dcrat | 3a25f273c5c69615a17a5e9764846b1f44d1ade939602ec4da7e81229f9cc955

General

Target

fixnoblackmail.exe
Size

1.2MB
MD5

990b093e34cd09a232f0e2228f3b126b
SHA1

a37a9b18ceb0f8bc6916cda25c851999d9859251
SHA256

3a25f273c5c69615a17a5e9764846b1f44d1ade939602ec4da7e81229f9cc955
SHA512

ebc2cd9e994fcce1a80259bbfc001d5700eaf035f6ee7ec5dd8d433fa4fa1899f7ffb3e52e0ba94de24beeae839574a6968387f72905a88d618e0222555f358a
SSDEEP

24576:ijn9b91W4uOh3hmm6CpJQeBolPwRq9gFgBOv5eQuBFidboDBg:a9jW4uuRm/G3BoOgBKruBMlo

Score

10^/10

dcrat xworm execution infostealer persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

rooms-belkin.gl.at.ply.gg:48066

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

DcRat 11 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exepowershell.exeschtasks.exeschtasks.exeschtasks.exeContainerRuntime.exeschtasks.exeschtasks.exe

pid	process
1292	schtasks.exe
2168	schtasks.exe
2184	schtasks.exe
2828	powershell.exe
788	schtasks.exe
2748	schtasks.exe
768	schtasks.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\886983d96e3d3e	ContainerRuntime.exe
984	schtasks.exe
2192	schtasks.exe
File created	C:\Windows\AppCompat\Programs\f3b6ecef712a24	ContainerRuntime.exe

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\vamicheatloader.exe	family_xworm
behavioral1/memory/2524-12-0x0000000000220000-0x000000000023A000-memory.dmp	family_xworm
behavioral1/memory/1748-75-0x0000000000AC0000-0x0000000000ADA000-memory.dmp	family_xworm

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2372	schtasks.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\antivirus.exe	dcrat
\hyperagentWebSession\ContainerRuntime.exe	dcrat
behavioral1/memory/2716-47-0x00000000009D0000-0x0000000000AB2000-memory.dmp	dcrat
behavioral1/memory/1664-66-0x0000000000060000-0x0000000000142000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2736	powershell.exe
1608	powershell.exe
1360	powershell.exe
2828	powershell.exe
1256	powershell.exe
1244	powershell.exe
868	powershell.exe
2568	powershell.exe

Drops startup file 4 IoCs

Processes:

vamicheatloader.exesvchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	vamicheatloader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	vamicheatloader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 5 IoCs

Processes:

antivirus.exevamicheatloader.exeContainerRuntime.execsrss.exesvchost.exe

pid process

2960 antivirus.exe
2524 vamicheatloader.exe
2716 ContainerRuntime.exe
1664 csrss.exe
1748 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2136 cmd.exe
2136 cmd.exe

pid	process
2960	antivirus.exe
2524	vamicheatloader.exe
2716	ContainerRuntime.exe
1664	csrss.exe
1748	svchost.exe

pid	process
2136	cmd.exe
2136	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exevamicheatloader.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	vamicheatloader.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 2 IoCs

Processes:

ContainerRuntime.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe	ContainerRuntime.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\886983d96e3d3e	ContainerRuntime.exe

Drops file in Windows directory 3 IoCs

Processes:

ContainerRuntime.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\f3b6ecef712a24	ContainerRuntime.exe
File created	C:\Windows\AppCompat\Programs\spoolsv.exe	ContainerRuntime.exe
File opened for modification	C:\Windows\AppCompat\Programs\spoolsv.exe	ContainerRuntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2748 schtasks.exe
768 schtasks.exe
1292 schtasks.exe
788 schtasks.exe
984 schtasks.exe
2168 schtasks.exe
2192 schtasks.exe
2184 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2852 timeout.exe

pid	process
2748	schtasks.exe
768	schtasks.exe
1292	schtasks.exe
788	schtasks.exe
984	schtasks.exe
2168	schtasks.exe
2192	schtasks.exe
2184	schtasks.exe

pid	process
2852	timeout.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exepowershell.exepowershell.exeContainerRuntime.exepowershell.execsrss.exevamicheatloader.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exe

pid	process
2828	powershell.exe
1256	powershell.exe
1244	powershell.exe
2716	ContainerRuntime.exe
868	powershell.exe
1664	csrss.exe
2524	vamicheatloader.exe
1664	csrss.exe
1664	csrss.exe
1664	csrss.exe
1664	csrss.exe
1664	csrss.exe
1664	csrss.exe
1664	csrss.exe
1664	csrss.exe
2568	powershell.exe
2736	powershell.exe
1608	powershell.exe
1360	powershell.exe
1748	svchost.exe
1748	svchost.exe
1748	svchost.exe
1748	svchost.exe
1748	svchost.exe
1748	svchost.exe
1748	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid process

1664 csrss.exe

pid	process
1664	csrss.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

vamicheatloader.exepowershell.exepowershell.exepowershell.exeContainerRuntime.exepowershell.execsrss.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2524	vamicheatloader.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	2716	ContainerRuntime.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	1664	csrss.exe
Token: SeDebugPrivilege	2524	vamicheatloader.exe
Token: SeDebugPrivilege	1748	svchost.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1748	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vamicheatloader.exesvchost.exe

pid process

2524 vamicheatloader.exe
1748 svchost.exe

pid	process
2524	vamicheatloader.exe
1748	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fixnoblackmail.exeantivirus.exevamicheatloader.exeWScript.execmd.exeContainerRuntime.exetaskeng.execmd.exesvchost.exe

description	pid	process	target process
PID 2460 wrote to memory of 2960	2460	fixnoblackmail.exe	antivirus.exe
PID 2460 wrote to memory of 2960	2460	fixnoblackmail.exe	antivirus.exe
PID 2460 wrote to memory of 2960	2460	fixnoblackmail.exe	antivirus.exe
PID 2460 wrote to memory of 2960	2460	fixnoblackmail.exe	antivirus.exe
PID 2460 wrote to memory of 2524	2460	fixnoblackmail.exe	vamicheatloader.exe
PID 2460 wrote to memory of 2524	2460	fixnoblackmail.exe	vamicheatloader.exe
PID 2460 wrote to memory of 2524	2460	fixnoblackmail.exe	vamicheatloader.exe
PID 2960 wrote to memory of 2088	2960	antivirus.exe	WScript.exe
PID 2960 wrote to memory of 2088	2960	antivirus.exe	WScript.exe
PID 2960 wrote to memory of 2088	2960	antivirus.exe	WScript.exe
PID 2960 wrote to memory of 2088	2960	antivirus.exe	WScript.exe
PID 2524 wrote to memory of 2828	2524	vamicheatloader.exe	powershell.exe
PID 2524 wrote to memory of 2828	2524	vamicheatloader.exe	powershell.exe
PID 2524 wrote to memory of 2828	2524	vamicheatloader.exe	powershell.exe
PID 2524 wrote to memory of 1256	2524	vamicheatloader.exe	powershell.exe
PID 2524 wrote to memory of 1256	2524	vamicheatloader.exe	powershell.exe
PID 2524 wrote to memory of 1256	2524	vamicheatloader.exe	powershell.exe
PID 2524 wrote to memory of 1244	2524	vamicheatloader.exe	powershell.exe
PID 2524 wrote to memory of 1244	2524	vamicheatloader.exe	powershell.exe
PID 2524 wrote to memory of 1244	2524	vamicheatloader.exe	powershell.exe
PID 2088 wrote to memory of 2136	2088	WScript.exe	cmd.exe
PID 2088 wrote to memory of 2136	2088	WScript.exe	cmd.exe
PID 2088 wrote to memory of 2136	2088	WScript.exe	cmd.exe
PID 2088 wrote to memory of 2136	2088	WScript.exe	cmd.exe
PID 2136 wrote to memory of 2716	2136	cmd.exe	ContainerRuntime.exe
PID 2136 wrote to memory of 2716	2136	cmd.exe	ContainerRuntime.exe
PID 2136 wrote to memory of 2716	2136	cmd.exe	ContainerRuntime.exe
PID 2136 wrote to memory of 2716	2136	cmd.exe	ContainerRuntime.exe
PID 2524 wrote to memory of 868	2524	vamicheatloader.exe	powershell.exe
PID 2524 wrote to memory of 868	2524	vamicheatloader.exe	powershell.exe
PID 2524 wrote to memory of 868	2524	vamicheatloader.exe	powershell.exe
PID 2716 wrote to memory of 1664	2716	ContainerRuntime.exe	csrss.exe
PID 2716 wrote to memory of 1664	2716	ContainerRuntime.exe	csrss.exe
PID 2716 wrote to memory of 1664	2716	ContainerRuntime.exe	csrss.exe
PID 2524 wrote to memory of 788	2524	vamicheatloader.exe	schtasks.exe
PID 2524 wrote to memory of 788	2524	vamicheatloader.exe	schtasks.exe
PID 2524 wrote to memory of 788	2524	vamicheatloader.exe	schtasks.exe
PID 2728 wrote to memory of 1748	2728	taskeng.exe	svchost.exe
PID 2728 wrote to memory of 1748	2728	taskeng.exe	svchost.exe
PID 2728 wrote to memory of 1748	2728	taskeng.exe	svchost.exe
PID 2524 wrote to memory of 2856	2524	vamicheatloader.exe	schtasks.exe
PID 2524 wrote to memory of 2856	2524	vamicheatloader.exe	schtasks.exe
PID 2524 wrote to memory of 2856	2524	vamicheatloader.exe	schtasks.exe
PID 2524 wrote to memory of 888	2524	vamicheatloader.exe	cmd.exe
PID 2524 wrote to memory of 888	2524	vamicheatloader.exe	cmd.exe
PID 2524 wrote to memory of 888	2524	vamicheatloader.exe	cmd.exe
PID 888 wrote to memory of 2852	888	cmd.exe	timeout.exe
PID 888 wrote to memory of 2852	888	cmd.exe	timeout.exe
PID 888 wrote to memory of 2852	888	cmd.exe	timeout.exe
PID 1748 wrote to memory of 2568	1748	svchost.exe	powershell.exe
PID 1748 wrote to memory of 2568	1748	svchost.exe	powershell.exe
PID 1748 wrote to memory of 2568	1748	svchost.exe	powershell.exe
PID 1748 wrote to memory of 2736	1748	svchost.exe	powershell.exe
PID 1748 wrote to memory of 2736	1748	svchost.exe	powershell.exe
PID 1748 wrote to memory of 2736	1748	svchost.exe	powershell.exe
PID 1748 wrote to memory of 1608	1748	svchost.exe	powershell.exe
PID 1748 wrote to memory of 1608	1748	svchost.exe	powershell.exe
PID 1748 wrote to memory of 1608	1748	svchost.exe	powershell.exe
PID 1748 wrote to memory of 1360	1748	svchost.exe	powershell.exe
PID 1748 wrote to memory of 1360	1748	svchost.exe	powershell.exe
PID 1748 wrote to memory of 1360	1748	svchost.exe	powershell.exe
PID 1748 wrote to memory of 984	1748	svchost.exe	schtasks.exe
PID 1748 wrote to memory of 984	1748	svchost.exe	schtasks.exe
PID 1748 wrote to memory of 984	1748	svchost.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fixnoblackmail.exe
"C:\Users\Admin\AppData\Local\Temp\fixnoblackmail.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2460

C:\Users\Admin\AppData\Roaming\antivirus.exe
"C:\Users\Admin\AppData\Roaming\antivirus.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hyperagentWebSession\Zb1jHmnmFVc9HP.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hyperagentWebSession\yuP5unmniJ9kfmlaGKdL27GgoApcI.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136

C:\hyperagentWebSession\ContainerRuntime.exe
"C:\hyperagentWebSession\ContainerRuntime.exe"
5⤵
- DcRat
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe
"C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Users\Admin\AppData\Roaming\vamicheatloader.exe
"C:\Users\Admin\AppData\Roaming\vamicheatloader.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\vamicheatloader.exe'
3⤵
- DcRat
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vamicheatloader.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- DcRat
- Creates scheduled task(s)
PID:788

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
3⤵
PID:2856

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp98D6.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\taskeng.exe
taskeng.exe {2DBE0C8F-7BD8-4EF3-A0A9-919A5C3005D3} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- DcRat
- Creates scheduled task(s)
PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp98D6.tmp.bat

Filesize
164B

MD5
987a6c236230b55184a5a4ed5e0f6c91

SHA1
6ad60aebbc9d3af22b1fdcc2c548309c7d7057cc

SHA256
f048d53c0e193b74f1f86abe1524c9adb7d13c56b5035e57fdd48dc62006b1cd

SHA512
60dfb141e4526c528b6fec853a77f351c52d618bb765d9888ae7b29e82ab73d74e50b6167d8faf6a3c59492af325e1a3fa5194c509b368ac80b9bf8b24730541

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6FJCNJR3NLTJWAPSGD3B.temp

Filesize
7KB

MD5
d35e4ea26ff08c835c253b2a5c562009

SHA1
9b6ab34eda0fcb750a1e004fe00644c8b7693acc

SHA256
a5e9a51bb58f934a03e3d0f25b5c75df54b452bb04fb0d09a6a85a0408403cf8

SHA512
54868e9ef1f54af5df3e9a730b9aeb4f215dca0c3674aabede487511496db62d5c3e82eb3eac0cf05d9b82774432f82f25ebdec3af0ba8505b976d4413d161dd

Download Submit
C:\Users\Admin\AppData\Roaming\antivirus.exe

Filesize
1.2MB

MD5
7ede07ce5ef82a5930fd2da3b84a268a

SHA1
95629d6e699ac50645f655a22d9fdb3f64317088

SHA256
11a6c027d3beb5a7404dd344856d710761ab30601561cb7f401bcbbeff758fc9

SHA512
60451ae02a7be75b30ca099d51734731a97d095c8a16c3f4ce3746176ca5fd9993e1f5068ad32a551b406660fa319a0ac0a2eead4ddb8d1bd8382bbb87db7b7f

Download Submit
C:\Users\Admin\AppData\Roaming\vamicheatloader.exe

Filesize
77KB

MD5
b074da06d9857ac5261d62b2446774a4

SHA1
7137511fab7f416097aafba40cb0b6becf6c9d6e

SHA256
d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58

SHA512
04faf087159d02915d9981f4666b2dcc1441f6212f9fe8ef8750e1b69436159ac1063c9a2191f59c77864b7688955e3f5e9db7fe0c5f50791bcbb52c49fa3367

Download Submit
C:\hyperagentWebSession\Zb1jHmnmFVc9HP.vbe

Filesize
226B

MD5
0e4d9c16f89f0638a049d72ac22dc9fc

SHA1
efeffd5164b5295101a330c861d82657e3a3a00c

SHA256
a99a63bb00634e77e267410195fb98da4084206875dbd2bb6f89ae5a9358030f

SHA512
87539a1e28b5aef81d14653fb81c9f153fc7e69fb92967e38f867c8436f2d05751d86cfb8dd705697ed950b99bc73451ac5350058299121da40ce3bcb4f7e82a

Download Submit
C:\hyperagentWebSession\yuP5unmniJ9kfmlaGKdL27GgoApcI.bat

Filesize
46B

MD5
f4d4ecd293d644fbf8da9ce1a1888d53

SHA1
75133a217b7a0e9bb53b8825d3bae8269a90bd17

SHA256
4ec831b8a011a0df05c11c99af0ca887b47f70b0638588d32e7c2bec869ffff6

SHA512
b4c1219ee39f187117ebaac5a70e2bd536c9555342cdab874b553dddde528719e7ac59c51f8a42be567c032b1bf79a375856d05269905371b997793dc19f43a2

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\hyperagentWebSession\ContainerRuntime.exe

Filesize
877KB

MD5
5f06823c87329157368dc1bebbbc39ef

SHA1
3fc404f0511b687e5e997a4ec4209c81eef93195

SHA256
ced4800fdbfb4303f7f9d9566d2bee35368de23e7b6a6c58d39a19e6d5ef7d05

SHA512
fcd03d048f94767dc2ef73a5f8b428cc75c9f2c02da25cf697dab391232e00a8ba3a92779f382b5924e105cf5b938cc20071955f4ad1829fd7b4d1d643af8ff7

Download Submit
memory/868-57-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/868-56-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1256-34-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/1256-35-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1664-66-0x0000000000060000-0x0000000000142000-memory.dmp

Filesize
904KB

Download
memory/1748-75-0x0000000000AC0000-0x0000000000ADA000-memory.dmp

Filesize
104KB

Download
memory/1748-113-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2460-0-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp

Filesize
4KB

Download
memory/2460-1-0x0000000000910000-0x0000000000A56000-memory.dmp

Filesize
1.3MB

Download
memory/2524-86-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-22-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-12-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/2524-71-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-93-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2568-94-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download
memory/2716-48-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2716-47-0x00000000009D0000-0x0000000000AB2000-memory.dmp

Filesize
904KB

Download
memory/2736-100-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/2828-28-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2828-27-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads