Malware Analysis Report

2024-10-10 13:00

Sample ID 240617-pp2ems1arg
Target 50041c9d3b476dda21ed199fdf346aaf.exe
SHA256 8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f
Tags dcrat evasion infostealer rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f

Threat Level: Known bad

The file 50041c9d3b476dda21ed199fdf346aaf.exe was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer rat trojan

Process spawned unexpected child process

Dcrat family

UAC bypass

DCRat payload

DcRat

DCRat payload

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Uses Task Scheduler COM API

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 12:31

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 12:31

Reported

2024-06-17 12:33

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (48 identical events, one per schtasks.exe /create command listed under Processes)

WmiPrvSE.exe appearing as the parent of schtasks.exe is what process telemetry records when a process is launched through WMI (Win32_Process.Create) instead of directly by the caller, so these rows are consistent with the dropper issuing its 48 task-creation commands via WMI rather than spawning schtasks.exe itself. The command lines are in the Processes section below.

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A (twice, once per explorer.exe instance)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A (twice)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A (twice)

Each of the three processes (the dropper and both dropped explorer.exe instances) writes the same three values. EnableLUA = 0 switches UAC off entirely from the next restart; ConsentPromptBehaviorAdmin = 0 makes administrators elevate without any prompt in the meantime; PromptOnSecureDesktop = 0 takes any prompt that does still appear off the secure desktop. These keys sit under HKLM and are writable only by administrators, so the sample was already running with administrative rights when it made the changes.

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Photo Viewer\uk-UA\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files\Common Files\System\it-IT\50041c9d3b476dda21ed199fdf346aaf.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files\Common Files\System\it-IT\f7dafa8b7e62e6 C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\56085415360792 C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\twain_32\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Windows\ja-JP\dllhost.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Windows\ja-JP\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Windows\twain_32\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (48 events; the full /create command lines are listed under Processes)

The 48 creations cover 16 dropped copies of the payload, three tasks per copy: two repeating tasks at a 5 to 14 minute interval (one plain, one with /rl HIGHEST) whose name is the target file name plus one trailing character (smsss, csrssc, dllhostd, RegistryR, lsassl, ...), and one ONLOGON task with /rl HIGHEST carrying the bare file name. Every action path is a copy named after a Windows process (smss.exe, csrss.exe, wininit.exe, lsass.exe, dllhost.exe, RuntimeBroker.exe, explorer.exe, spoolsv.exe, sihost.exe, backgroundTaskHost.exe, plus System.exe, Registry.exe and sysmon.exe) stored outside System32: in locale subfolders under Program Files, in C:\Windows\ja-JP and C:\Windows\twain_32, in C:\Recovery\WindowsRE, and in C:\Users\Default User, C:\Users\All Users, C:\Users\Public and C:\Users\Admin\Pictures.

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A (25 events)
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A (39 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe C:\Windows\System32\cmd.exe
PID 2652 wrote to memory of 1376 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2652 wrote to memory of 2260 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe
PID 2260 wrote to memory of 3452 N/A C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe C:\Windows\System32\WScript.exe
PID 2260 wrote to memory of 1996 N/A C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe C:\Windows\System32\WScript.exe
PID 3452 wrote to memory of 3108 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe
(each pair was reported twice)

Read as parent/child pairs, these rows give the launch chain: the dropper (PID 2396) runs cmd.exe on QZF3yaD2g2.bat (2652); the batch file calls w32tm.exe (1376) and then the dropped explorer.exe (2260); that copy starts two WScript.exe instances (3452, 1996) on the .vbs files in %TEMP%, and the first of them launches explorer.exe a second time (3108).
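The rows above are the only process-lineage data in this report, so rebuilding the tree from them is a useful triage step. The following is an added example (not part of the sandbox report or of any vendor tooling) that parses the "PID X wrote to memory of Y" rows, drops the duplicate reports and prints the chain as an indented tree. The rows embedded below are copied from this table; the one repeated row stands in for the duplicates the report lists.

```python
"""Rebuild the launch chain from 'PID X wrote to memory of Y' sandbox rows.

Added example, not part of the original report. Each row names a parent
process, the child it wrote into, and both image paths; linking child PIDs
back to parents yields the process tree without a separate creation log.
"""
import re
from collections import defaultdict

# Parent image is taken lazily up to the first ' X:\' that starts the child image,
# which is how both paths can contain spaces without ambiguity.
ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<parent_image>\S.*?) (?P<child_image>[A-Za-z]:\\.*)$"
)

# Rows copied from this report (the first one appears twice, as in the report).
SAMPLE_ROWS = [
    r"PID 2396 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe C:\Windows\System32\cmd.exe",
    r"PID 2396 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe C:\Windows\System32\cmd.exe",
    r"PID 2652 wrote to memory of 1376 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 2652 wrote to memory of 2260 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe",
    r"PID 2260 wrote to memory of 3452 N/A C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe C:\Windows\System32\WScript.exe",
    r"PID 2260 wrote to memory of 1996 N/A C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe C:\Windows\System32\WScript.exe",
    r"PID 3452 wrote to memory of 3108 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe",
]


def parse_edges(rows):
    """Return ordered, de-duplicated (parent_pid, child_pid, parent_image, child_image) tuples."""
    edges = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            continue
        edge = (int(m["parent"]), int(m["child"]), m["parent_image"], m["child_image"])
        if edge not in edges:
            edges.append(edge)
    return edges


def build_tree(edges):
    """Return (root pids, pid -> image, pid -> [child pids]) from the edge list."""
    images, children = {}, defaultdict(list)
    for ppid, cpid, pimg, cimg in edges:
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        children[ppid].append(cpid)
    all_children = {c for kids in children.values() for c in kids}
    roots = [pid for pid in images if pid not in all_children]
    return roots, images, children


def render(rows):
    """Indented text tree: one 'pid image' line per process, children below their parent."""
    roots, images, children = build_tree(parse_edges(rows))
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_ROWS)))
```

The tree has a single root (the dropper, PID 2396) and puts the second explorer.exe (3108) under WScript.exe (3452), which is the relaunch through the .vbs file rather than a direct child of the dropper.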

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A (twice, once per explorer.exe instance)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A (twice)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A (twice)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A

These are the same nine registry writes reported under UAC bypass above, matched here by the generic policy-modification signature.
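The UAC bypass and System policy modification tables above record the same registry writes in two places, and a reader has to know the default of each value to judge what was lost. The following is an added example (not part of the report or of any vendor tooling) that parses rows in the report's "Set value (int) ... = "<value>" <process> <target>" format and reports which writes weaken UAC relative to the Windows 10 defaults for an administrator account (EnableLUA = 1, ConsentPromptBehaviorAdmin = 5, PromptOnSecureDesktop = 1; these defaults are an assumption, a GPO-managed host may differ). The rows embedded in it are copied from this report, except one constructed control row that restores EnableLUA and must not be flagged.

```python
"""Assess UAC-policy registry writes recorded in a sandbox report.

Added example; not part of the sandbox report or of any vendor tool. It
parses 'Set value (int) <key>\<name> = "<value>" <process> <target>' rows
and says what each write does to UAC. Baseline values are the Windows 10
defaults for an administrator account (assumption; GPO may change them).
"""
import re
from dataclasses import dataclass

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# policy name -> (default value, what the weakened value written by this sample means)
UAC_POLICIES = {
    "EnableLUA": (1, "UAC disabled entirely (takes effect at the next restart)"),
    "ConsentPromptBehaviorAdmin": (5, "administrators elevate with no prompt at all"),
    "PromptOnSecureDesktop": (1, "any remaining prompt is drawn on the normal desktop, where other windows can overlay it"),
}

# Key is everything up to the last backslash before the value name; the process
# path may contain spaces, so it is taken lazily up to the final target column.
ROW_RE = re.compile(
    r'^Set value \(int\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>\w+) = "(?P<value>-?\d+)" '
    r'(?P<process>.+?) (?P<target>\S+)$'
)

# Rows copied from this report, plus one constructed control row (EnableLUA = "1").
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\System32\svchost.exe N/A',  # constructed control
]


@dataclass(frozen=True)
class PolicyWrite:
    name: str
    value: int
    process: str


def parse_policy_writes(rows):
    """Extract UAC policy writes from report rows, dropping exact duplicates but keeping order."""
    writes = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None or m["key"] != UAC_KEY or m["name"] not in UAC_POLICIES:
            continue  # other keys, reads ('Key value queried') and non-UAC policies are ignored
        w = PolicyWrite(m["name"], int(m["value"]), m["process"])
        if w not in writes:
            writes.append(w)
    return writes


def assess_uac(writes):
    """Return {policy: (written value, effect, sorted writer processes)} for writes that weaken UAC."""
    findings = {}
    for w in writes:
        default, effect = UAC_POLICIES[w.name]
        if w.value == default:
            continue  # writing the default back is not a weakening
        value, _, procs = findings.get(w.name, (w.value, effect, []))
        if w.process not in procs:
            procs.append(w.process)
        findings[w.name] = (value, effect, sorted(procs))
    return findings


if __name__ == "__main__":
    for name, (value, effect, procs) in assess_uac(parse_policy_writes(SAMPLE_ROWS)).items():
        print(f"{name} = {value}: {effect}")
        for p in procs:
            print(f"    written by {p}")
```

The same three names and defaults are what to query with `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` on a suspect host; any of them at 0 after this sample has run means UAC must be re-enabled and the machine restarted before the elevation boundary is back.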

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe

"C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "50041c9d3b476dda21ed199fdf346aaf5" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\it-IT\50041c9d3b476dda21ed199fdf346aaf.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "50041c9d3b476dda21ed199fdf346aaf" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\it-IT\50041c9d3b476dda21ed199fdf346aaf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "50041c9d3b476dda21ed199fdf346aaf5" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\it-IT\50041c9d3b476dda21ed199fdf346aaf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Pictures\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\twain_32\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QZF3yaD2g2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe

"C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caa88042-85b4-45b4-8367-c862a7104bf6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\904d62c7-ab21-4e48-88e4-738c07a96400.vbs"

C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe

"C:\Program Files (x86)\Windows Photo Viewer\uk-UA\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cq11142.tw1.ru udp
US 8.8.8.8:53 cq11142.tw1.ru udp

Files

memory/2396-0-0x00007FFA75253000-0x00007FFA75255000-memory.dmp

memory/2396-1-0x0000000000C20000-0x0000000000F34000-memory.dmp

memory/2396-2-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

memory/2396-3-0x0000000003010000-0x0000000003018000-memory.dmp

memory/2396-4-0x000000001BA40000-0x000000001BA5C000-memory.dmp

memory/2396-5-0x000000001C1F0000-0x000000001C240000-memory.dmp

memory/2396-7-0x000000001BA70000-0x000000001BA80000-memory.dmp

memory/2396-6-0x000000001BA60000-0x000000001BA68000-memory.dmp

memory/2396-8-0x000000001BA80000-0x000000001BA96000-memory.dmp

memory/2396-9-0x000000001BAA0000-0x000000001BAA8000-memory.dmp

memory/2396-10-0x000000001BBD0000-0x000000001BBE2000-memory.dmp

memory/2396-12-0x000000001BAB0000-0x000000001BABA000-memory.dmp

memory/2396-11-0x000000001C350000-0x000000001C358000-memory.dmp

memory/2396-13-0x000000001C360000-0x000000001C3B6000-memory.dmp

memory/2396-14-0x000000001C340000-0x000000001C34C000-memory.dmp

memory/2396-15-0x000000001C3B0000-0x000000001C3B8000-memory.dmp

memory/2396-16-0x000000001C4C0000-0x000000001C4CC000-memory.dmp

memory/2396-17-0x000000001C3C0000-0x000000001C3D2000-memory.dmp

memory/2396-18-0x000000001CA00000-0x000000001CF28000-memory.dmp

memory/2396-19-0x000000001C3F0000-0x000000001C3FC000-memory.dmp

memory/2396-20-0x000000001C400000-0x000000001C40C000-memory.dmp

memory/2396-23-0x000000001C430000-0x000000001C43C000-memory.dmp

memory/2396-22-0x000000001C420000-0x000000001C42C000-memory.dmp

memory/2396-21-0x000000001C410000-0x000000001C418000-memory.dmp

memory/2396-24-0x000000001C440000-0x000000001C448000-memory.dmp

memory/2396-29-0x000000001C6E0000-0x000000001C6EC000-memory.dmp

memory/2396-30-0x000000001C6F0000-0x000000001C6F8000-memory.dmp

memory/2396-32-0x000000001C710000-0x000000001C71C000-memory.dmp

memory/2396-33-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

memory/2396-31-0x000000001C700000-0x000000001C70A000-memory.dmp

memory/2396-36-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

memory/2396-28-0x000000001C6D0000-0x000000001C6D8000-memory.dmp

memory/2396-27-0x000000001C470000-0x000000001C47E000-memory.dmp

memory/2396-26-0x000000001C460000-0x000000001C46A000-memory.dmp

memory/2396-25-0x000000001C450000-0x000000001C45C000-memory.dmp

C:\Program Files\Common Files\System\it-IT\50041c9d3b476dda21ed199fdf346aaf.exe

MD5 50041c9d3b476dda21ed199fdf346aaf
SHA1 5a73df246d5b9970f9c445127651b62ed502a375
SHA256 8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f
SHA512 16440fb313281c9da99370cf05a433a28af41ac6a34692b7b31254e61b7af53c6b903fa9a885a33263d931b8246de307b14ffe0a24a6f30f8c16612b9b48c730

C:\Users\Admin\AppData\Local\Temp\QZF3yaD2g2.bat

MD5 25b0cf8f5721d1f18532aba25a095883
SHA1 03a77c14404e204fa0e1c7ef6aa9d23b105d0caa
SHA256 d5128b03582ae4dbfe9be54d5441d99f4b89005c45b51dc041cd4683db597f33
SHA512 1bcb2e4924c342c0bb297f0eacb094400d9336863be91daf8b993a05c54262b7869e848c4e38434ee5a200ac693e29cd1ed9639a4e82e4385aced37e9779fbdd

memory/2396-73-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

memory/2260-77-0x00000000024D0000-0x00000000024E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\caa88042-85b4-45b4-8367-c862a7104bf6.vbs

MD5 2b5277fd5d3fde3dc9272cf75719ca10
SHA1 f64e1af164b2de0287e4646bb15626c1c7e71427
SHA256 992e08eab3ad398c77be95f18c5c737cd5e4d66a578f159c53455fdca18cf3a5
SHA512 d2f49e772af1c27cf203afafd2964828dcd95222eedc559f637c2fd1f974d71609a64e8e32d96f5989dc024d0577cf0eccc26ff1289906ffefd46ce365e07a2b

C:\Users\Admin\AppData\Local\Temp\904d62c7-ab21-4e48-88e4-738c07a96400.vbs

MD5 2df7c31d51dc36adf366bd07c4ac0a4c
SHA1 1c8a1ea754976ebbd390f8be3d9549c322c537c5
SHA256 df28c56dd9e59c9986b9766312530758f0845aee105b67cd4cb6eb6c025cc67c
SHA512 4ac9b411df0e0155a7b36d3bd44dda1ff91eee59b4cdac689187d65932391ce5cce67a57ab6bf5848882da2c385cb5e5b1a91065b3e80ebd8ad3aa65d0e765c7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 12:31

Reported

2024-06-17 12:33

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Sidebar\es-ES\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\winlogon.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files\Uninstall Information\explorer.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files\Uninstall Information\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\dllhost.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Windows\Fonts\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Windows\rescache\rc0005\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Windows\Vss\taskhost.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Windows\Vss\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Windows\twain_32\csrss.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Windows\twain_32\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File opened for modification C:\Windows\Fonts\dllhost.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Windows\Vss\Writers\dllhost.exe C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
File created C:\Windows\Vss\Writers\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe
PID 2512 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe
PID 2512 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe
PID 1916 wrote to memory of 2640 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 1916 wrote to memory of 2640 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 1916 wrote to memory of 2640 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 1916 wrote to memory of 2264 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 1916 wrote to memory of 2264 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 1916 wrote to memory of 2264 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 2640 wrote to memory of 1608 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe
PID 2640 wrote to memory of 1608 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe
PID 2640 wrote to memory of 1608 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe

"C:\Users\Admin\AppData\Local\Temp\50041c9d3b476dda21ed199fdf346aaf.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "50041c9d3b476dda21ed199fdf346aaf5" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\50041c9d3b476dda21ed199fdf346aaf.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "50041c9d3b476dda21ed199fdf346aaf" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\50041c9d3b476dda21ed199fdf346aaf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "50041c9d3b476dda21ed199fdf346aaf5" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\50041c9d3b476dda21ed199fdf346aaf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\NetHood\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Vss\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4de52b9-e079-4e24-ba94-2fd0e61ae638.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df21ece3-4e8c-45e4-910c-c9e24233bfd6.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cq11142.tw1.ru udp
RU 92.53.96.121:80 cq11142.tw1.ru tcp
US 8.8.8.8:53 vh432.timeweb.ru udp
RU 92.53.96.121:443 vh432.timeweb.ru tcp
RU 92.53.96.121:443 vh432.timeweb.ru tcp

Files

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\winlogon.exe

MD5 50041c9d3b476dda21ed199fdf346aaf
SHA1 5a73df246d5b9970f9c445127651b62ed502a375
SHA256 8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f
SHA512 16440fb313281c9da99370cf05a433a28af41ac6a34692b7b31254e61b7af53c6b903fa9a885a33263d931b8246de307b14ffe0a24a6f30f8c16612b9b48c730

C:\Users\Admin\AppData\Local\Temp\e4de52b9-e079-4e24-ba94-2fd0e61ae638.vbs

MD5 18c603e1f75f1cd401606506c772b426
SHA1 ed7b0e736f9a038cf58db4444dfc0de6c0d34a08
SHA256 addca9a0aed40d574bff1640a8b28b275560240880e84c84dd6f490c4ec67b25
SHA512 a726cf8f0811f509698e536687171cf8b1cdfc2d7f10d5a73d62ab8e9916457a59cc54bdccb02b1ff6129779decc63b775ef7da82a299b821337bf5e8598a6b2

C:\Users\Admin\AppData\Local\Temp\df21ece3-4e8c-45e4-910c-c9e24233bfd6.vbs

MD5 1cc22b563e30af71d2698cae4310e30a
SHA1 bd0cdfb816596ff03f9fab8b36a388588204c6c3
SHA256 145e6d9148e405d85f45aef4eed7e9c5508176e32dbe7dd168ea194bdc2e5971
SHA512 e94a46ef458de7c434f4af3511dbbfe9e9e652439b900d1d8a623ebdf7e61bb41c725d357ea3be32589e182e6ff924d4cbdfaf999bb070bc509bf3b94fe5fc0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar3818.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b