcp
NL 23.62.61.137:80 www.java.com tcp
NL 23.62.61.137:443 www.java.com tcp
US 8.8.8.8:53 static.ocecdn.oraclecloud.com udp
US 8.8.8.8:53 a0979626.xsph.ru udp
NO 104.110.16.41:443 static.ocecdn.oraclecloud.com tcp
NO 104.110.16.41:443 static.ocecdn.oraclecloud.com tcp
RU 141.8.192.58:80 a0979626.xsph.ru tcp
US 8.8.8.8:53 s.go-mpulse.net udp
BE 23.55.96.141:443 s.go-mpulse.net tcp
BE 23.55.96.141:443 s.go-mpulse.net tcp
RU 141.8.192.58:80 a0979626.xsph.ru tcp
NL 23.62.61.137:443 www.java.com tcp
NL 23.62.61.137:443 www.java.com tcp
US 8.8.8.8:53 c.go-mpulse.net udp
BE 2.21.16.148:443 c.go-mpulse.net tcp
BE 2.21.16.148:443 c.go-mpulse.net tcp
NL 23.62.61.137:443 www.java.com tcp
US 8.8.8.8:53 c.oracleinfinity.io udp
US 8.8.8.8:53 www.oracle.com udp
NL 23.62.61.146:443 c.oracleinfinity.io tcp
NL 23.62.61.146:443 c.oracleinfinity.io tcp
BE 23.55.97.240:443 www.oracle.com tcp
BE 23.55.97.240:443 www.oracle.com tcp
US 8.8.8.8:53 dc.oracleinfinity.io udp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
RU 141.8.192.58:80 a0979626.xsph.ru tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
RU 141.8.192.58:80 a0979626.xsph.ru tcp

Files

memory/756-0-0x000000007482E000-0x000000007482F000-memory.dmp

memory/756-1-0x0000000000DF0000-0x0000000000FAC000-memory.dmp

\Users\Admin\AppData\Local\Temp\dcrat3.exe

MD5 2c7d37e90dd8ab57d06dad5bc7956885
SHA1 da789c107c4c68b8250b6589e45e5a3cf7a9a143
SHA256 5ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939
SHA512 e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f

\Users\Admin\AppData\Local\Temp\dcrat1.exe

MD5 81e978a9392b56444619c5fc28bcf0b0
SHA1 cf322f5be4a9c3fad09714a1efb7e730ba977c40
SHA256 70eae81f9363375c7301e4d48a7c5bc5588a9100cbd300eb358fed2327c40dbe
SHA512 370e4faf61c93d47b3e60196fc1f8c17de35b076b383566a817c5a2358396dd6a7dc5677b86115cd61d413e4c717ddc5c426aaa2590f47b63643bbfab148d76c

C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\wozFTjVIuw5Ij.vbe

MD5 30a1a984f3afcec8d166e9b90ae4dded
SHA1 5dd5a1fb85732376bcb5478e5f627d251ef79983
SHA256 6fc7d156666453ba430f30ea19b47c55a0bf88a7c1a8ce407322270e8f596929
SHA512 63e72a5178fbffda94382356177f07a0781bb4a597be67075395c3afe4002a9c186d5b5edb5b7e4bed6c38c8c8b06acc0c623a0ec963fa4216383a6112ffc768

C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\6AixvTBYkcX8JRK4xN.bat

MD5 d140d65ea96f1a8e52a20c00b8092225
SHA1 4f7831d9ee21770079e91f083b8c4ce77a544695
SHA256 2dc114e83c3e2339c249a58648875ec0988dec9158ab35cbfe9cff50171ae3ac
SHA512 4c0539d4584d7814ea3c73b771a80321fc58208e9a122f29129898621d0dbe4de72c05100c9fac7f503b0b7a0ada4045cedd7fb9434bd904bb51b8b9a74f3830

C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe

MD5 6a052712569ad65c7bd5a0ffab54c051
SHA1 0dbff6cdf01b13465a729e2370cf2244fe5a0218
SHA256 ab64355e0ceb9e47a235a8f1be8d557d22e267521be47733d476f8004a3a69e0
SHA512 8875cd956120870a452dd85113e90cf3b3fe7132bf6b699caf9944a72b8700dced4e5e41e882c021b34a376fa645c2a841e454eba49bda684285512baaa91cda

memory/2436-31-0x0000000000B90000-0x0000000000CE0000-memory.dmp

memory/296-32-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2436-33-0x0000000000360000-0x000000000037C000-memory.dmp

memory/2436-34-0x0000000000380000-0x0000000000396000-memory.dmp

memory/2436-35-0x0000000000340000-0x0000000000352000-memory.dmp

memory/2436-36-0x0000000000490000-0x000000000049E000-memory.dmp

memory/1352-58-0x0000000001180000-0x00000000012D0000-memory.dmp

memory/1352-59-0x0000000000380000-0x0000000000392000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\3ZN4ZLFU\www.java[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\favicon[1].ico

MD5 8e39f067cc4f41898ef342843171d58a
SHA1 ab19e81ce8ccb35b81bf2600d85c659e78e5c880
SHA256 872bad18b566b0833d6b496477daab46763cf8bdec342d34ac310c3ac045cefd
SHA512 47cd7f4ce8fcf0fc56b6ffe50450c8c5f71e3c379ecfcfd488d904d85ed90b4a8dafa335d0e9ca92e85b02b7111c9d75205d12073253eed681868e2a46c64890

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3pl5scb\imagestore.dat

MD5 0b8c5b7b7b47a93bbfb6c5143b894b16
SHA1 d461f7f718b8b67aec672701d9327abb159c508a
SHA256 148f7ad7f2a7ef13d713f6f63032b641e6f03a9faa96e3eaf2626c45ff2ae9df
SHA512 89843f82100d6c771ca0dccda71ae340baeb7f70c5749b77fe54c52bb8387bbc1b7c8744be49e65f146ca5e07edc9543963c46e4ec97c1a2da434ef31b5bd4f3

C:\Users\Admin\AppData\Local\Temp\Cab626C.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc67d38d32dfde6385424f8cacc0c964
SHA1 13b10d4948e91b6138372ae116b6a520ded02bdb
SHA256 125c3dd9cadbc81ec2e9cf9c2c62003ca1e5cb67f46c250e6cd1800de188e149
SHA512 c9b79d1d722f609917e556785aaf899c00e90788c48ff19846648a25094c97b940f46880c979cf0f25b6d7e3052eee65654a3d557d755c28cd866dcabb00ce71

C:\Users\Admin\AppData\Local\Temp\Tar627E.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar637E.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5d2e85a6e61f517ecb0d8672e68082c
SHA1 3b812d5ff00893cd57eb343d1430da45399ad719
SHA256 aae5d3f30916f9a17c633a225a0648eaf077757c97b00ee0ebfb6d32c5902dc2
SHA512 fc9803376798fcf7aab61c805aa9955d2741296c6ec34feb710f16a76d6ec786d2ceb6a6315fcad518be1a2873baf9af107b32b1d30939d347ed8e174fe2b52a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 776a240686e5849b697563b1fa848732
SHA1 202e4003878e7cafbc96ae777b648df20b3fe8d9
SHA256 b1dbd0324deeaed2f1d2a9022b88181575f43de22ca433462b3dcef64c8b1b70
SHA512 ec515e5dc9b490b0381728dabfebc1deec2031977884ae02e3b6550ca9a2d53b70cc92d73ba073de9927dc703c3a70e524ea5feb9d4da5874f693e7ed65b8acf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2eb8154bb6de2b942e8a0289385e930e
SHA1 fae3f2b80c2d5e02880b751bcd16ea422cec51e6
SHA256 697c0f0abcf3e1080361590008c60a184efca56367b2393d28eee5224f21ab3a
SHA512 36c58d9b797494d6b67b40a3a884c66e87affe6a9f90635f646d4e9ed50dc2465ecde38bcf16fa2ae45664fc269867905822405c5ceb561b006bc4230e715f71

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e033310658a3096e8bd148a4662e3f7b
SHA1 4417c5503263676925eb8cdac529dc28470a0c03
SHA256 37b912addd2512f7c3dc1c8c86ab0bf1e685a17098623a83a61b04c96b3c0b66
SHA512 ac34f98d5fec9ffd43f567770c26bca4f5f5f782c22405aad564112ead408298fe553ba896e09368d56f9a75965d7e8416f3aabd898f3a7a543355bb4d8c4de2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1ef38411412eb0c6296ae668b6d238a
SHA1 4e780503ccfdbc65ad20d2df7bd46f4d7ce867a5
SHA256 8695b87e39e9316a0297f7b41adc6581b72e23c9acf03ead6a74c8c55ce54c18
SHA512 671ec349476a2c564d6427145fcfb606996017d040e1312ef8cbf8541f027815ddf17f1e3464da7f3237497b1558082a9c0d42077272e2ed0fcee06a5dbd3d03

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35bdedda8988723d5a78bb375841cbd1
SHA1 0692cb53bab1c3653c84824d62d3da309a95b74f
SHA256 cec47bde33dd6461e974d6b110e38a00dab4c814b79090538b925dea84223ef2
SHA512 a5981436d0171adda53e5c398e810d2f027deb36bc7fbff019f17ed68e253dbff0a0d758c6c3dcc1983e066650b2cd9d00fa48b9dc6ec5795c033c597c7f54d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 863eda2f5a0ef02428c13e5b11cdb02e
SHA1 873bb7af009ae6abb7b9bcb041b2ab5baea993d8
SHA256 e5d4d036e816589d24df03caae8e6ef456175eae5eb1e3e29d80dacdc1dd6217
SHA512 2a6d68c89249458fa7835ee84c74e4578a7e8ed73d6a23705fdbf051ff905aca0fefb425451d5cbff328480ca5bbff44b92a4a4efbf28525e5e9dfbacaa605ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5aab7fc583487beb87e485bf1bd07566
SHA1 b7656621c21caf042fee89efbda17188b539c7e1
SHA256 fd831f8ff114172484da25a96e4fe0070a3bee65da4c43a83e075e157dbb4ec5
SHA512 fbe6e6d4b07af3358401b94a009b9630658d1632283c4241961c55e3ca7049ccf0abb4a688de775102860c58a75e485e831525a671b7431d4329e4dc74a5a9eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 515ef2dbf453a7546ab517d4b2d852da
SHA1 461c244ab777da80118667eb742edcfcd284aa4c
SHA256 43b196539042ce2ca03862148c17c0ea0d72386fd677371f4618a942dafa90e4
SHA512 ee9d4f6f2bc0635ca79821e8ad9b4eb6d583c9e61b135ac2b386815fe9f0d963d1239eaf53221b8b350ee3de5a13dfb7bb9da1b87670d0571389ac2184582ac0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 bb5dccd86c32a3407f0c270247c07ac4
SHA1 3f61f0cc2c0d6af0a46aae6215cb1aded286e577
SHA256 aa7899ff54b8dcc55cd2aba7a598ab965d9e035dde92f121e57492462579f49d
SHA512 2dfdc52f55de0a95397e01e1803c022be5922269f8e3d5cfa7f8515657a9b96eaf7a40297f8b7294dd0d6665ae7c0bdb03d1c321d5c2499ace4af9186178307f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 afeeaba1482973d9ad68c974d6e1965f
SHA1 cf4f22cdf309d8d119f4191815471526a828e466
SHA256 14a7ce9dab8c6744ab9cc7cae1f76da582dd561d1647b9a7c13344977d92e174
SHA512 86931811a19a72ebaab0efc50b03dce30a7553573f41b52b5dedd0cff752dec34ce83090d8eff036bf0a36386d9460e094873bfab0f95fc33fd4fb2d3e3a7573

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce4907448cd4d325442cd6533bb9457e
SHA1 7f54f4fe0755722802a0ffdd0f405a447db4bf71
SHA256 1af8d466f66a479ee070699d4f69460d5c3c066b3e422a5b092407bdab55eb96
SHA512 6931444ec46f8e7365b1cb86adc784eb6ecded6f2ba61b5d8c596df9c356efd77a115e9e7aa3641bd82459d5ee8892bed9306f560ab9b835d63a68eb1f6ed9ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5aee6e0070bd40eca33fef552f1f6c5
SHA1 29675601443754d1cc496ebeb71559c82a6e626b
SHA256 dc53361db6e9e29c99348224dcc5940b76ae0f32b39cc1b142e5e2c0bd01bbf6
SHA512 9b82a122376e9b3393d63494edec7467a17564b3d908f22e4f6d0b112cb2e6393ad89b3ca07614fcb98b574fb7f75fc0565eb333493c7871695ce8b9c5f4c968

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 b35657871d7de27ecb105af91eb4b71c
SHA1 4f446c27e7145d6c7633311f54f236b30b0afeb1
SHA256 9363e16a1df61ac83a247ce6c7b258a1a9098b627788179cfdba8475347b3481
SHA512 1c18a9075f7606864afe2530ece24760f69b83140ecbf641fa2e3304ffdf0ef98ce68992f56938b391b58f2ee56a7aaeb715c42f0bac053ce5286ebbba6500d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c4378490f431eb5254a534e68da50d5
SHA1 324d6ff5414dfa342e4d0b4778a43ef6c5f4b658
SHA256 adfc94142e8aa5ba81681393d71a269dc40e12a848baf51a2657d0ebb17827a8
SHA512 2e7efc782d9279d3d518806cfe8cd4df88b4c7bc8c384c8b65b06772602133e3817a60aeecbd8c1518152e1d20896614cbbe5c03c745405bd8309abef478518f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb6da7866d532d3f1407021f419d315e
SHA1 d4438e8071155342f79b6e6f42409bc356b51c75
SHA256 aa16f973532c7134619fd418f9128f36cd8db7a486c6de981ca313a5d45e1cf6
SHA512 2335c7cd55f41e181bce4f13504f111553f420431df0a0366266b07dc960c77aa41c794f12c6730db71f00d838ae4d9a91b76a5b3714aa30f8987c2a3b5bfec4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6cbcbc16054eccc6805cb01d225ea96
SHA1 8df719466c0c1d68517a311638572d3bd0275699
SHA256 9580cdac9c9841679cad02091ce19f8e6ed33f8b70aae13fe338e3537a29c2e8
SHA512 9ef40a8a925fa6f44fb1e5734a99f34903051ff120005a6b19584ee64b02dc27e70ae2e87bc2f8f24dea524b0bc041339fbe62efef8b6a08b33b23c180938e5c

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 18:53

Reported

2024-05-13 18:56

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\__tmp_rar_sfx_access_check_240664046 C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File created C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\6AixvTBYkcX8JRK4xN.bat C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\wozFTjVIuw5Ij.vbe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18 C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\6AixvTBYkcX8JRK4xN.bat C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File created C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
File created C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\wozFTjVIuw5Ij.vbe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\6ccacd8608530f C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File created C:\Program Files\Windows Photo Viewer\fr-FR\sihost.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File created C:\Program Files\Windows Photo Viewer\fr-FR\66fc9ff0ee96c2 C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\SearchApp.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\38384e6a620884 C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\L2Schemas\61a52ddc9dd915 C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File created C:\Windows\L2Schemas\msedge.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
File opened for modification C:\Windows\L2Schemas\msedge.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\dcrat1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\odt\winlogon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe C:\Users\Admin\AppData\Local\Temp\dcrat3.exe
PID 4780 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe C:\Users\Admin\AppData\Local\Temp\dcrat3.exe
PID 4780 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe C:\Users\Admin\AppData\Local\Temp\dcrat3.exe
PID 4804 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\dcrat3.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 4804 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\dcrat3.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 4780 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe
PID 4780 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe
PID 4780 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe C:\Users\Admin\AppData\Local\Temp\dcrat1.exe
PID 3524 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\dcrat1.exe C:\Windows\SysWOW64\WScript.exe
PID 3524 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\dcrat1.exe C:\Windows\SysWOW64\WScript.exe
PID 3524 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\dcrat1.exe C:\Windows\SysWOW64\WScript.exe
PID 3252 wrote to memory of 3064 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 3064 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 3064 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 1856 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\system32\icacls.exe
PID 1784 wrote to memory of 1856 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\system32\icacls.exe
PID 3064 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe
PID 3064 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe
PID 832 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe C:\Windows\System32\cmd.exe
PID 832 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe C:\Windows\System32\cmd.exe
PID 1384 wrote to memory of 1268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1384 wrote to memory of 1268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3064 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3064 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3064 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1384 wrote to memory of 4544 N/A C:\Windows\System32\cmd.exe C:\odt\winlogon.exe
PID 1384 wrote to memory of 4544 N/A C:\Windows\System32\cmd.exe C:\odt\winlogon.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe

"C:\Users\Admin\AppData\Local\Temp\149525b397dd4f1bb68edd6eb750b0cd400a36a265766b6eab14daff8d446da0.exe"

C:\Users\Admin\AppData\Local\Temp\dcrat3.exe

"C:\Users\Admin\AppData\Local\Temp\dcrat3.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath " org.develnext.jphp.ext.javafx.FXLauncher

C:\Users\Admin\AppData\Local\Temp\dcrat1.exe

"C:\Users\Admin\AppData\Local\Temp\dcrat1.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\wozFTjVIuw5Ij.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\6AixvTBYkcX8JRK4xN.bat" "

C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe

"C:\\Windows\System32\Microsoft\Protect\S-1-5-18\User\dwm.exe"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\L2Schemas\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\USOShared\Logs\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\Logs\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mljoRSYxag.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\odt\winlogon.exe

"C:\odt\winlogon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 168.125.209.23.in-addr.arpa udp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 a0979626.xsph.ru udp
RU 141.8.192.58:80 a0979626.xsph.ru tcp
RU 141.8.192.58:80 a0979626.xsph.ru tcp
US 8.8.8.8:53 58.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
RU 141.8.192.58:80 a0979626.xsph.ru tcp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

memory/4780-0-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

memory/4780-1-0x0000000000760000-0x000000000091C000-memory.dmp

memory/4780-2-0x0000000005340000-0x00000000053DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dcrat3.exe

MD5 2c7d37e90dd8ab57d06dad5bc7956885
SHA1 da789c107c4c68b8250b6589e45e5a3cf7a9a143
SHA256 5ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939
SHA512 e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f

memory/4804-12-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dcrat1.exe

MD5 81e978a9392b56444619c5fc28bcf0b0
SHA1 cf322f5be4a9c3fad09714a1efb7e730ba977c40
SHA256 70eae81f9363375c7301e4d48a7c5bc5588a9100cbd300eb358fed2327c40dbe
SHA512 370e4faf61c93d47b3e60196fc1f8c17de35b076b383566a817c5a2358396dd6a7dc5677b86115cd61d413e4c717ddc5c426aaa2590f47b63643bbfab148d76c

memory/1784-23-0x000002BE01410000-0x000002BE01680000-memory.dmp

C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\wozFTjVIuw5Ij.vbe

MD5 30a1a984f3afcec8d166e9b90ae4dded
SHA1 5dd5a1fb85732376bcb5478e5f627d251ef79983
SHA256 6fc7d156666453ba430f30ea19b47c55a0bf88a7c1a8ce407322270e8f596929
SHA512 63e72a5178fbffda94382356177f07a0781bb4a597be67075395c3afe4002a9c186d5b5edb5b7e4bed6c38c8c8b06acc0c623a0ec963fa4216383a6112ffc768

C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\6AixvTBYkcX8JRK4xN.bat

MD5 d140d65ea96f1a8e52a20c00b8092225
SHA1 4f7831d9ee21770079e91f083b8c4ce77a544695
SHA256 2dc114e83c3e2339c249a58648875ec0988dec9158ab35cbfe9cff50171ae3ac
SHA512 4c0539d4584d7814ea3c73b771a80321fc58208e9a122f29129898621d0dbe4de72c05100c9fac7f503b0b7a0ada4045cedd7fb9434bd904bb51b8b9a74f3830

C:\Windows\SysWOW64\Microsoft\Protect\S-1-5-18\User\dwm.exe

MD5 6a052712569ad65c7bd5a0ffab54c051
SHA1 0dbff6cdf01b13465a729e2370cf2244fe5a0218
SHA256 ab64355e0ceb9e47a235a8f1be8d557d22e267521be47733d476f8004a3a69e0
SHA512 8875cd956120870a452dd85113e90cf3b3fe7132bf6b699caf9944a72b8700dced4e5e41e882c021b34a376fa645c2a841e454eba49bda684285512baaa91cda

memory/832-44-0x0000000000A00000-0x0000000000B50000-memory.dmp

memory/1784-45-0x000002BE7F640000-0x000002BE7F641000-memory.dmp

memory/1784-48-0x000002BE7F640000-0x000002BE7F641000-memory.dmp

memory/1784-49-0x000002BE01410000-0x000002BE01680000-memory.dmp

memory/832-50-0x000000001B750000-0x000000001B76C000-memory.dmp

memory/832-51-0x000000001BD10000-0x000000001BD60000-memory.dmp

memory/832-52-0x0000000002E30000-0x0000000002E46000-memory.dmp

memory/832-53-0x0000000002E50000-0x0000000002E62000-memory.dmp

memory/832-54-0x000000001C4E0000-0x000000001CA08000-memory.dmp

memory/832-55-0x0000000002E60000-0x0000000002E6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mljoRSYxag.bat

MD5 3adcf57e62576707b7515ddf1a315eb7
SHA1 170ba54762bdee18e604dcc827607d9e1485f796
SHA256 08e3a2fd20cc880de4c7f9f1e2cd88a8ebdbdb7d38f2620dbd3c1f62c4b09f49
SHA512 c4b38fc7517818d3f56bfd2108799dccb331f7395a3b70fc7bc2a6cf2a5906cde006a547fdcc2e641f935d0ba89423668851d0837e06358650463e078d5b9dcb