Malware Analysis Report

2024-10-10 12:50

Sample ID 240602-kcw7yagg55
Target test.exe
SHA256 e6f5a22e02d955d98c78d0c327071b908e17b033be56a979f1350d24b399f0d7
Tags
rat dcrat infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e6f5a22e02d955d98c78d0c327071b908e17b033be56a979f1350d24b399f0d7

Threat Level: Known bad

The file test.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer spyware stealer

DCRat payload

Dcrat family

DcRat

Process spawned unexpected child process

DCRat payload

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 08:27

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 08:27

Reported

2024-06-02 08:30

Platform

win7-20240508-en

Max time kernel

140s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\test.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\webPerf\bridgeBrokerdll.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\audiodg.exe C:\webPerf\bridgeBrokerdll.exe N/A
File created C:\Program Files (x86)\Windows NT\42af1c969fbb7b C:\webPerf\bridgeBrokerdll.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\dwm.exe C:\webPerf\bridgeBrokerdll.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\6cb0b6c459d5d3 C:\webPerf\bridgeBrokerdll.exe N/A
File created C:\Program Files (x86)\Google\Temp\smss.exe C:\webPerf\bridgeBrokerdll.exe N/A
File created C:\Program Files (x86)\Google\Temp\69ddcba757bf72 C:\webPerf\bridgeBrokerdll.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhost.exe C:\webPerf\bridgeBrokerdll.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\b75386f1303e64 C:\webPerf\bridgeBrokerdll.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Migration\WTR\b75386f1303e64 C:\webPerf\bridgeBrokerdll.exe N/A
File created C:\Windows\ja-JP\bridgeBrokerdll.exe C:\webPerf\bridgeBrokerdll.exe N/A
File created C:\Windows\ja-JP\c07022305ee943 C:\webPerf\bridgeBrokerdll.exe N/A
File created C:\Windows\Migration\WTR\taskhost.exe C:\webPerf\bridgeBrokerdll.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\webPerf\bridgeBrokerdll.exe N/A
N/A N/A C:\webPerf\bridgeBrokerdll.exe N/A
N/A N/A C:\webPerf\bridgeBrokerdll.exe N/A
N/A N/A C:\webPerf\bridgeBrokerdll.exe N/A
N/A N/A C:\webPerf\bridgeBrokerdll.exe N/A
N/A N/A C:\webPerf\bridgeBrokerdll.exe N/A
N/A N/A C:\webPerf\bridgeBrokerdll.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\webPerf\bridgeBrokerdll.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\WScript.exe
PID 2104 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\WScript.exe
PID 2104 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\WScript.exe
PID 2104 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\WScript.exe
PID 2064 wrote to memory of 2724 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2724 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2724 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2724 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\webPerf\bridgeBrokerdll.exe
PID 2724 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\webPerf\bridgeBrokerdll.exe
PID 2724 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\webPerf\bridgeBrokerdll.exe
PID 2724 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\webPerf\bridgeBrokerdll.exe
PID 2768 wrote to memory of 2140 N/A C:\webPerf\bridgeBrokerdll.exe C:\Windows\System32\cmd.exe
PID 2768 wrote to memory of 2140 N/A C:\webPerf\bridgeBrokerdll.exe C:\Windows\System32\cmd.exe
PID 2768 wrote to memory of 2140 N/A C:\webPerf\bridgeBrokerdll.exe C:\Windows\System32\cmd.exe
PID 2140 wrote to memory of 2932 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2140 wrote to memory of 2932 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2140 wrote to memory of 2932 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2140 wrote to memory of 2084 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe
PID 2140 wrote to memory of 2084 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe
PID 2140 wrote to memory of 2084 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\webPerf\5rLin3I.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\webPerf\d7F5DOi3xKe.bat" "

C:\webPerf\bridgeBrokerdll.exe

"C:\webPerf\bridgeBrokerdll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeBrokerdllb" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\bridgeBrokerdll.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeBrokerdll" /sc ONLOGON /tr "'C:\Windows\ja-JP\bridgeBrokerdll.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeBrokerdllb" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\bridgeBrokerdll.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeBrokerdllb" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\bridgeBrokerdll.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeBrokerdll" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\bridgeBrokerdll.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeBrokerdllb" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\bridgeBrokerdll.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\webPerf\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\webPerf\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\webPerf\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\webPerf\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\webPerf\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\webPerf\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7rM7cVVMQQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0990550.xsph.ru udp
RU 141.8.192.103:80 a0990550.xsph.ru tcp
RU 141.8.192.103:80 a0990550.xsph.ru tcp
RU 141.8.192.103:80 a0990550.xsph.ru tcp
RU 141.8.192.103:80 a0990550.xsph.ru tcp
RU 141.8.192.103:80 a0990550.xsph.ru tcp
RU 141.8.192.103:80 a0990550.xsph.ru tcp
RU 141.8.192.103:80 a0990550.xsph.ru tcp
RU 141.8.192.103:80 a0990550.xsph.ru tcp

Files

C:\webPerf\5rLin3I.vbe

MD5 0e2aadd984b718c4f288f94f542c1b44
SHA1 e9c8c6401a607ad381a8807d7bc608c0067fc648
SHA256 57258478161967ccc2d23a604df94f05a05bb6556e703ffd13638aba179c0e96
SHA512 a3c172c0b7c49d8b65cbe2c4ba13a64a01fdb3289f0368f631c3db0eee904a952b42a5c01b53433432546c7e772b3e3e07231429abe695a788a2d53bcac5d0b3

C:\webPerf\d7F5DOi3xKe.bat

MD5 fee196a7842136f3575348c84982f5fd
SHA1 69a3b54b98ece770cea630a09afdd4b6344e8aeb
SHA256 8e1c3865bf42ea64999893d389632b236f0b660258eeba7268ee1ad8392c3b18
SHA512 73f3f330c916a1e723a5fe40931b18c461ddb45d3497c23655b97185c63107f6176647a12d74d7ecb240593080bb98d12d4b181d21b32c61ef005031f86681da

\webPerf\bridgeBrokerdll.exe

MD5 00896907be62c906323fc1eb97f24558
SHA1 9936310477ffd10b0f76b66d93e2e0b99d3fcecb
SHA256 9ae1999485774e4b008429ce2325f054276b758c7f6dccd559ecc800d135e55e
SHA512 ee8b6e121c6154bea76eac1f7d93c3b951570c03099bc60de66e8da03dd86f6a563d6fa6f5d552fc9c62350683c72241f3445399e2ff0e88dda1ed68b60267b0

memory/2768-13-0x00000000008F0000-0x0000000000A22000-memory.dmp

memory/2768-14-0x0000000000540000-0x000000000055C000-memory.dmp

memory/2768-15-0x0000000000560000-0x0000000000576000-memory.dmp

memory/2768-16-0x0000000000580000-0x000000000058C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7rM7cVVMQQ.bat

MD5 d6ba8acf6ed848065a576bcd6b064f33
SHA1 0c858a0bee0b50c229e9c09a8896be4bc33520b7
SHA256 e8b0e8fa32de6d6086401360e6f7915d25848dce6b5e9fcb3775383b0c9c14d7
SHA512 170a0314f53fd933bce8d8ebc55cc583ee572c682e07beeb61723daa7b07cd7f8b31381045dd5c0214abd25b81fb9c89de5576660953e0ac88dc860bff607849

memory/2084-54-0x0000000001370000-0x00000000014A2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 08:27

Reported

2024-06-02 08:30

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\test.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\test.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\webPerf\bridgeBrokerdll.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\webPerf\bridgeBrokerdll.exe N/A
N/A N/A C:\Users\Admin\Videos\SppExtComObj.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\DESIGNER\services.exe C:\webPerf\bridgeBrokerdll.exe N/A
File created C:\Program Files\Common Files\DESIGNER\c5b4cb5e9653cc C:\webPerf\bridgeBrokerdll.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\test.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\webPerf\bridgeBrokerdll.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Videos\SppExtComObj.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\webPerf\bridgeBrokerdll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Videos\SppExtComObj.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\webPerf\5rLin3I.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\webPerf\d7F5DOi3xKe.bat" "

C:\webPerf\bridgeBrokerdll.exe

"C:\webPerf\bridgeBrokerdll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\webPerf\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\webPerf\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\webPerf\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Videos\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\Videos\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\DESIGNER\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\DESIGNER\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\webPerf\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\webPerf\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\webPerf\sysmon.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7WJUieq5t9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\Videos\SppExtComObj.exe

"C:\Users\Admin\Videos\SppExtComObj.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 a0990550.xsph.ru udp
RU 141.8.192.103:80 a0990550.xsph.ru tcp
RU 141.8.192.103:80 a0990550.xsph.ru tcp
US 8.8.8.8:53 103.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
RU 141.8.192.103:80 a0990550.xsph.ru tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 141.8.192.103:80 a0990550.xsph.ru tcp

Files

C:\webPerf\5rLin3I.vbe

MD5 0e2aadd984b718c4f288f94f542c1b44
SHA1 e9c8c6401a607ad381a8807d7bc608c0067fc648
SHA256 57258478161967ccc2d23a604df94f05a05bb6556e703ffd13638aba179c0e96
SHA512 a3c172c0b7c49d8b65cbe2c4ba13a64a01fdb3289f0368f631c3db0eee904a952b42a5c01b53433432546c7e772b3e3e07231429abe695a788a2d53bcac5d0b3

C:\webPerf\d7F5DOi3xKe.bat

MD5 fee196a7842136f3575348c84982f5fd
SHA1 69a3b54b98ece770cea630a09afdd4b6344e8aeb
SHA256 8e1c3865bf42ea64999893d389632b236f0b660258eeba7268ee1ad8392c3b18
SHA512 73f3f330c916a1e723a5fe40931b18c461ddb45d3497c23655b97185c63107f6176647a12d74d7ecb240593080bb98d12d4b181d21b32c61ef005031f86681da

C:\webPerf\bridgeBrokerdll.exe

MD5 00896907be62c906323fc1eb97f24558
SHA1 9936310477ffd10b0f76b66d93e2e0b99d3fcecb
SHA256 9ae1999485774e4b008429ce2325f054276b758c7f6dccd559ecc800d135e55e
SHA512 ee8b6e121c6154bea76eac1f7d93c3b951570c03099bc60de66e8da03dd86f6a563d6fa6f5d552fc9c62350683c72241f3445399e2ff0e88dda1ed68b60267b0

memory/4204-12-0x00007FFCCB103000-0x00007FFCCB105000-memory.dmp

memory/4204-13-0x00000000006A0000-0x00000000007D2000-memory.dmp

memory/4204-17-0x00000000010B0000-0x00000000010BC000-memory.dmp

memory/4204-16-0x0000000002A40000-0x0000000002A56000-memory.dmp

memory/4204-15-0x000000001BB30000-0x000000001BB80000-memory.dmp

memory/4204-14-0x0000000002A20000-0x0000000002A3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7WJUieq5t9.bat

MD5 4b6cfaa92d700f3d3f871bc2b22ed8ed
SHA1 23a4902f92a4e23d951390884b1a6313fabe3c35
SHA256 e5887c8a050679269dd361ce97ed2ceb48ed35d444c691bf7ed2aba79bf69ab6
SHA512 a6d9bf568819a298649330fa3f3f86955cb21a0bdde60d784f6bcf05dbc243f12c86649ae73a1b9589337dc7045a0938474b425772ad20fd5545b5a2c011cca3