Malware Analysis Report

2024-11-13 13:43

Sample ID 240516-fgtkdscf8t
Target 526153CBD86009228AD53CD262A9C6B3.exe
SHA256 5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48
Tags rat dcrat infostealer spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48

Threat Level: Known bad

The file 526153CBD86009228AD53CD262A9C6B3.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer spyware stealer

DcRat

Process spawned unexpected child process

DCRat payload

Dcrat family

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-16 04:51

Signatures

DCRat payload (tag: rat)

Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family (tag: dcrat)

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-16 04:51
Reported 2024-05-16 04:53
Platform win7-20240508-en
Max time kernel 149s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe"

Signatures

DcRat (tags: rat infostealer dcrat)

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(57 identical events, one for each of the 57 schtasks.exe invocations listed under Processes)

DCRat payload (tag: rat)

Description Indicator Process Target
N/A N/A N/A N/A
(3 detections, no detail recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe N/A

Reads user/profile data of web browsers (tags: spyware stealer)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\es\audiodg.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Windows\System32\es\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Sidebar\en-US\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\csrss.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files\MSBuild\Microsoft\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\System.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files\MSBuild\Microsoft\explorer.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files\MSBuild\Microsoft\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files\MSBuild\Microsoft\services.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files\Windows Sidebar\it-IT\lsass.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files\Windows Sidebar\it-IT\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\en-US\dllhost.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\it-IT\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Windows\security\database\Idle.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Windows\security\database\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Windows\servicing\System.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Windows\it-IT\audiodg.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A

Enumerates physical storage devices

Creates scheduled task(s) (tag: persistence)

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(57 identical events, one per schtasks.exe invocation listed under Processes)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A 5
N/A N/A C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe N/A 13

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1868 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe C:\Windows\System32\cmd.exe
PID 1508 wrote to memory of 2808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1508 wrote to memory of 2712 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
PID 2712 wrote to memory of 2772 N/A C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe C:\Windows\System32\WScript.exe
PID 2712 wrote to memory of 2148 N/A C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe C:\Windows\System32\WScript.exe
(each event is recorded three times in the original listing)

Uses Task Scheduler COM API (tag: persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe (PID 1868)
  "C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe"

C:\Windows\system32\schtasks.exe (57 invocations; for each dropped copy, three tasks are registered: a MINUTE-interval task, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\services.exe'" /f
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\es\audiodg.exe'" /f
  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\System32\es\audiodg.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\es\audiodg.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /f
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /f
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dllhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\System.exe'" /f
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\System.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\System.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\explorer.exe'" /f
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\explorer.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\explorer.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\dllhost.exe'" /f
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\dllhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\dllhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /f
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /f
  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\audiodg.exe'" /f
  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\it-IT\audiodg.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\audiodg.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\security\database\Idle.exe'" /f
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\security\database\Idle.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\security\database\Idle.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe (PID 1508)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H6YNKoNS9r.bat"

C:\Windows\system32\w32tm.exe (PID 2808, started from the .bat)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe (PID 2712, started from the .bat)
  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"

C:\Windows\System32\WScript.exe (PIDs 2772 and 2148, started by System.exe)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e8c74d4-a5ed-42d9-a1d3-ecaa7287adf0.vbs"
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ce340bf-9d5b-42a4-8fe3-251aebebd64b.vbs"

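The task registrations above share three traits worth turning into detection logic: every target borrows the name of a Windows system process (csrss, lsass, services, explorer, dllhost, audiodg, sppsvc, taskhost, plus System and Idle) but lives under MSOCache, Recovery, Program Files or a System32 language subfolder; each copy gets a MINUTE-interval task plus an ONLOGON task with /rl HIGHEST; and every schtasks.exe was parented by wmiprvse.exe, which is what process creation through WMI (Win32_Process.Create) looks like, so the sample itself never shows up as the parent of the process that registers its persistence. The w32tm /stripchart call the .bat makes against localhost before starting System.exe is a commonly used stand-in for a short sleep. The Python below is an added example for this page, not code from the sandbox or from DcRat: it parses schtasks /create command lines, scores them against those traits, and checks the parent/child pair. The command lines in SAMPLE_CMDLINES are copied from this report (the last one is a constructed benign control); the process events, the allow-list of legitimate directories and the 15-minute interval threshold are assumptions to tune.

```python
"""Triage checks for the persistence pattern recorded in this report.

Added example for this page; not code from the sandbox report or from DcRat.
SAMPLE_CMDLINES are copied from the report's Processes section (the last one
is a constructed benign control). SAMPLE_PROCESS_EVENTS are constructed to
mirror the report's parent/child rows. The allow-list and the interval
threshold are assumptions a defender would tune.
"""
import re
from pathlib import PureWindowsPath

# Process names the sample reuses for its dropped copies (taken from the report).
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "lsass.exe", "services.exe", "explorer.exe", "dllhost.exe",
    "audiodg.exe", "sppsvc.exe", "taskhost.exe", "system.exe", "idle.exe",
}
# Assumed allow-list: where those names legitimately run from
# (explorer.exe lives directly under C:\Windows).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
MAX_BENIGN_MINUTE_INTERVAL = 15  # assumed threshold; the report's tasks use 5-14

SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\System32\es\audiodg.exe'" /rl HIGHEST /f''',
    # Constructed benign control: a daily task for a third-party tool.
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\BackupTool\backup.exe"''',
]
# Constructed (parent image, child image) pairs in the shape of the report's rows.
SAMPLE_PROCESS_EVENTS = [
    (r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe", r"C:\Windows\System32\cmd.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\w32tm.exe"),
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a double-quoted run or a bare word


def parse_schtasks(cmdline: str) -> dict:
    """Map the switches of a 'schtasks /create' command line to a dict.
    Switches without a value (/create, /f) map to True; quoted values lose
    their outer double quotes, and /tr also loses the single quotes the
    sample wraps around its paths."""
    tokens = TOKEN_RE.findall(cmdline)
    parsed = {"image": tokens[0]}
    i = 1
    while i < len(tokens):
        if not tokens[i].startswith("/"):
            i += 1
            continue
        key = tokens[i][1:].lower()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            value = tokens[i + 1].strip('"')
            parsed[key] = value.strip("'") if key == "tr" else value
            i += 2
        else:
            parsed[key] = True
            i += 1
    return parsed


def assess_task(task: dict) -> list:
    """Return the reasons a parsed task matches the report's pattern
    (an empty list means nothing stood out)."""
    reasons = []
    target = PureWindowsPath(str(task.get("tr", "")))
    name, stem, folder = target.name.lower(), target.stem, str(target.parent).lower()
    if name in SYSTEM_PROCESS_NAMES and folder not in LEGIT_DIRS:
        reasons.append(f"{target.name} started from {target.parent}, not a system directory")
    sc = str(task.get("sc", "")).lower()
    if sc == "onlogon" and str(task.get("rl", "")).lower() == "highest":
        reasons.append("logon trigger with /rl HIGHEST")
    mo = str(task.get("mo", ""))
    if sc == "minute" and mo.isdigit() and int(mo) <= MAX_BENIGN_MINUTE_INTERVAL:
        reasons.append(f"re-launched every {mo} minutes")
    tn = str(task.get("tn", ""))
    # Naming pattern seen across all 57 tasks in this report: binary name + its first letter.
    if stem and tn.lower() == (stem + stem[0]).lower():
        reasons.append(f"task name {tn!r} is the binary name plus its first letter")
    return reasons


def unexpected_child(parent_image: str, child_image: str):
    """Flag schtasks.exe parented by WmiPrvSE.exe. A process started through
    WMI's Win32_Process.Create gets WmiPrvSE.exe as its parent, so the
    process that registers persistence never shows up in the parent chain."""
    parent = PureWindowsPath(parent_image).name.lower()
    child = PureWindowsPath(child_image).name.lower()
    if parent == "wmiprvse.exe" and child == "schtasks.exe":
        return "schtasks.exe spawned by WmiPrvSE.exe (consistent with WMI process creation)"
    return None


def triage(cmdlines, process_events) -> list:
    """Run both checks; each finding is (subject, [reasons])."""
    findings = []
    for line in cmdlines:
        task = parse_schtasks(line)
        reasons = assess_task(task)
        if reasons:
            findings.append((f"task {task.get('tn')} -> {task.get('tr')}", reasons))
    for parent, child in process_events:
        reason = unexpected_child(parent, child)
        if reason:
            findings.append((f"{PureWindowsPath(parent).name} -> {PureWindowsPath(child).name}", [reason]))
    return findings


if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_CMDLINES, SAMPLE_PROCESS_EVENTS):
        print(subject)
        for reason in reasons:
            print("   -", reason)
```

Run against the five sample lines, the four copied from this report are flagged (the MINUTE tasks on three counts, the ONLOGON tasks on two) and the benign control is not; the wmiprvse.exe to schtasks.exe pair is the only process event that fires. On a live host the same checks apply to Sysmon event 1 or Security 4688 command lines and to the Actions/Triggers fields of exported task XML.
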
Network

Country Destination Domain Proto Count
US 8.8.8.8:53 aery-messages.000webhostapp.com udp 2
US 145.14.145.225:80 aery-messages.000webhostapp.com tcp 3
US 145.14.144.97:80 aery-messages.000webhostapp.com tcp 3

Files

Memory dumps of PID 1868 (the submitted sample):
memory/1868-0-0x000007FEF6163000-0x000007FEF6164000-memory.dmp
memory/1868-1-0x00000000001E0000-0x0000000000456000-memory.dmp
memory/1868-2-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp
memory/1868-3-0x0000000000140000-0x000000000015C000-memory.dmp
memory/1868-4-0x0000000000160000-0x0000000000168000-memory.dmp
memory/1868-5-0x0000000000180000-0x0000000000196000-memory.dmp
memory/1868-6-0x0000000002220000-0x0000000002276000-memory.dmp
memory/1868-7-0x00000000001A0000-0x00000000001AC000-memory.dmp
memory/1868-8-0x00000000001B0000-0x00000000001C2000-memory.dmp
memory/1868-9-0x0000000000460000-0x0000000000468000-memory.dmp
memory/1868-10-0x0000000000470000-0x000000000047A000-memory.dmp
memory/1868-11-0x0000000000480000-0x000000000048E000-memory.dmp
memory/1868-12-0x0000000000490000-0x000000000049C000-memory.dmp

C:\Program Files\Windows Sidebar\it-IT\lsass.exe
(all four hashes match the submitted sample: the dropped file is an unmodified copy of it)

MD5 526153cbd86009228ad53cd262a9c6b3
SHA1 6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2
SHA256 5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48
SHA512 9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665

C:\Users\Admin\AppData\Local\Temp\H6YNKoNS9r.bat

MD5 a371de180c054baca52bd08db4bd087c
SHA1 7a96be45c846b11facc23c24fbd60a305608bd53
SHA256 a81447731aa8081f824f65c84a20c27f48dfbf4dd47e2b5d12f5b393c4a819c5
SHA512 69843ed38defa592297f7318aa5d8c238591f955c4e30ff7d0c57e80d43c2f9352228a77d3b7110daeff64f590180fc58e17fd1de2a2acdf165db93da1341b4e

Later memory dumps (PID 1868 is the sample; PID 2712 is the dropped System.exe):
memory/1868-56-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp
memory/2712-59-0x00000000008D0000-0x0000000000B46000-memory.dmp
memory/2712-60-0x0000000000590000-0x00000000005A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5e8c74d4-a5ed-42d9-a1d3-ecaa7287adf0.vbs

MD5 341a9599befc7b2c0a4f81d425d1da29
SHA1 eaf81be0f773bc36685b573877ea6d1ca1dd2684
SHA256 7fc1c13bf58e5f7e4be4c0dc266e44b87a7dc658d85cc2fd3132715a7763cc1e
SHA512 cd8622c90629e8d09db9b3638faebdd0e18c34e71c43bac09395ed09bee1ae8434a5d92edf92afd19a3a0d67755306c99c2db2dd2f7200b4da7a44a6985fa01d

C:\Users\Admin\AppData\Local\Temp\2ce340bf-9d5b-42a4-8fe3-251aebebd64b.vbs

MD5 a185c42cd56f89a902a7308dec75a0b4
SHA1 78a109b4f8454be5b5b0724f84a3589d65870a75
SHA256 9bc9cecb9de2dd74467f249aab427145b4eef0be53a881685f1c10106ef0023c
SHA512 5dcbcecff9112ad7361c1674d8bfe89218ff0bef40988d7d6c817376e9ef9fd03612a747b8a47293b418acd76584ba8bf6cbe3f620915a574041c264bb02b208

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-16 04:51
Reported 2024-05-16 04:53
Platform win10v2004-20240426-en
Max time kernel 147s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\dllhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files\Windows Photo Viewer\ja-JP\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files\Mozilla Firefox\lsass.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files\Mozilla Firefox\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files\ModifiableWindowsApps\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\DiagTrack\lsass.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Windows\DiagTrack\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Windows\PLA\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
File created C:\Windows\PLA\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Public\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe

"C:\Users\Admin\AppData\Local\Temp\526153CBD86009228AD53CD262A9C6B3.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PLA\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\DiagTrack\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\755249da-4526-41d8-a065-4c340cdfef29.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9458e87-3fd5-46c9-b7e4-7375f630a4f6.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.192:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 192.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 aery-messages.000webhostapp.com udp
US 145.14.144.88:80 aery-messages.000webhostapp.com tcp
BE 88.221.83.192:443 www.bing.com tcp
US 145.14.144.88:80 aery-messages.000webhostapp.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 88.144.14.145.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 145.14.144.88:80 aery-messages.000webhostapp.com tcp
US 8.8.8.8:53 aery-messages.000webhostapp.com udp
US 145.14.144.104:80 aery-messages.000webhostapp.com tcp
US 8.8.8.8:53 104.144.14.145.in-addr.arpa udp
US 145.14.144.104:80 aery-messages.000webhostapp.com tcp
US 145.14.144.104:80 aery-messages.000webhostapp.com tcp
US 145.14.144.104:80 aery-messages.000webhostapp.com tcp

Files

C:\Program Files\Windows Photo Viewer\ja-JP\upfc.exe

MD5 526153cbd86009228ad53cd262a9c6b3
SHA1 6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2
SHA256 5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48
SHA512 9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665

C:\Users\Admin\AppData\Local\Temp\755249da-4526-41d8-a065-4c340cdfef29.vbs

MD5 8639b865a655e634a8ac101667ca27f2
SHA1 9b956668bce1e13694f12a0ae4c99aac461449a9
SHA256 945c11447fa6dd6f1cfb903039a40d954427359e522ed38e28d189bd60e13736
SHA512 883e60e8295a07b7734a3408ecd2dfb568a79d9450cc85868dc9596257db4db87ceec12900b127e1cfdb2fcf8663a5a64eba235653e8f1be75362da9c90be044

C:\Users\Admin\AppData\Local\Temp\e9458e87-3fd5-46c9-b7e4-7375f630a4f6.vbs

MD5 2ebedb5c507ba00c6edd4888940e2a8b
SHA1 16cda38cfff9e043c17b086efd82db85b3eeb25e
SHA256 0b5b8bce363126144965824542c5de8c5024e6c728c3c163842bb0313e7d94bf
SHA512 fbd9efad128ee5dd8ef62cf0425a2726c709bbf4005711c114d8bdc6e7590da64aa80d546426a61c88c533728cef53598745bb1114cbb937f937db1c873db4be