Malware Analysis Report

2024-10-10 12:55

Sample ID 240531-rphcwabb9t
Target a65ef974cf4bc255d44fa7ab8acddf50.exe
SHA256 17df189cef5f2bdadd4265e9d5b2bf2408bbf5905389b6788aaa21bd59d889b2
Tags: rat dcrat infostealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 17df189cef5f2bdadd4265e9d5b2bf2408bbf5905389b6788aaa21bd59d889b2

Threat Level: Known bad

The file a65ef974cf4bc255d44fa7ab8acddf50.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

DCRat payload

Process spawned unexpected child process

DcRat

DCRat payload

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-31 14:21

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-31 14:21
Reported: 2024-05-31 14:24
Platform: win7-20240215-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Google\spoolsv.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\en-US\a65ef974cf4bc255d44fa7ab8acddf50.exe | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\en-US\ece3b9136ae8fd | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Program Files (x86)\Google\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Program Files (x86)\Google\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google\spoolsv.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Google\spoolsv.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe

"C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a65ef974cf4bc255d44fa7ab8acddf50a" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\a65ef974cf4bc255d44fa7ab8acddf50.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a65ef974cf4bc255d44fa7ab8acddf50" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\a65ef974cf4bc255d44fa7ab8acddf50.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a65ef974cf4bc255d44fa7ab8acddf50a" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\en-US\a65ef974cf4bc255d44fa7ab8acddf50.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z86xEElT71.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Google\spoolsv.exe

"C:\Program Files (x86)\Google\spoolsv.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | a0986754.xsph.ru | udp
RU | 141.8.192.103:80 | a0986754.xsph.ru | tcp

Files

memory/1756-0-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp

memory/1756-1-0x00000000008F0000-0x0000000000A0A000-memory.dmp

memory/1756-2-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

memory/1756-3-0x00000000005D0000-0x00000000005EC000-memory.dmp

memory/1756-4-0x00000000005F0000-0x0000000000602000-memory.dmp

C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe

MD5 a65ef974cf4bc255d44fa7ab8acddf50
SHA1 dfbf0babf43166796c2f5cef62742e9bfc00c55b
SHA256 17df189cef5f2bdadd4265e9d5b2bf2408bbf5905389b6788aaa21bd59d889b2
SHA512 18bb4f417e84fea2c9b1eb20658c9bcb9a6317a50462db9c490b03ac7f7176d5c2a7c6cde9253a2991df70e866350c93ffe4ff2120f2ae85e26361d764a765dc

C:\Users\Admin\AppData\Local\Temp\Z86xEElT71.bat

MD5 8c9048dcb1e212b68cb9aaeeb55f4961
SHA1 0002adaaf8ea0bc7ba12da9b18540cca3c689878
SHA256 10b95c08834aaaca2a6f69b4385e4ea72a69514487a1cb901da3731400908857
SHA512 1c0111b7f1fa9162347bea3b00a8875a140ca87ed7171ce36ed38a351e4e18cad673000d4d89bbc97e8dd68e226047418645020708ca0964086b4f34e8e0d1d1

memory/1756-20-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

memory/1988-23-0x0000000000150000-0x000000000026A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-31 14:21
Reported: 2024-05-31 14:24
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Recovery\WindowsRE\taskhostw.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ee2ad38f3d4382 | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Program Files (x86)\Microsoft\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Program Files (x86)\Microsoft\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Program Files (x86)\Windows Multimedia Platform\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Fonts\System.exe | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Windows\twain_32\SppExtComObj.exe | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Windows\appcompat\encapsulation\explorer.exe | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Windows\Downloaded Program Files\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Windows\Downloaded Program Files\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Windows\Speech_OneCore\Engines\TTS\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Windows\Speech_OneCore\Engines\TTS\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Windows\PrintDialog\pris\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Windows\twain_32\e1ef82546f0b02 | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File opened for modification | C:\Windows\appcompat\encapsulation\explorer.exe | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Windows\appcompat\encapsulation\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Windows\Fonts\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
File created | C:\Windows\PrintDialog\pris\System.exe | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
N/A | N/A | C:\Recovery\WindowsRE\taskhostw.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\taskhostw.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe

"C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\encapsulation\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\appcompat\encapsulation\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Default\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\PrintDialog\pris\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\pris\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\twain_32\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPrqJdYU34.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\taskhostw.exe

"C:\Recovery\WindowsRE\taskhostw.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | a0986754.xsph.ru | udp
RU | 141.8.192.103:80 | a0986754.xsph.ru | tcp
US | 8.8.8.8:53 | 103.192.8.141.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 160.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp

Files

memory/912-0-0x00007FF84DF63000-0x00007FF84DF65000-memory.dmp

memory/912-1-0x00000000001E0000-0x00000000002FA000-memory.dmp

memory/912-2-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp

memory/912-3-0x0000000002410000-0x000000000242C000-memory.dmp

memory/912-5-0x0000000002430000-0x0000000002442000-memory.dmp

memory/912-4-0x000000001AFB0000-0x000000001B000000-memory.dmp

memory/912-6-0x000000001BB90000-0x000000001C0B8000-memory.dmp

C:\ProgramData\explorer.exe

MD5 a65ef974cf4bc255d44fa7ab8acddf50
SHA1 dfbf0babf43166796c2f5cef62742e9bfc00c55b
SHA256 17df189cef5f2bdadd4265e9d5b2bf2408bbf5905389b6788aaa21bd59d889b2
SHA512 18bb4f417e84fea2c9b1eb20658c9bcb9a6317a50462db9c490b03ac7f7176d5c2a7c6cde9253a2991df70e866350c93ffe4ff2120f2ae85e26361d764a765dc

memory/912-44-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UPrqJdYU34.bat

MD5 48f5d9785168984b4438df9c6ba65741
SHA1 cd111b19e68b76d9159cf3e6875a2de153f2e817
SHA256 bcbe4b39f07e243a8aba71418ec39991746ae208bbc969ce7ee0564a9bba1413
SHA512 c5f738f424bcbf62902915c1ac13005e00a585ce3e343378e9d102129c738a79f57264c3fe7c746cad07a0bf2a182f001d6911cdb70e37fc4383230cd44e55f3