Malware Analysis Report

2024-10-10 12:49

Sample ID: 240603-l284gaca73
Target: RakBot1.rar
SHA256: bdd9a3dac356f98dac4c3d663cde81550fd6c5ba5b8a65f9db902cf11ce4a9f8
Tags: rat dcrat infostealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: bdd9a3dac356f98dac4c3d663cde81550fd6c5ba5b8a65f9db902cf11ce4a9f8

Threat Level: Known bad

The file RakBot1.rar was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

DcRat

DCRat payload

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 10:02

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 10:02
Reported: 2024-06-03 10:05
Platform: win7-20240215-en
Max time kernel: 122s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RakBot.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target | Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | | 33

DCRat payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 5

Loads dropped DLL

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RakBot.exe | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A | 2

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Sidebar\ja-JP\Idle.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\cc11b995f2a76d | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files\Windows Media Player\Visualizations\services.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files\Windows Media Player\Visualizations\c5b4cb5e9653cc | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\fr-FR\cc11b995f2a76d | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\69ddcba757bf72 | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files\Windows NT\Accessories\es-ES\cc11b995f2a76d | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files (x86)\Common Files\DESIGNER\ebf1f9fa8afd6d | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files\Windows NT\Accessories\es-ES\winlogon.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files (x86)\Common Files\DESIGNER\cmd.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files\Windows Sidebar\ja-JP\6ccacd8608530f | C:\fontintosessionsvc\bridgeWebdll.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\dwm.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File opened for modification | C:\Windows\Tasks\dwm.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Windows\Tasks\6cb0b6c459d5d3 | C:\fontintosessionsvc\bridgeWebdll.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 33

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\fontintosessionsvc\bridgeWebdll.exe | N/A | 5
N/A | N/A | C:\Users\All Users\Start Menu\sppsvc.exe | N/A | 49

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Start Menu\sppsvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1844 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\RakBot.exe | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | 4
PID 1844 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\RakBot.exe | C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe | 7
PID 1632 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 2504 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2688 wrote to memory of 2312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\fontintosessionsvc\bridgeWebdll.exe | 4
PID 2312 wrote to memory of 2676 | N/A | C:\fontintosessionsvc\bridgeWebdll.exe | C:\Users\All Users\Start Menu\sppsvc.exe | 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\RakBot.exe

"C:\Users\Admin\AppData\Local\Temp\RakBot.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe

"C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\fontintosessionsvc\AtbmE4.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\fontintosessionsvc\aWM6CbC4aFWBvDgJSFPV9Iz.bat" "

C:\fontintosessionsvc\bridgeWebdll.exe

"C:\fontintosessionsvc\bridgeWebdll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Tasks\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeWebdllb" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\bridgeWebdll.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeWebdll" /sc ONLOGON /tr "'C:\MSOCache\All Users\bridgeWebdll.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeWebdllb" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\bridgeWebdll.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\ja-JP\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\ja-JP\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f

C:\Users\All Users\Start Menu\sppsvc.exe

"C:\Users\All Users\Start Menu\sppsvc.exe"

Network

Country | Destination | Domain | Proto
DE | 5.254.105.122:7777 | | udp
US | 8.8.8.8:53 | 400886cm.nyashnyash.top | udp
US | 104.21.3.45:80 | 400886cm.nyashnyash.top | tcp

Files

\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

MD5 8548cc870e74723070353d67d1df6cba
SHA1 1e51a150d92378cecb1c60ffb4715da8838d9fa4
SHA256 37a20cc147c98eb43b4532c1cb76e7b3358fc4b815d930aaa8507dc6ac3095b6
SHA512 c236b7600429cebf88fecbb1815c7eac3b92891828d7c3646da10e93223490a31b6c7c50df70203ca5977d2cdb17d3135549b43ea866e05c25df62f1126c41c0

\Users\Admin\AppData\Local\Temp\RakLaunch.exe

MD5 73809a6768903e090178f10eb46ff2c1
SHA1 8449c27be4b36b4066996b50b9b3d6078a4f736c
SHA256 0ed4df7c5b8324315b6625586bb0e2cd09cdb7db2d2278910cd377fe7f371ee5
SHA512 dcdd5c6cf5e18bafcf1d8b478726777f6735d53ceb1356e90ad7016ed2462161a4cf1595db2d754dcfc20395564b8aa35029b4691067eccbc7c599d52aa4968e

memory/1844-12-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\fontintosessionsvc\AtbmE4.vbe

MD5 bfc4c3394520c5407a7a70e99743ca72
SHA1 e6e32f2b7807d33f03d6e35a4fc77f4dfbe85d17
SHA256 c37245170203c5ab6487bf1ec57aed0eba66da843a1ed5b87e3752b903381e6d
SHA512 2ca69c9e6056a44cb097c95c32c7a93bf2c007766bbf81bd46f9da861d831eddee2d977103bd61c7efabfb967b6f4eb833e5166a85f33acd07ee38afe322cca1

C:\fontintosessionsvc\aWM6CbC4aFWBvDgJSFPV9Iz.bat

MD5 72fa4f55254901b819a5996d5eff7bcb
SHA1 950f1b3bf5a55a2d88fce41b03a3b5ab079d716d
SHA256 962a03b716b55d4758553f335d4028caaa453667d6181f899db95ab1fc9f71e0
SHA512 c4c090eb5f9584b88ce8a9052a8fe11c1bf9bce33bc7574347d0a161e551a374d7d41146a2b5e64242786e510fd73b3f6a194596d3ad6105b06c31965be32ce6

C:\fontintosessionsvc\bridgeWebdll.exe

MD5 d241d05d6cc53887772cc12e93759c50
SHA1 e13109e21acd264714539f7f3c9b7f0ff44d0211
SHA256 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
SHA512 eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

memory/2312-28-0x00000000000C0000-0x00000000001F2000-memory.dmp

memory/2312-29-0x0000000000480000-0x000000000049C000-memory.dmp

memory/2312-30-0x00000000004A0000-0x00000000004B6000-memory.dmp

memory/2312-31-0x00000000004D0000-0x00000000004DC000-memory.dmp

memory/2676-60-0x00000000010C0000-0x00000000011F2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 10:02
Reported: 2024-06-03 10:05
Platform: win10v2004-20240226-en
Max time kernel: 141s
Max time network: 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RakBot.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target | Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | | 39

DCRat payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 4

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RakBot.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\fontintosessionsvc\bridgeWebdll.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Common Files\Services\0a1fd5f707cd16 | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files\Microsoft Office 15\ClientX64\886983d96e3d3e | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Program Files (x86)\Common Files\Services\sppsvc.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\es-ES\csrss.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Windows\es-ES\886983d96e3d3e | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Windows\ServiceProfiles\SppExtComObj.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Windows\ServiceProfiles\e1ef82546f0b02 | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Windows\Fonts\msedge.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Windows\Fonts\61a52ddc9dd915 | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Windows\Speech_OneCore\Engines\SR\en-US-N\msedge.exe | C:\fontintosessionsvc\bridgeWebdll.exe | N/A
File created | C:\Windows\Speech_OneCore\Engines\SR\en-US-N\61a52ddc9dd915 | C:\fontintosessionsvc\bridgeWebdll.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 39

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A (26 identical rows)
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe N/A (18 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\RakBot.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe (3 identical rows)
PID 4076 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\RakBot.exe C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe (3 identical rows)
PID 1616 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe (3 identical rows)
PID 4892 wrote to memory of 2204 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 2204 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\fontintosessionsvc\bridgeWebdll.exe (2 identical rows)
PID 2376 wrote to memory of 1620 N/A C:\fontintosessionsvc\bridgeWebdll.exe C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe (2 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\RakBot.exe

"C:\Users\Admin\AppData\Local\Temp\RakBot.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe

"C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\fontintosessionsvc\AtbmE4.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\fontintosessionsvc\aWM6CbC4aFWBvDgJSFPV9Iz.bat" "

C:\fontintosessionsvc\bridgeWebdll.exe

"C:\fontintosessionsvc\bridgeWebdll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\fontintosessionsvc\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\fontintosessionsvc\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\fontintosessionsvc\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\odt\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Users\Public\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Public\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Users\Public\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\odt\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Fonts\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\msedge.exe'" /rl HIGHEST /f

C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe

"C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 5.254.105.122:7777 udp
US 8.8.8.8:53 122.105.254.5.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 400886cm.nyashnyash.top udp
US 172.67.130.59:80 400886cm.nyashnyash.top tcp
US 8.8.8.8:53 59.130.67.172.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

MD5 8548cc870e74723070353d67d1df6cba
SHA1 1e51a150d92378cecb1c60ffb4715da8838d9fa4
SHA256 37a20cc147c98eb43b4532c1cb76e7b3358fc4b815d930aaa8507dc6ac3095b6
SHA512 c236b7600429cebf88fecbb1815c7eac3b92891828d7c3646da10e93223490a31b6c7c50df70203ca5977d2cdb17d3135549b43ea866e05c25df62f1126c41c0

C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe

MD5 73809a6768903e090178f10eb46ff2c1
SHA1 8449c27be4b36b4066996b50b9b3d6078a4f736c
SHA256 0ed4df7c5b8324315b6625586bb0e2cd09cdb7db2d2278910cd377fe7f371ee5
SHA512 dcdd5c6cf5e18bafcf1d8b478726777f6735d53ceb1356e90ad7016ed2462161a4cf1595db2d754dcfc20395564b8aa35029b4691067eccbc7c599d52aa4968e

memory/4076-15-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\fontintosessionsvc\AtbmE4.vbe

MD5 bfc4c3394520c5407a7a70e99743ca72
SHA1 e6e32f2b7807d33f03d6e35a4fc77f4dfbe85d17
SHA256 c37245170203c5ab6487bf1ec57aed0eba66da843a1ed5b87e3752b903381e6d
SHA512 2ca69c9e6056a44cb097c95c32c7a93bf2c007766bbf81bd46f9da861d831eddee2d977103bd61c7efabfb967b6f4eb833e5166a85f33acd07ee38afe322cca1

C:\fontintosessionsvc\aWM6CbC4aFWBvDgJSFPV9Iz.bat

MD5 72fa4f55254901b819a5996d5eff7bcb
SHA1 950f1b3bf5a55a2d88fce41b03a3b5ab079d716d
SHA256 962a03b716b55d4758553f335d4028caaa453667d6181f899db95ab1fc9f71e0
SHA512 c4c090eb5f9584b88ce8a9052a8fe11c1bf9bce33bc7574347d0a161e551a374d7d41146a2b5e64242786e510fd73b3f6a194596d3ad6105b06c31965be32ce6

C:\fontintosessionsvc\bridgeWebdll.exe

MD5 d241d05d6cc53887772cc12e93759c50
SHA1 e13109e21acd264714539f7f3c9b7f0ff44d0211
SHA256 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
SHA512 eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

memory/2376-29-0x0000000000CC0000-0x0000000000DF2000-memory.dmp

memory/2376-30-0x000000001B910000-0x000000001B92C000-memory.dmp

memory/2376-31-0x000000001C100000-0x000000001C150000-memory.dmp

memory/2376-32-0x000000001B930000-0x000000001B946000-memory.dmp

memory/2376-33-0x0000000002FE0000-0x0000000002FEC000-memory.dmp