Malware Analysis Report

2024-11-13 13:42

Sample ID 240516-hjlzfage6s
Target 5D474E6A5232B3D3DD5576111A2B22A1.exe
SHA256 942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc
Tags: dcrat evasion infostealer rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc

Threat Level: Known bad

The file 5D474E6A5232B3D3DD5576111A2B22A1.exe was found to be: Known bad.

Malicious Activity Summary

Tags: dcrat evasion infostealer rat spyware stealer trojan

UAC bypass
Process spawned unexpected child process
DcRat
DCRat payload
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks whether UAC is enabled
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported: 2024-05-16 06:46

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 06:46
Reported: 2024-05-16 06:48
Platform: win7-20240508-en
Max time kernel: 149s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (33 identical events) N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe N/A

DCRat payload

rat

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
33 identical events:
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
11 identical events:
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
53 identical events:
N/A N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 2820 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2820 wrote to memory of 2444 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2820 wrote to memory of 2520 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2444 wrote to memory of 892 (4 events) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 892 wrote to memory of 1684 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\surrogatedriverbroker\runtimeDhcpCommon.exe
PID 1684 wrote to memory of 2496 (3 events) N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe C:\Windows\System32\cmd.exe
PID 2496 wrote to memory of 2908 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2496 wrote to memory of 2680 (3 events) N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe
PID 2680 wrote to memory of 1812 (3 events) N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe C:\Windows\System32\WScript.exe
PID 2680 wrote to memory of 2572 (3 events) N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe

"C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\MX0u5YpaE0Bl8Q4tzHjuN5MlF.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\file.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\surrogatedriverbroker\iB8LDc93mffvsV4P5elLH7ibJvoD.bat" "

C:\surrogatedriverbroker\runtimeDhcpCommon.exe

"C:\surrogatedriverbroker\runtimeDhcpCommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\wscript.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Default\Desktop\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\surrogatedriverbroker\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\surrogatedriverbroker\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\surrogatedriverbroker\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\surrogatedriverbroker\wscript.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\surrogatedriverbroker\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\surrogatedriverbroker\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\surrogatedriverbroker\wscript.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\surrogatedriverbroker\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\surrogatedriverbroker\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wEAw5fePeK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdde1f05-25f0-4f3b-8286-a67ed628be8b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc21b449-0c5d-46d5-b20e-b84948135605.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0981474.xsph.ru udp
4 identical connections:
RU 141.8.194.149:80 a0981474.xsph.ru tcp

Files

\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

MD5 d26ea8a9103b82d0e4f80b687f0c1adc
SHA1 811bc8c8b6fcca69882e483ed0d59d45e7851f1a
SHA256 50548a8353e5f24e36e11a4dfa2beb766b1adc1d358c54202447c8d389212eb5
SHA512 68583d1f11ff00baebc5271e852848c7df76ff32df4788f91792d98728cbd69ccd04e4814265ecbb12b79ddd46bad35aafe1192551f526ff616df3e97ea7884e

C:\surrogatedriverbroker\MX0u5YpaE0Bl8Q4tzHjuN5MlF.vbe

MD5 d9095993dc975aad0602ba66b32dad3d
SHA1 8c26fd1ad732827301e5af7de044420f0c06fbbe
SHA256 3329d6bb2e9c7115fb8ac58881e94796069d0b7874abccc4a0bc7718731de27e
SHA512 2c7adbd664c8ee7aa84c12eea0e7685f5e2275c9cd19f9a1dece9f9e3f958f9b05339be799b643fe1a0e20d8fb74ca3df0fcb9903d830137fa774b13281d7d3a

C:\surrogatedriverbroker\file.vbs

MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\Users\Admin\AppData\Local\Temp\channels4_profile.ico

MD5 18cc2b457a795b627b37dda9cfd355c5
SHA1 5778d3f45a662a681788e16426afdd266707f672
SHA256 c94678aff77a06737177b585f5c4139d5c67d41711754f055e9bed480522b7b1
SHA512 cd68c7304443aa951898fef5a45da3fb689f7c61bf1c468f2d19a8e929bc1c8b5f0c90caac630457ba27114a131fb80e5dc3ad3e4886fce91ca82a3ffcbfd75d

C:\surrogatedriverbroker\iB8LDc93mffvsV4P5elLH7ibJvoD.bat

MD5 85cfb82d14d95349f280e53f0764fbfc
SHA1 645a8f36343a8e4b88966ab70a4a24f49b9ca2b9
SHA256 3628bedd47e43459572a27570f4cf9c4ef2083703c2fbc32f3f7a67b7a109371
SHA512 02cb06aa443a044f0f1a492a2e30e3d9521902a9fefba54a829bffbb37eed07e4e1c9753cd8cca71baa1a1229343ecbd05940389165e35fc71b90f48fc1191e8

\surrogatedriverbroker\runtimeDhcpCommon.exe

MD5 dc167730759f4877ed79888e1f365249
SHA1 5ce03602609fa90f26b3a6774519c006a9c20bf6
SHA256 0704d02dd6f8b50b3b60652096539fe51cd5ae2d3b4092763245dfcf8dc68316
SHA512 d027f85c981d182b2f4bc359d86e1093c2a2ab72a78dc5d408bbb103c0626e0da3063173710ffbf2c94e2080aefe56154d371f39f09a9e6e1f4a1cd62e20140b


memory/1684-69-0x000000001B000000-0x000000001B00C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wEAw5fePeK.bat

MD5 c917e531752b5b07a1c347de12a08364
SHA1 758e058e83718803e55b77ef435483adbbe3ddfd
SHA256 58d5500f03873d1903839047ac576934e33a539dadaaeb67e42b9d018ce15ed1
SHA512 0d9e661bbdc7b41061cbc7830af192bf2404ae2dc6ec1d340d0033de87ca8cf0e4dbb62ca286b785c12419390d66a858a1e30318d562b945333f3c1ba591f771

memory/2680-99-0x0000000000E20000-0x000000000118A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fdde1f05-25f0-4f3b-8286-a67ed628be8b.vbs

MD5 60ee6fdffdfbf1c445f6a990edbd6ac6
SHA1 9fc056698afe56ffe76996072d0a47fc90f2b9c4
SHA256 561f451479dd8e03813a9c8b3988afa10290b87f14c4e64ebb83c8af83fea29a
SHA512 f106a35af15a706412247f6c7ee2c93bcbc50bf8caa942a33dfe06a31e5828d3138034577384aefa4253c35909ecc199424828140522ae0b536995ca53c7ab19

C:\Users\Admin\AppData\Local\Temp\cc21b449-0c5d-46d5-b20e-b84948135605.vbs

MD5 5e7ecb8756527036eadb12a07fe7919c
SHA1 38f20ec0ed2cf1816f9009d15e6ac8b2c08f590d
SHA256 1f42c9faa1e8296c4d047969e4c3df52fd9e455cac491d484706bd3459bdbe9b
SHA512 8d607b858d47ccafb1f2054a8d6603d83b1f24e91e09f66f9039f89f14903cdd45dbdf29ac80403f1d41cbeee1491bf82165bc89e33fd2b22f133f633eaef91b

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 06:46

Reported

2024-05-16 06:48

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Internet Explorer\es-ES\e1ef82546f0b02 C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\msedge.exe C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\61a52ddc9dd915 C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\unsecapp.exe C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\29c1c3cc0f7685 C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
File created C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
File created C:\Program Files (x86)\Internet Explorer\es-ES\e1ef82546f0b02 C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\servicing\RuntimeBroker.exe C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
File created C:\Windows\Panther\actionqueue\MoUsoCoreWorker.exe C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
File created C:\Windows\Panther\actionqueue\1f93f77a7f4778 C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Recovery\WindowsRE\RuntimeBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2236 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2236 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 3612 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 3612 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 3612 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 3612 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 3612 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 3612 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 4592 wrote to memory of 5000 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 5000 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 5000 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\surrogatedriverbroker\runtimeDhcpCommon.exe
PID 5000 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\surrogatedriverbroker\runtimeDhcpCommon.exe
PID 1884 wrote to memory of 116 N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 1884 wrote to memory of 116 N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 116 wrote to memory of 2168 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 116 wrote to memory of 2168 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 116 wrote to memory of 3884 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 116 wrote to memory of 3884 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
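
The table above holds eight distinct parent/child pairs, but the sandbox prints one row per write call, so pairs repeat and the tree is hard to read by eye. The script below is an added example for this report (it is neither sandbox tooling nor DcRat code): it de-duplicates the rows, rebuilds the tree, prints the lineage of any PID, and flags image names that belong to Windows binaries but sit outside their normal directory, which is how the copy of RuntimeBroker.exe in C:\Recovery\WindowsRE stands out. The EXPECTED_DIRS map and the assumption that image paths contain no spaces (true for every row on this page) are the example's own.

```python
"""Rebuild a process tree from a sandbox "wrote to memory of" table.

Added example for this report, not part of the sandbox's own tooling.
Assumption: each row has the shape the table above uses,
"PID <parent> wrote to memory of <child> N/A <parent image> <child image>",
with no spaces inside image paths.
"""
import ntpath
import re
from collections import defaultdict

# Constructed input: the WriteProcessMemory rows from this report, with one
# duplicate kept on purpose, since the sandbox logs one row per write call.
WPM_TABLE = r"""
PID 2236 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2236 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 3612 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 3612 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 4592 wrote to memory of 5000 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\surrogatedriverbroker\runtimeDhcpCommon.exe
PID 1884 wrote to memory of 116 N/A C:\surrogatedriverbroker\runtimeDhcpCommon.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 116 wrote to memory of 2168 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 116 wrote to memory of 3884 N/A C:\Recovery\WindowsRE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Where these Windows image names legitimately live (lower-cased). This map is
# the example's own assumption; a file with one of these names anywhere else
# is treated as a masquerade.
EXPECTED_DIRS = {
    "runtimebroker.exe": {r"c:\windows\system32"},
    "wscript.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "schtasks.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def parse_rows(text):
    """Return de-duplicated (parent, child) pairs in first-seen order and a pid -> image map."""
    edges, images = {}, {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # tolerate a pasted header or blank line
        parent, child = int(m.group(1)), int(m.group(2))
        images.setdefault(parent, m.group(3))
        images.setdefault(child, m.group(4))
        edges[(parent, child)] = None  # dict keys keep order and drop repeats
    return list(edges), images


def build_tree(edges):
    """Return (roots, children map, parent map). Roots are PIDs nobody wrote into."""
    children, parents = defaultdict(list), {}
    for parent, child in edges:
        children[parent].append(child)
        parents[child] = parent
    roots = list(dict.fromkeys(p for p, _ in edges if p not in parents))
    return roots, children, parents


def lineage(pid, parents):
    """Root-to-pid chain, e.g. [2236, 3612, 4592, 5000, 1884, 116]."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def render_tree(roots, children, images):
    """Indented text tree, one line per process."""
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid}  {images.get(pid, '?')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def find_masquerades(image_paths):
    """Paths whose file name is a known Windows binary but whose directory is not."""
    hits = set()
    for path in image_paths:
        allowed = EXPECTED_DIRS.get(ntpath.basename(path).lower())
        if allowed is not None and ntpath.dirname(path).lower() not in allowed:
            hits.add(path)
    return sorted(hits)


if __name__ == "__main__":
    edges, images = parse_rows(WPM_TABLE)
    roots, children, parents = build_tree(edges)
    print("\n".join(render_tree(roots, children, images)))
    print("lineage of 116:", " -> ".join(map(str, lineage(116, parents))))
    print("masquerading images:", find_masquerades(images.values()))
```

The WScript.exe and cmd.exe hops in the middle of the chain are genuine interpreters under SysWOW64 (the 32-bit dropper launches them, and the sandbox shows the redirected path), so the masquerade check deliberately ignores them and reports only the RuntimeBroker.exe copy under C:\Recovery\WindowsRE. The lineage from the submitted sample down to that copy is what an incident responder would paste into a timeline.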

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\surrogatedriverbroker\runtimeDhcpCommon.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe

"C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\MX0u5YpaE0Bl8Q4tzHjuN5MlF.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\file.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\surrogatedriverbroker\iB8LDc93mffvsV4P5elLH7ibJvoD.bat" "

C:\surrogatedriverbroker\runtimeDhcpCommon.exe

"C:\surrogatedriverbroker\runtimeDhcpCommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\MoUsoCoreWorker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\actionqueue\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Recovery\WindowsRE\RuntimeBroker.exe

"C:\Recovery\WindowsRE\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5818b527-3acb-4b64-87cd-c66639d6b2bc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de2055f3-e164-4113-b290-2f1dbd3e7d8f.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe
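
Every dropped binary in the process list above is registered three times: a MINUTE-interval task under a name with one trailing letter appended, an ONLOGON task under the plain name with /rl HIGHEST, and the interval task again under the first name, now also with /rl HIGHEST. Because each call carries /f, which makes schtasks replace an existing task of the same name, the third call overwrites the first, so what actually survives per binary is one logon task and one HIGHEST-run-level interval task. The script below is an added example for this report (not sandbox tooling and not DcRat code) that parses such command lines, applies that overwrite rule, flags the logon-plus-interval pattern, and emits the matching delete commands. The tokenizer and the assumption that every /tr value is a single-quoted path, as on this page, are the example's own.

```python
"""Triage the schtasks.exe command lines from a sandbox process list.

Added example for this report; it is neither sandbox tooling nor DcRat code.
Assumed input shape: "schtasks.exe /create /tn <name> /sc <schedule> [/mo <n>]
/tr <quoted path> [/rl HIGHEST] /f", i.e. the lines listed above.
"""
import re
from collections import OrderedDict

# Constructed input: nine of the schtasks command lines from this report.
SCHTASKS_CMDLINES = [
    r'''schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe'" /f''',
    r'''schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /f''',
    r'''schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f''',
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # a "quoted run" or a bare word


def parse_schtasks(cmdline):
    """Return the task definition from one 'schtasks /create' line, else None."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]
    lowered = [t.lower() for t in tokens]
    if not tokens or lowered[0] not in ("schtasks.exe", "schtasks") or "/create" not in lowered:
        return None
    task = {"name": None, "schedule": None, "modifier": None,
            "target": None, "highest": False, "force": False}
    i = 1
    while i < len(tokens):
        flag = lowered[i]
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        if flag == "/f":
            task["force"] = True
        elif flag in ("/tn", "/sc", "/mo", "/tr", "/rl") and value is not None:
            if flag == "/tn":
                task["name"] = value
            elif flag == "/sc":
                task["schedule"] = value.upper()
            elif flag == "/mo":
                task["modifier"] = int(value)
            elif flag == "/tr":
                task["target"] = value.strip("'")  # the sample single-quotes the path
            else:
                task["highest"] = value.upper() == "HIGHEST"
            i += 1  # consume the flag's value as well
        i += 1
    return task


def group_by_target(cmdlines):
    """Map each /tr target to the task definitions that survive, keyed by task name.

    schtasks /create /f replaces an existing task of the same name, so a later
    line with the same /tn overwrites the earlier one, as happens on this page.
    """
    groups = OrderedDict()
    for cmdline in cmdlines:
        task = parse_schtasks(cmdline)
        if task is None or task["target"] is None:
            continue
        groups.setdefault(task["target"], OrderedDict())[task["name"]] = task
    return groups


def flag_dcrat_pattern(groups):
    """Targets with a logon trigger plus a minute-interval trigger, at least one
    at HIGHEST run level: the registration pattern every dropped binary above shows."""
    flagged = []
    for target, tasks in groups.items():
        schedules = {t["schedule"] for t in tasks.values()}
        if {"ONLOGON", "MINUTE"} <= schedules and any(t["highest"] for t in tasks.values()):
            flagged.append(target)
    return flagged


def shortest_interval(tasks):
    """Minutes between re-launches of a target (None if it has no MINUTE task)."""
    mods = [t["modifier"] for t in tasks.values() if t["schedule"] == "MINUTE" and t["modifier"]]
    return min(mods) if mods else None


def cleanup_commands(groups):
    """One schtasks /delete per surviving task name; run these before removing the files."""
    return [f'schtasks /delete /tn "{name}" /f' for tasks in groups.values() for name in tasks]


if __name__ == "__main__":
    groups = group_by_target(SCHTASKS_CMDLINES)
    for target, tasks in groups.items():
        print(f"{target}: tasks={list(tasks)} every {shortest_interval(tasks)} min, "
              f"highest={any(t['highest'] for t in tasks.values())}")
    print("dcrat-style persistence:", flag_dcrat_pattern(groups))
    print("\n".join(cleanup_commands(groups)))
```

Deleting the tasks first matters: with an interval as short as five minutes, removing the file before the task means a scheduled launch fails noisily and the responder races the scheduler while the RAT is still running. The /rl HIGHEST tasks also explain why the EnableLUA and ConsentPromptBehaviorAdmin changes above are paired with them: once UAC prompting is off, a highest-run-level task relaunches the payload elevated without user interaction.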

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 a0981474.xsph.ru udp
RU 141.8.194.149:80 a0981474.xsph.ru tcp
RU 141.8.194.149:80 a0981474.xsph.ru tcp
US 8.8.8.8:53 149.194.8.141.in-addr.arpa udp
RU 141.8.194.149:80 a0981474.xsph.ru tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 141.8.194.149:80 a0981474.xsph.ru tcp
US 8.8.8.8:53 235.17.178.52.in-addr.arpa udp
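
Fourteen of the twenty rows above are DNS traffic to 8.8.8.8, and all but one of those are reverse (in-addr.arpa) lookups that carry no new indicator, since they only name IPs already present as peers. The script below is an added example for this report (not sandbox tooling) that parses the table as printed, drops that noise, and separates destinations the sample both resolved and contacted from contacts with no matching lookup, which are kept for analyst review rather than silently discarded. The row format assumed is exactly the four-column layout of this table.

```python
"""Separate the sample's own network contacts from resolver noise.

Added example for this report, not sandbox tooling. It assumes rows shaped
"<country> <ip>:<port> [<domain>] <proto>", as the Network table prints them.
"""
import re
from collections import Counter

# Constructed input: the twenty Network rows of this report, copied verbatim.
NETWORK_ROWS = """
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 a0981474.xsph.ru udp
RU 141.8.194.149:80 a0981474.xsph.ru tcp
RU 141.8.194.149:80 a0981474.xsph.ru tcp
US 8.8.8.8:53 149.194.8.141.in-addr.arpa udp
RU 141.8.194.149:80 a0981474.xsph.ru tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 141.8.194.149:80 a0981474.xsph.ru tcp
US 8.8.8.8:53 235.17.178.52.in-addr.arpa udp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\S+?):(\d+)(?: (\S+))? (tcp|udp)$")


def parse_rows(text):
    """Parse the table; the header line and blanks do not match and are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_dns(row):
    return row["proto"] == "udp" and row["port"] == 53


def forward_lookups(rows):
    """Names the sample resolved. Reverse (in-addr.arpa) lookups only name
    IPs already present as peers, so they are dropped here."""
    names = {r["domain"] for r in rows
             if is_dns(r) and r["domain"] and not r["domain"].endswith(".in-addr.arpa")}
    return sorted(names)


def connections(rows):
    """Non-DNS destinations with hit counts, most contacted first."""
    counts = Counter((r["ip"], r["port"], r["proto"], r["domain"] or "", r["country"])
                     for r in rows if not is_dns(r))
    return [{"ip": ip, "port": port, "proto": proto, "domain": domain,
             "country": country, "hits": hits}
            for (ip, port, proto, domain, country), hits in counts.most_common()]


def extract_iocs(rows):
    """Split contacts into 'resolved by the sample, then contacted' (C2 candidates)
    and 'contacted with no matching lookup' (left for analyst review)."""
    names = set(forward_lookups(rows))
    conns = connections(rows)
    return {
        "domains": sorted(names),
        "c2_candidates": [c for c in conns if c["domain"] in names],
        "unattributed": [c for c in conns if not c["domain"]],
    }


if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(NETWORK_ROWS))
    for key, value in iocs.items():
        print(key, value)
```

On this table the only forward lookup is a0981474.xsph.ru, followed by four plain-HTTP connections to 141.8.194.149:80, the single destination the sample both resolved and contacted; that pair is the indicator worth blocking and hunting for. The two TCP destinations with no domain in the table stay under "unattributed" because nothing on the page attributes them to the sample or to the platform.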

Files

memory/2236-0-0x0000000000400000-0x0000000000C6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\New Project 1.exe

MD5 bba499baa7c430d4f0bac0b231e75b82
SHA1 743a8a70bae9478061103d668b0d000371fd1840
SHA256 418b1fb225defe29d9605e560757d93048210818c49dce49f62a1f7f5e02f2fc
SHA512 17c745b9919405a6243564b7f44c7b9e3ae586dec6a2947572072b2c45a65e020cbcaf54f0761393cf088f7f4006492cda22ae3e9d19d416fd35a66f49e6cdeb

C:\Users\Admin\AppData\Local\Temp\channels4_profile.ico

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

C:\surrogatedriverbroker\MX0u5YpaE0Bl8Q4tzHjuN5MlF.vbe

C:\surrogatedriverbroker\file.vbs

C:\surrogatedriverbroker\iB8LDc93mffvsV4P5elLH7ibJvoD.bat

C:\surrogatedriverbroker\runtimeDhcpCommon.exe

C:\Users\Admin\AppData\Local\Temp\de2055f3-e164-4113-b290-2f1dbd3e7d8f.vbs

C:\Users\Admin\AppData\Local\Temp\5818b527-3acb-4b64-87cd-c66639d6b2bc.vbs
