Malware Analysis Report

2024-10-10 13:08

Sample ID 240617-bd766a1dkq
Target 1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe
SHA256 1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64

Threat Level: Known bad

The file 1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

Process spawned unexpected child process

DCRat payload

DcRat

DCRat payload

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 01:02

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 01:02

Reported

2024-06-17 01:05

Platform

win7-20240508-en

Max time kernel

147s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows; the sandbox recorded no indicator details for this signature)

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A (5 identical rows)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe C:\Windows\System32\cmd.exe
PID 1700 wrote to memory of 1052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1700 wrote to memory of 2192 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe
PID 2192 wrote to memory of 2960 N/A C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2872 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2960 wrote to memory of 2692 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe
PID 2692 wrote to memory of 1376 N/A C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\cmd.exe
PID 1376 wrote to memory of 1388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1376 wrote to memory of 1944 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe
PID 1944 wrote to memory of 1508 N/A C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\cmd.exe
PID 1508 wrote to memory of 2388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1508 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe
PID 2268 wrote to memory of 1352 N/A C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\cmd.exe
PID 1352 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1352 wrote to memory of 2428 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe
PID 2428 wrote to memory of 2748 N/A C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\cmd.exe
PID 2748 wrote to memory of 1492 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2748 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe
(Each of the 18 rows above appears three times in the raw sandbox log; the repeats are collapsed here.)
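The sandbox records each parent-to-child CreateProcess as a "wrote to memory" row (three rows per spawn in the raw log). Read as a graph, the rows describe the loop this sample runs on Windows 7: cmd.exe executes a dropped .bat, the .bat runs w32tm /stripchart against localhost (a batch-file delay trick, not a real time-sync operation) and then starts the services.exe copy from C:\MSOCache, which drops the next .bat and repeats. The Python below is an added example, not part of the sandbox output: it parses rows in the format shown in this report, drops the duplicate writes, rebuilds the process tree and counts the relaunch rounds. The embedded rows are copied from the table above; the only assumption is that row format.

```python
import re

# Constructed sample: the "Suspicious use of WriteProcessMemory" rows from the
# behavioral1 table above. The raw log has three rows per spawn; the first
# spawn is kept in triplicate here to exercise the dedup, the other seventeen
# spawns appear once each.
SAMPLE_LOG = r"""
PID 1212 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe C:\Windows\System32\cmd.exe
PID 1212 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe C:\Windows\System32\cmd.exe
PID 1212 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe C:\Windows\System32\cmd.exe
PID 1700 wrote to memory of 1052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1700 wrote to memory of 2192 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe
PID 2192 wrote to memory of 2960 N/A C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2872 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2960 wrote to memory of 2692 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe
PID 2692 wrote to memory of 1376 N/A C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\cmd.exe
PID 1376 wrote to memory of 1388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1376 wrote to memory of 1944 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe
PID 1944 wrote to memory of 1508 N/A C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\cmd.exe
PID 1508 wrote to memory of 2388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1508 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe
PID 2268 wrote to memory of 1352 N/A C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\cmd.exe
PID 1352 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1352 wrote to memory of 2428 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe
PID 2428 wrote to memory of 2748 N/A C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe C:\Windows\System32\cmd.exe
PID 2748 wrote to memory of 1492 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2748 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe
"""

# Both image paths end in .exe; the lazy first group stops at the first ".exe "
# so paths containing spaces (C:\MSOCache\All Users\...) still split correctly.
EDGE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.IGNORECASE)


def parse_edges(log):
    """Parse rows into unique (ppid, pid, parent_image, child_image) tuples in
    first-seen order. Also returns how many rows repeated an edge already seen."""
    edges, duplicates = [], 0
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EDGE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge in edges:
            duplicates += 1
        else:
            edges.append(edge)
    return edges, duplicates


def build_tree(edges):
    """Return (children, image): children[pid] -> [child pids], image[pid] -> path."""
    children, image = {}, {}
    for ppid, pid, parent_image, child_image in edges:
        image.setdefault(ppid, parent_image)
        image[pid] = child_image
        children.setdefault(ppid, []).append(pid)
    return children, image


def find_roots(edges):
    """PIDs that only ever appear as a parent: the process that started the chain."""
    parents = {ppid for ppid, _, _, _ in edges}
    kids = {pid for _, pid, _, _ in edges}
    return sorted(parents - kids)


def render_tree(children, image, pid, depth=0):
    """Indented text tree, one line per process, children in spawn order."""
    lines = [f"{'    ' * depth}{pid}  {image[pid]}"]
    for child in children.get(pid, []):
        lines.extend(render_tree(children, image, child, depth + 1))
    return lines


def max_depth(children, pid):
    kids = children.get(pid, [])
    return 0 if not kids else 1 + max(max_depth(children, k) for k in kids)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def relaunch_generations(edges):
    """One round of the loop is cmd.exe (running a dropped .bat) starting the
    services.exe copy, so counting those edges counts the rounds."""
    return sum(1 for _, _, parent, child in edges
               if basename(parent) == "cmd.exe" and basename(child) == "services.exe")


if __name__ == "__main__":
    edges, dups = parse_edges(SAMPLE_LOG)
    children, image = build_tree(edges)
    root = find_roots(edges)[0]
    print("\n".join(render_tree(children, image, root)))
    print(f"{len(edges)} unique spawns, {dups} duplicate rows, "
          f"chain depth {max_depth(children, root)}, "
          f"{relaunch_generations(edges)} relaunch rounds")
```

The rendered tree makes the nesting visible: every services.exe instance is a child of the previous round's cmd.exe, so the chain is twelve levels deep after six rounds, and each services.exe PID lines up with one of the memory dumps listed under Files (2192, 2692, 1944).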

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe

"C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\System.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qdkxfnloT6.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp (5 identical rows)

Files

memory/1212-21-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qdkxfnloT6.bat

MD5 c4e3e7d6a64a969d348cde948b932b55
SHA1 321cd49288e49e76ba9ec09acc282333ea731859
SHA256 6b8721473ad620ce7a1b8d4a1f537e70ad202f9b9f64f0c691fbd8c0bfd64b5b
SHA512 2e500ac6dabe7834aee1aa3e656f447c057468b08c3840ad0cc3f87f2de98940b935ca16d6403cec447566e22299ec0237b5d96f764b4095c8b92ef5442d5647

C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe

MD5 3146f2002112e5ba7562a28ff1883f9a
SHA1 9bd64b0954d746395e8080e563dbb39b254fac7d
SHA256 1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64
SHA512 08e1e8c002269a4d611d21de3d037879abcbbf59f8f3744f27ee62b296adf61664f4f7afe0dc36bcdd4b5070fe6b7bf146ff94b0c682fee09e61bfa0935c3cfa

memory/1212-3-0x0000000000470000-0x000000000048C000-memory.dmp

memory/1212-2-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

memory/1212-1-0x0000000001310000-0x0000000001412000-memory.dmp

memory/1212-0-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp

memory/2192-24-0x0000000000B10000-0x0000000000C12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat

MD5 271ac2cd70828e941e345bab3ec94311
SHA1 1f90ccc2bd71f37bcc2fc03935dd4fbf65ea3915
SHA256 ed5b64e420b10cab1670ace98a1b60f7f61d7cf3f9ebdb9b45a372d434dfd979
SHA512 dbcc4faf8f1ef5102f746955f4afe27d634b4303d546d7a6c235eab7e32eb133e033f92e4230f9e7bb4697c192621f7838f50946fde186d103d96d1f718d37ab

memory/2692-31-0x0000000000320000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat

MD5 53f580d27e18af02ec7a5c00a1ff9c69
SHA1 fc2c2134b08b808fabc3dca446eb463997651c4f
SHA256 eb75fe16450372947b1251a867987cbf90af6a75ee27daba3b12878534d2f2cf
SHA512 956796ff13920136657caf486754e03a7d7c9f5d4b48de6773c684972ad3795d0a81b11c0b542624c460be1d1eabaeb0e15d7027b0eca738c6244ff599316371

memory/1944-38-0x0000000001290000-0x0000000001392000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

MD5 1f0282e56c65d0273291cea954b2c0bf
SHA1 51c65e54e8de50f07306530a1d51eb64ac73112b
SHA256 85bda9a6488f88dde0fd62cd2e44be9945caf095d69979add3fac42183387946
SHA512 37742d46b1e444fa905b9deaad46f3157add3f881b1d162d7981cb6efa7e17ef494cfea12df9f5ff760025d10e247ecb948238ec4384b0989c23224aac6adaa1

C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat

MD5 f16539c169f7828cff04572e013e47b1
SHA1 83ac21b16190984b549c0858f5edcc0aa42a142f
SHA256 b6c7afc23917c65dd78ce2f39262acf27cb058999b97e06f17d2483701dbe1b8
SHA512 de6d83c3adb6aba7dbacaa344fd4a20369ce137a3997886056c8056e0a149be0dd33deac96206c5c4dec38363ebba7c5719b6c66aa4e6d11a251361ab91eeabd

C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat

MD5 08b1d9f44a0fe6b2ed9531324a2f1326
SHA1 05e244946149c2e86c1ea27594929c3edef25124
SHA256 028d14953f7b4c5f092418c8e8e188b59aa591332b544ed8faa2b762a9a2f7f6
SHA512 10709856649bb53c78eb25e3c75895bc019115c5402d3d0142038127c3ab0799e354e1797e6c0d3719abdda299fc753a1919a454637a8b4199695175b0788efa

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 01:02

Reported

2024-06-17 01:05

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (39 identical rows; WmiPrvSE.exe is the parent of schtasks.exe when a process launches commands through WMI's Win32_Process.Create rather than calling CreateProcess itself, which is why the sample does not appear as the parent of the task-creation commands)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows; no indicator details recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Windows\INF\Idle.exe N/A (7 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\INF\Idle.exe N/A (7 identical rows)

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A (6 identical rows)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\wininit.exe C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Program Files (x86)\Internet Explorer\fr-FR\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Program Files\Windows Security\System.exe C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Program Files (x86)\Internet Explorer\fr-FR\Registry.exe C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Program Files\dotnet\host\fxr\8.0.2\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\56085415360792 C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\56085415360792 C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Program Files\dotnet\host\fxr\8.0.2\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Program Files\Windows Security\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemResources\Windows-NFC-SEManagement\pris\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Windows\INF\Idle.exe C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Windows\INF\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Windows\ShellExperiences\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
File created C:\Windows\ShellExperiences\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (39 identical rows)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\INF\Idle.exe N/A (7 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A (18 identical rows)
N/A N/A C:\Windows\INF\Idle.exe N/A (7 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\INF\Idle.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3696 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe C:\Windows\System32\cmd.exe
PID 4688 wrote to memory of 2036 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4688 wrote to memory of 2460 N/A C:\Windows\System32\cmd.exe C:\Windows\INF\Idle.exe
PID 2460 wrote to memory of 4984 N/A C:\Windows\INF\Idle.exe C:\Windows\System32\cmd.exe
PID 4984 wrote to memory of 4876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4984 wrote to memory of 2664 N/A C:\Windows\System32\cmd.exe C:\Windows\INF\Idle.exe
PID 2664 wrote to memory of 540 N/A C:\Windows\INF\Idle.exe C:\Windows\System32\cmd.exe
PID 540 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 540 wrote to memory of 2244 N/A C:\Windows\System32\cmd.exe C:\Windows\INF\Idle.exe
PID 2244 wrote to memory of 368 N/A C:\Windows\INF\Idle.exe C:\Windows\System32\cmd.exe
PID 368 wrote to memory of 1316 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 368 wrote to memory of 4936 N/A C:\Windows\System32\cmd.exe C:\Windows\INF\Idle.exe
PID 4936 wrote to memory of 2124 N/A C:\Windows\INF\Idle.exe C:\Windows\System32\cmd.exe
PID 2124 wrote to memory of 2116 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2124 wrote to memory of 3776 N/A C:\Windows\System32\cmd.exe C:\Windows\INF\Idle.exe
PID 3776 wrote to memory of 3540 N/A C:\Windows\INF\Idle.exe C:\Windows\System32\cmd.exe
PID 3540 wrote to memory of 4084 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3540 wrote to memory of 348 N/A C:\Windows\System32\cmd.exe C:\Windows\INF\Idle.exe
PID 348 wrote to memory of 4984 N/A C:\Windows\INF\Idle.exe C:\Windows\System32\cmd.exe
PID 4984 wrote to memory of 2864 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4984 wrote to memory of 1288 N/A C:\Windows\System32\cmd.exe C:\Windows\INF\Idle.exe
PID 1288 wrote to memory of 4588 N/A C:\Windows\INF\Idle.exe C:\Windows\System32\cmd.exe
PID 4588 wrote to memory of 1112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe

"C:\Users\Admin\AppData\Local\Temp\1eb7992ca97e8bb0b65faeaf69b30d9ac84406b1f35d6a900f8de748ab6a6a64.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Favorites\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\INF\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\INF\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\INF\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellExperiences\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Security\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SPWvGcMwiP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\INF\Idle.exe

"C:\Windows\INF\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\INF\Idle.exe

"C:\Windows\INF\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\INF\Idle.exe

"C:\Windows\INF\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\INF\Idle.exe

"C:\Windows\INF\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\INF\Idle.exe

"C:\Windows\INF\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\INF\Idle.exe

"C:\Windows\INF\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\INF\Idle.exe

"C:\Windows\INF\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp

Files

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe (SHA256 identical to the submitted sample)

C:\Users\Admin\AppData\Local\Temp\SPWvGcMwiP.bat

C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat

C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat

C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat

C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat