Malware Analysis Report

2024-10-10 12:53

Sample ID 240601-exbtvahf9v
Target 8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe
SHA256 8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710
Tags
rat dcrat evasion infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710

Threat Level: Known bad

The file 8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

DCRat payload

DcRat

Dcrat family

Process spawned unexpected child process

UAC bypass

DCRat payload

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

System policy modification

Creates scheduled task(s)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 04:18

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 04:18

Reported

2024-06-01 04:21

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
(12 identical rows, one per schtasks.exe invocation listed under Processes)

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Microsoft Office\lsm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Microsoft Office\lsm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Microsoft Office\lsm.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\lsm.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Microsoft Office\lsm.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Microsoft Office\lsm.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\lsm.exe | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\RCX3593.tmp | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX3806.tmp | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\lsm.exe | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\101b941d020240 | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\RCX3594.tmp | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX3798.tmp | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\101b941d020240 | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\SoftwareDistribution\ScanFile\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\ScanFile\RCX3A77.tmp | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\ScanFile\RCX3AE5.tmp | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\ScanFile\Idle.exe | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File created | C:\Windows\SoftwareDistribution\ScanFile\Idle.exe | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Office\lsm.exe | N/A

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Microsoft Office\lsm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Microsoft Office\lsm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Microsoft Office\lsm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe

"C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\ScanFile\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\ScanFile\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\ScanFile\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tBXRfF9SP5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Microsoft Office\lsm.exe

"C:\Program Files (x86)\Microsoft Office\lsm.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | a0982032.xsph.ru | udp
RU | 141.8.197.42:80 | a0982032.xsph.ru | tcp
RU | 141.8.197.42:80 | a0982032.xsph.ru | tcp

Files

memory/2476-0-0x000007FEF5F73000-0x000007FEF5F74000-memory.dmp

memory/2476-1-0x0000000000250000-0x00000000003DC000-memory.dmp

memory/2476-2-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

memory/2476-3-0x0000000000470000-0x000000000048C000-memory.dmp

memory/2476-4-0x0000000000240000-0x0000000000250000-memory.dmp

memory/2476-6-0x00000000003E0000-0x00000000003F0000-memory.dmp

memory/2476-5-0x0000000000520000-0x0000000000536000-memory.dmp

memory/2476-7-0x0000000000490000-0x000000000049A000-memory.dmp

memory/2476-8-0x00000000005C0000-0x00000000005C8000-memory.dmp

memory/2476-9-0x00000000005D0000-0x00000000005DC000-memory.dmp

memory/2476-10-0x0000000000860000-0x0000000000868000-memory.dmp

memory/2476-12-0x0000000000A90000-0x0000000000A9C000-memory.dmp

memory/2476-11-0x0000000000A80000-0x0000000000A88000-memory.dmp

memory/2476-13-0x0000000002250000-0x000000000225A000-memory.dmp

memory/2476-14-0x0000000002260000-0x000000000226C000-memory.dmp

C:\Program Files (x86)\Microsoft Office\lsm.exe

MD5 0a32536cc1d5e2a35d7d289b4ff0e76b
SHA1 98736b0b5a6f3709f81365c9e6477819074c3170
SHA256 8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710
SHA512 b2d5d91eb7ecfc6eb295c63ecba5c3ceb4b4a865fc9a9f90bd1e82bff4bc39905baf9ab2962580ee708761632e5499694f3f823aa2f139bce809398262eb3b73

C:\Windows\SoftwareDistribution\ScanFile\Idle.exe

MD5 2060d49ecffcd032fd086452b48c6b21
SHA1 3a5f4f1717cd86454a5ae58b79e8632f986bbdef
SHA256 ca7eea9e5a40e91bc7b988068a66a971b6a61822d9bba2a35eeacfc042204c8a
SHA512 652463ed82e32ae2aa10c5e9a44cfdb21d1511f59d7be8f783fc9ebd95283b109cd58a4a8a926a5cbac410de964b7de9bae41c69b0b23f75d1225c43c2e5e8d9

C:\MSOCache\All Users\RCX3D09.tmp

MD5 bf164fec3cd078761a70462be31050fb
SHA1 48ebbb45426cbe2056e5f0bca1bd03e06ddfa5a2
SHA256 1d547dd97ae48345cae40c0a76258b3efa12dd8e9ea689f3d022e482584aa173
SHA512 fc4dbc0aa8d172b2b6c706e778acf5e49a5fc4c1c1fa763bd01a6d4332f1731ae5a87bfb500027067c3bb1b7508326c81b0462c08667b2b7a68bdc1ec38e748b

memory/2476-78-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tBXRfF9SP5.bat

MD5 c1d6a457ddb31975558fcc6800009e01
SHA1 f5befa0a09cf93d291dc3f1fb507474697d07af8
SHA256 5db43825b676e7531b89d8a674dd7ecb92a142d25ba9a3d0f881f44ad42c0ab0
SHA512 29fc755c0f03c6fab862dcdede4bc8d4de4e564189fc0477578afb2962bff88eacd60a271d12251919b819296798ab05ed178ee28c3a9c58a1987b4938a998ce

memory/1616-82-0x0000000000D10000-0x0000000000E9C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 04:18

Reported

2024-06-01 04:21

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
(33 identical rows, one per schtasks.exe invocation listed under Processes)

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\upfc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\upfc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\upfc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Default User\upfc.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default User\upfc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\upfc.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Uninstall Information\RCX6487.tmp | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File created | C:\Program Files\Uninstall Information\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\RCX5566.tmp | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Program Files\Uninstall Information\RCX6488.tmp | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Program Files\Uninstall Information\System.exe | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX6719.tmp | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\SppExtComObj.exe | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\SppExtComObj.exe | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\System.exe | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX67A6.tmp | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\de-DE\System.exe | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\e1ef82546f0b02 | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File created | C:\Program Files\ModifiableWindowsApps\StartMenuExperienceHost.exe | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File created | C:\Program Files\Uninstall Information\System.exe | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\RCX5565.tmp | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
(33 identical rows, one per schtasks.exe invocation listed under Processes)

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default User\upfc.exe | N/A

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\upfc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\upfc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\upfc.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe

"C:\Users\Admin\AppData\Local\Temp\8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Default\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Default\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Users\Default User\upfc.exe

"C:\Users\Default User\upfc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 a0982032.xsph.ru udp
RU 141.8.197.42:80 a0982032.xsph.ru tcp
RU 141.8.197.42:80 a0982032.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

memory/1448-0-0x00007FFBF4693000-0x00007FFBF4695000-memory.dmp

memory/1448-1-0x0000000000ED0000-0x000000000105C000-memory.dmp

memory/1448-2-0x00007FFBF4690000-0x00007FFBF5151000-memory.dmp

memory/1448-3-0x000000001BC50000-0x000000001BC6C000-memory.dmp

memory/1448-7-0x000000001BCA0000-0x000000001BCB0000-memory.dmp

memory/1448-6-0x000000001BC80000-0x000000001BC96000-memory.dmp

memory/1448-5-0x000000001BC70000-0x000000001BC80000-memory.dmp

memory/1448-4-0x000000001BE10000-0x000000001BE60000-memory.dmp

memory/1448-8-0x000000001BCB0000-0x000000001BCBA000-memory.dmp

memory/1448-9-0x000000001BCC0000-0x000000001BCC8000-memory.dmp

memory/1448-10-0x000000001BCD0000-0x000000001BCDC000-memory.dmp

memory/1448-13-0x000000001BE60000-0x000000001BE6C000-memory.dmp

memory/1448-12-0x000000001BCF0000-0x000000001BCF8000-memory.dmp

memory/1448-11-0x000000001BCE0000-0x000000001BCE8000-memory.dmp

memory/1448-15-0x000000001BE80000-0x000000001BE8C000-memory.dmp

memory/1448-14-0x000000001BE70000-0x000000001BE7A000-memory.dmp

C:\Users\Default\TextInputHost.exe

MD5 0a32536cc1d5e2a35d7d289b4ff0e76b
SHA1 98736b0b5a6f3709f81365c9e6477819074c3170
SHA256 8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710
SHA512 b2d5d91eb7ecfc6eb295c63ecba5c3ceb4b4a865fc9a9f90bd1e82bff4bc39905baf9ab2962580ee708761632e5499694f3f823aa2f139bce809398262eb3b73

C:\Recovery\WindowsRE\RCX577B.tmp

MD5 bf164fec3cd078761a70462be31050fb
SHA1 48ebbb45426cbe2056e5f0bca1bd03e06ddfa5a2
SHA256 1d547dd97ae48345cae40c0a76258b3efa12dd8e9ea689f3d022e482584aa173
SHA512 fc4dbc0aa8d172b2b6c706e778acf5e49a5fc4c1c1fa763bd01a6d4332f1731ae5a87bfb500027067c3bb1b7508326c81b0462c08667b2b7a68bdc1ec38e748b

C:\Recovery\WindowsRE\fontdrvhost.exe

MD5 5efbffe52adea51f20826dee8c91644d
SHA1 29f7c42e014a5cf7a5bf8d3cba18e783d5bb15be
SHA256 7b7ec69bc29e8c9df47ecc0120a24b95a555a70b60a58b6cc1279b332da9a033
SHA512 c777f5254f6e26b0fcbcc00c24905c898609762b16be5bec00e1c85137c5642fc5015f0f678aeb7402291ea8283f07ab4533c4fbc6ffdb1312c76298e8ffdd07

memory/1448-233-0x00007FFBF4690000-0x00007FFBF5151000-memory.dmp