Malware Analysis Report

2024-10-10 13:08

Sample ID 240617-fdypyayfrn
Target 3650affab7494d13c69ac4a48447c037.exe
SHA256 3f963672abd239a6a5276572982dcb639e7a53295a7ab81ab3106724085b24b3
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3f963672abd239a6a5276572982dcb639e7a53295a7ab81ab3106724085b24b3

Threat Level: Known bad

The file 3650affab7494d13c69ac4a48447c037.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DcRat

Dcrat family

DCRat payload

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 04:46

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 04:46

Reported

2024-06-17 04:48

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3650affab7494d13c69ac4a48447c037.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\csrss.exe C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\csrss.exe C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File opened for modification C:\Program Files (x86)\Google\CrashReports\csrss.exe C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\886983d96e3d3e C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\csrss.exe C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Program Files\7-Zip\Lang\csrss.exe C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Program Files\7-Zip\Lang\886983d96e3d3e C:\agentServerDllsvc\hyperruntimeSvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Media\Calligraphy\6ccacd8608530f C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Windows\Media\Calligraphy\Idle.exe C:\agentServerDllsvc\hyperruntimeSvc.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\3650affab7494d13c69ac4a48447c037.exe C:\Windows\SysWOW64\WScript.exe
PID 2332 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\3650affab7494d13c69ac4a48447c037.exe C:\Windows\SysWOW64\WScript.exe
PID 2332 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\3650affab7494d13c69ac4a48447c037.exe C:\Windows\SysWOW64\WScript.exe
PID 2332 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\3650affab7494d13c69ac4a48447c037.exe C:\Windows\SysWOW64\WScript.exe
PID 2832 wrote to memory of 2516 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2516 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2516 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2516 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\agentServerDllsvc\hyperruntimeSvc.exe
PID 2516 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\agentServerDllsvc\hyperruntimeSvc.exe
PID 2516 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\agentServerDllsvc\hyperruntimeSvc.exe
PID 2516 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\agentServerDllsvc\hyperruntimeSvc.exe
PID 2552 wrote to memory of 2124 N/A C:\agentServerDllsvc\hyperruntimeSvc.exe C:\Windows\System32\cmd.exe
PID 2552 wrote to memory of 2124 N/A C:\agentServerDllsvc\hyperruntimeSvc.exe C:\Windows\System32\cmd.exe
PID 2552 wrote to memory of 2124 N/A C:\agentServerDllsvc\hyperruntimeSvc.exe C:\Windows\System32\cmd.exe
PID 2124 wrote to memory of 1084 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2124 wrote to memory of 1084 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2124 wrote to memory of 1084 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2124 wrote to memory of 2360 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
PID 2124 wrote to memory of 2360 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
PID 2124 wrote to memory of 2360 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3650affab7494d13c69ac4a48447c037.exe

"C:\Users\Admin\AppData\Local\Temp\3650affab7494d13c69ac4a48447c037.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\agentServerDllsvc\F7SeUGr0gdeFBrMLYaI2oNJcv.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\agentServerDllsvc\C3oRAmvd9WFYJKtBoi.bat" "

C:\agentServerDllsvc\hyperruntimeSvc.exe

"C:\agentServerDllsvc\hyperruntimeSvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Calligraphy\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Media\Calligraphy\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Calligraphy\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\agentServerDllsvc\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\agentServerDllsvc\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\agentServerDllsvc\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Vyh7sapfvv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0994900.xsph.ru udp
RU 141.8.192.103:80 a0994900.xsph.ru tcp

Files

C:\agentServerDllsvc\F7SeUGr0gdeFBrMLYaI2oNJcv.vbe

MD5 08226f69ba183c814fdf0c44f82a0c0b
SHA1 3ef866f38eb7c1a44e5e013bcbc1e97ac1689ece
SHA256 f3cc4844bc2726bf5c3756062e2372ccc9d6ba8460e0e2a7bf638f072df0f006
SHA512 e2d97318ca82b1096f4510a90f762d3b96c940420d1564e5d706b8fd06ef240c8415ff8e825ffa5bbed1dca2982c3954be4d6b29832136d4fb9d4356253d7f3c

C:\agentServerDllsvc\C3oRAmvd9WFYJKtBoi.bat

MD5 d6118c6d2c695994443025e9e64da1ff
SHA1 56687d8c16def573022c93189a295775b2a2d8ad
SHA256 0bdcea1302e407d82a07742132a3c486254275a3d41a0416204eda48b77df197
SHA512 4ffab9b5b3268590b470f3083bd13cb8ab9c48cfa14a4172ab5f9d629cf389f7861540defd826f53929ca8d878d8b535e7cc39d10d71c44d6f1c99b584b32651

C:\agentServerDllsvc\hyperruntimeSvc.exe

MD5 908aed51f3d621e6dddfcfae60a19652
SHA1 07a1efb85c6d60fd45ce4d884424bd4ae2deb353
SHA256 610562d910bd1659f44f1a0b4ddb218c38540996105ad371fa3ae022ffe6df5f
SHA512 069f013d4d7169944e26ff12696012c561cb3c2fabba20a0cb7844db72a70e9ceb4998efd0e78fe0b98507ca948a2da977a67d5ba9ea9ffc9169a9dede10f47d


C:\Users\Admin\AppData\Local\Temp\Vyh7sapfvv.bat

MD5 791e64cb53fccfaaf898e80be7190b7f
SHA1 e65027af68a8fbffb4decaa50aac1fc2535c1f04
SHA256 6170cc81a266f292144bbde40c0687bcdcb26c96a7b5d1f3eae9bfcada78b573
SHA512 35cd179022bb40d5a9d9bfb628ad3430dbd0aebfc3f806305a323ad136a5d71ac332dd98044b4f559861ec635e5b22d58f6c8d341697ce9aa84b01ebbb1b828e

memory/2360-41-0x0000000000EA0000-0x0000000001002000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 04:46

Reported

2024-06-17 04:48

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3650affab7494d13c69ac4a48447c037.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3650affab7494d13c69ac4a48447c037.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\agentServerDllsvc\hyperruntimeSvc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
N/A N/A C:\agentServerDllsvc\explorer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\121e5b5079f7c0 C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\uk-UA\lsass.exe C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\uk-UA\6203df4a6bafc7 C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\22eafd247d37c3 C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Program Files\Mozilla Firefox\fontdrvhost.exe C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Program Files\Mozilla Firefox\5b884080fd4f94 C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\sysmon.exe C:\agentServerDllsvc\hyperruntimeSvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CSC\sppsvc.exe C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Windows\DiagTrack\Scenarios\fontdrvhost.exe C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
File created C:\Windows\DiagTrack\Scenarios\5b884080fd4f94 C:\agentServerDllsvc\hyperruntimeSvc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3650affab7494d13c69ac4a48447c037.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\agentServerDllsvc\hyperruntimeSvc.exe N/A
Token: SeDebugPrivilege N/A C:\agentServerDllsvc\explorer.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3650affab7494d13c69ac4a48447c037.exe

"C:\Users\Admin\AppData\Local\Temp\3650affab7494d13c69ac4a48447c037.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\agentServerDllsvc\F7SeUGr0gdeFBrMLYaI2oNJcv.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\agentServerDllsvc\C3oRAmvd9WFYJKtBoi.bat" "

C:\agentServerDllsvc\hyperruntimeSvc.exe

"C:\agentServerDllsvc\hyperruntimeSvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\agentServerDllsvc\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\agentServerDllsvc\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\agentServerDllsvc\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "hyperruntimeSvch" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\hyperruntimeSvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "hyperruntimeSvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\hyperruntimeSvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "hyperruntimeSvch" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\hyperruntimeSvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Searches\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\DiagTrack\Scenarios\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\Scenarios\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f

C:\agentServerDllsvc\explorer.exe

"C:\agentServerDllsvc\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0994900.xsph.ru udp
US 8.8.8.8:53 a0994900.xsph.ru udp

Files

C:\agentServerDllsvc\F7SeUGr0gdeFBrMLYaI2oNJcv.vbe

MD5 08226f69ba183c814fdf0c44f82a0c0b
SHA1 3ef866f38eb7c1a44e5e013bcbc1e97ac1689ece
SHA256 f3cc4844bc2726bf5c3756062e2372ccc9d6ba8460e0e2a7bf638f072df0f006
SHA512 e2d97318ca82b1096f4510a90f762d3b96c940420d1564e5d706b8fd06ef240c8415ff8e825ffa5bbed1dca2982c3954be4d6b29832136d4fb9d4356253d7f3c

C:\agentServerDllsvc\C3oRAmvd9WFYJKtBoi.bat

MD5 d6118c6d2c695994443025e9e64da1ff
SHA1 56687d8c16def573022c93189a295775b2a2d8ad
SHA256 0bdcea1302e407d82a07742132a3c486254275a3d41a0416204eda48b77df197
SHA512 4ffab9b5b3268590b470f3083bd13cb8ab9c48cfa14a4172ab5f9d629cf389f7861540defd826f53929ca8d878d8b535e7cc39d10d71c44d6f1c99b584b32651

C:\agentServerDllsvc\hyperruntimeSvc.exe

MD5 908aed51f3d621e6dddfcfae60a19652
SHA1 07a1efb85c6d60fd45ce4d884424bd4ae2deb353
SHA256 610562d910bd1659f44f1a0b4ddb218c38540996105ad371fa3ae022ffe6df5f
SHA512 069f013d4d7169944e26ff12696012c561cb3c2fabba20a0cb7844db72a70e9ceb4998efd0e78fe0b98507ca948a2da977a67d5ba9ea9ffc9169a9dede10f47d
