Analysis Overview
SHA256
4da4cda309e6e284c0c6f123014672cf5b964f528ae86faa0a6e94ce32a4e6e2
Threat Level: Known bad
The file EXCheker.rar was found to be: Known bad.
Malicious Activity Summary
DcRat
Dcrat family
DCRat payload
Process spawned unexpected child process
DCRat payload
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-18 08:29
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 08:29
Reported
2024-06-18 08:31
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| File created | C:\Program Files\Common Files\System\smss.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| File created | C:\Program Files\Common Files\System\69ddcba757bf72 | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6ccacd8608530f | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\services.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\EXCheker.exe
"C:\Users\Admin\AppData\Local\Temp\EXCheker.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat" "
C:\bridgesurrogateAgentFont\AgentProvider.exe
"C:\bridgesurrogateAgentFont\AgentProvider.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\bridgesurrogateAgentFont\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\bridgesurrogateAgentFont\System.exe'" /rl HIGHEST /f
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08c2b787-c4ed-4dc8-87af-b0ded26b497c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d292f92b-cb79-4acd-8863-40d6a1c6649e.vbs"
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f90a462f-d309-4d0e-88ac-b8f93bfa8f22.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63579f65-7b5d-4da3-b5c8-a31db780537e.vbs"
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1940fbbf-1cf4-41b8-9fc4-0f7dcf67c075.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64d02817-a2f5-4d91-bc06-6564a0653e78.vbs"
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45b67308-482b-4ed0-aa09-34f890737d7c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea87ab5f-4e07-4768-bc24-a0a3665fa7af.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sddfasdasfdewfdsaffd.000webhostapp.com | udp |
| US | 8.8.8.8:53 | sddfasdasfdewfdsaffd.000webhostapp.com | udp |
| US | 8.8.8.8:53 | sddfasdasfdewfdsaffd.000webhostapp.com | udp |
| US | 8.8.8.8:53 | sddfasdasfdewfdsaffd.000webhostapp.com | udp |
| US | 8.8.8.8:53 | sddfasdasfdewfdsaffd.000webhostapp.com | udp |
| US | 8.8.8.8:53 | sddfasdasfdewfdsaffd.000webhostapp.com | udp |
| US | 8.8.8.8:53 | sddfasdasfdewfdsaffd.000webhostapp.com | udp |
| US | 8.8.8.8:53 | sddfasdasfdewfdsaffd.000webhostapp.com | udp |
Files
C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe
| MD5 | 5f029eae663f2502df3464cd711d4347 |
| SHA1 | 61c86dc92b67e65b7c85c64594ff97140b3168ce |
| SHA256 | ff506ca08e22a56a084dbd8160045729a6d14d82258e40f936638c174a2c3622 |
| SHA512 | f9f56f9803be2a1a2c372deaf05fd0e518fb260f2846d892a83f7e44ac0b59b790be4bb0815627d004b8635fd1d9e77b5571afce1d992b55e7386b597d39779c |
C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat
| MD5 | d723af7383c6c7c9cfe4c51ebbe3b9c7 |
| SHA1 | db0c0c570da18e80fa176d6ac9a6f8f008238da7 |
| SHA256 | a855c002602a844ac257a3e11ddf5227aec96d77fe9b7172729856ebff42273e |
| SHA512 | 63316642c533aed7a581a5268941d461004e92fdff001178e9e498b7a5e0a96fe0ccfd4977a67e76f65dd8253698874a02b9ba8e7609c801d77e5189f4cbd56f |
C:\bridgesurrogateAgentFont\AgentProvider.exe
| MD5 | b1130e50aedfd408e93334fce676f4ee |
| SHA1 | f8e65fa8b009ac6369988b56b1fb456595f369bb |
| SHA256 | 6b9569c5a58b74855b4616b3a42e819692669df758b343b1bcd8042cb56af52b |
| SHA512 | 8cc3891150a13e72193bea907858862ca714b7e867402692a8ac76ccff176c0d50f0f19ac223a1a76dbfe74aeed46af7154532335efb76f851f626611bf848af |
memory/2780-13-0x00000000009B0000-0x0000000000AEC000-memory.dmp
memory/2780-14-0x00000000005E0000-0x00000000005FC000-memory.dmp
memory/2780-15-0x0000000000940000-0x0000000000956000-memory.dmp
memory/2780-16-0x00000000001D0000-0x00000000001DA000-memory.dmp
memory/2780-17-0x00000000002D0000-0x00000000002D8000-memory.dmp
memory/2780-18-0x0000000000600000-0x000000000060C000-memory.dmp
memory/1300-39-0x0000000001390000-0x00000000014CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d292f92b-cb79-4acd-8863-40d6a1c6649e.vbs
| MD5 | 27754e7cf1ebf2b9f932767e831f1219 |
| SHA1 | eb80202034c25fcf883f3b93530957ea397879d0 |
| SHA256 | 8bb20b6ebc0329bbec9aeb888b4e06f93d5feefde9c03d07449f8d3ffe631be0 |
| SHA512 | 405aaaaf553bf021aa2b4bc612df18bbf2f60ae34264ed87d3ce99d3e8e1d5b406ace0a38e04d0cdf3f1f94d5e7f9f8525dc5e08dc06e036ec799041e443abf2 |
C:\Users\Admin\AppData\Local\Temp\08c2b787-c4ed-4dc8-87af-b0ded26b497c.vbs
| MD5 | 6073cbdfba9915819df3c6a16bd0cdd2 |
| SHA1 | 1b77ebe88c9e38c3fcfc47514bec7ceb30cf7648 |
| SHA256 | 4790b8cae4df03dd1c2e2a555a117b59a72a826f1f0ff44ab28a2a462f2e4802 |
| SHA512 | a6951e0d9cf4c0b83b731bc4f931c1901bd1865a2969ae079e4db0c2f5ee7e0722350b2d8b8a10ccd0cb5f7f79934f2c27fc347a989068ed87b56027cb420b6e |
C:\Users\Admin\AppData\Local\Temp\f90a462f-d309-4d0e-88ac-b8f93bfa8f22.vbs
| MD5 | 3ff4243f8b2095d938a5da78273c4ca6 |
| SHA1 | f2a5b3d7e9dfb3b72af7c7bd2faf6baefcf5b198 |
| SHA256 | f8d61b1c834472533900ee1a19c85713cd61abeb7f5fb078c1ab9743bb4fad06 |
| SHA512 | 2e9d57bbfbae4a4f1d6e271026e8a530f1408031f9054ce4b599ee8020d6987d163e14cea3ae19819de9b4aa6a59a35aa2103136907d65238f0df2a6a3d9feed |
C:\Users\Admin\AppData\Local\Temp\1940fbbf-1cf4-41b8-9fc4-0f7dcf67c075.vbs
| MD5 | e8bc5d239a7660363064c343e7631b1c |
| SHA1 | b2ff72c4bde4c8f13179f8c93c2c1d4e00030ba1 |
| SHA256 | bcde5180602bfab7bba48b489886b42319d0db1419c5e218ed522a40e69d270b |
| SHA512 | 8f61348dc5c5ffce1e23a5636b8c19c5283178228cd809eafc6a1303f864d86e25eded35afe7a171d34436dec25a0630cb16bb2924124647b09045983207ea74 |
C:\Users\Admin\AppData\Local\Temp\45b67308-482b-4ed0-aa09-34f890737d7c.vbs
| MD5 | fc57e13efd76db23d9745f15b4e545cd |
| SHA1 | fe211b890f2a44f4a035a4b99aca68689869d91e |
| SHA256 | 27009b85d8d848370632c2f79989a773b0db71adec496190f71ce1b49de6d962 |
| SHA512 | a1359e94725cbcc708d7c23c893ca392bce38e40f7fcdeb31434a81093bc799e5b83d9955607d9aaa4c654f83e4fd25c2b43c3a1dea624de59957b6bfbc49f09 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 08:29
Reported
2024-06-18 08:31
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EXCheker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Mail\unsecapp.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\29c1c3cc0f7685 | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\System.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0 | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\EXCheker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Mail\unsecapp.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\EXCheker.exe
"C:\Users\Admin\AppData\Local\Temp\EXCheker.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat" "
C:\bridgesurrogateAgentFont\AgentProvider.exe
"C:\bridgesurrogateAgentFont\AgentProvider.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Links\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Links\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Desktop\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Desktop\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J4q7S46Fv0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Mail\unsecapp.exe
"C:\Program Files (x86)\Windows Mail\unsecapp.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9be024d-dac1-4207-9edb-a09c74a97f14.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5b58938-0d70-4e22-9e70-1d0ffd455207.vbs"
C:\Program Files (x86)\Windows Mail\unsecapp.exe
"C:\Program Files (x86)\Windows Mail\unsecapp.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31b04592-280f-4cb6-94c9-475ccd486fe3.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e571b1a9-dd09-4c2d-ab7d-fca06c548cab.vbs"
C:\Program Files (x86)\Windows Mail\unsecapp.exe
"C:\Program Files (x86)\Windows Mail\unsecapp.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f748845-831b-4a62-8db0-bd3a5205c5b0.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\051ee68f-f3cf-40b2-9eea-c8e3eeed4f15.vbs"
C:\Program Files (x86)\Windows Mail\unsecapp.exe
"C:\Program Files (x86)\Windows Mail\unsecapp.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\921e2277-cb9a-43d9-93c0-08f95d433961.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12ee7236-8d0d-4f01-a15c-fe3bee15d7e1.vbs"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| BE | 2.17.107.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 106.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sddfasdasfdewfdsaffd.000webhostapp.com | udp |
| US | 145.14.145.225:80 | sddfasdasfdewfdsaffd.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 145.14.145.225:80 | sddfasdasfdewfdsaffd.000webhostapp.com | tcp |
| US | 145.14.145.225:80 | sddfasdasfdewfdsaffd.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 145.14.145.225:80 | sddfasdasfdewfdsaffd.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sddfasdasfdewfdsaffd.000webhostapp.com | udp |
| US | 145.14.145.48:80 | sddfasdasfdewfdsaffd.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 48.145.14.145.in-addr.arpa | udp |
| US | 145.14.145.48:80 | sddfasdasfdewfdsaffd.000webhostapp.com | tcp |
| US | 145.14.145.48:80 | sddfasdasfdewfdsaffd.000webhostapp.com | tcp |
| US | 145.14.145.48:80 | sddfasdasfdewfdsaffd.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe
| MD5 | 5f029eae663f2502df3464cd711d4347 |
| SHA1 | 61c86dc92b67e65b7c85c64594ff97140b3168ce |
| SHA256 | ff506ca08e22a56a084dbd8160045729a6d14d82258e40f936638c174a2c3622 |
| SHA512 | f9f56f9803be2a1a2c372deaf05fd0e518fb260f2846d892a83f7e44ac0b59b790be4bb0815627d004b8635fd1d9e77b5571afce1d992b55e7386b597d39779c |
C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat
| MD5 | d723af7383c6c7c9cfe4c51ebbe3b9c7 |
| SHA1 | db0c0c570da18e80fa176d6ac9a6f8f008238da7 |
| SHA256 | a855c002602a844ac257a3e11ddf5227aec96d77fe9b7172729856ebff42273e |
| SHA512 | 63316642c533aed7a581a5268941d461004e92fdff001178e9e498b7a5e0a96fe0ccfd4977a67e76f65dd8253698874a02b9ba8e7609c801d77e5189f4cbd56f |
C:\bridgesurrogateAgentFont\AgentProvider.exe
| MD5 | b1130e50aedfd408e93334fce676f4ee |
| SHA1 | f8e65fa8b009ac6369988b56b1fb456595f369bb |
| SHA256 | 6b9569c5a58b74855b4616b3a42e819692669df758b343b1bcd8042cb56af52b |
| SHA512 | 8cc3891150a13e72193bea907858862ca714b7e867402692a8ac76ccff176c0d50f0f19ac223a1a76dbfe74aeed46af7154532335efb76f851f626611bf848af |
memory/2232-12-0x00007FFE40633000-0x00007FFE40635000-memory.dmp
memory/2232-13-0x0000000000B20000-0x0000000000C5C000-memory.dmp
memory/2232-14-0x0000000002E80000-0x0000000002E9C000-memory.dmp
memory/2232-15-0x000000001B910000-0x000000001B960000-memory.dmp
memory/2232-16-0x0000000002EA0000-0x0000000002EB6000-memory.dmp
memory/2232-19-0x0000000002EE0000-0x0000000002EEC000-memory.dmp
memory/2232-18-0x0000000002ED0000-0x0000000002ED8000-memory.dmp
memory/2232-17-0x0000000002EC0000-0x0000000002ECA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\J4q7S46Fv0.bat
| MD5 | 3e9f2c01979e5e296232c8fe87e0f4af |
| SHA1 | 8e50124aac52cc0336f0996b1a9f8cdd18b1c5ef |
| SHA256 | 0a743e5dc274e4f7e03e058f4d71843745159e08da60d89e0e02b41137849f80 |
| SHA512 | 7d3720d546702aea5e7746b353c3d391fa6660b28896d957274fcdbb51d50ef1ac4755625e7a5c671249da806cc87c097771313cb747bbcb97b978c3c91ee8f2 |
C:\Users\Admin\AppData\Local\Temp\e9be024d-dac1-4207-9edb-a09c74a97f14.vbs
| MD5 | f970632f75fa015454bcecbb44d46cb1 |
| SHA1 | b1994342d887aa061d5943b13a5fcb85ad4c9652 |
| SHA256 | 573f53b6fa1a1b83704d0c66274ed3ebc4e523b489f1f7c332764bb27393c07e |
| SHA512 | 8814f193fffdc9c8931e90b374c982d524f622533fff9e46a36c3ee9adb3f9ca5da885158c0b6d0272abe86ec4b240db609cf36b970d6a410bd5ec4dc6a68aa1 |
C:\Users\Admin\AppData\Local\Temp\c5b58938-0d70-4e22-9e70-1d0ffd455207.vbs
| MD5 | 5bbcff55b9c98cb0674f25219a9e9737 |
| SHA1 | 86aa38b92d9f6b68952712ea7b022f00c49c5a04 |
| SHA256 | de1a2ad3a04cc75260c2b1e43eef719f0aa046c24327994561ae16df32bdb9b8 |
| SHA512 | c29e12fec567fa6bb91e58dd5ce48a90b0b7c697f8a543978d9a13a64bb15b7ae267639f69d5fa52c9227782cf9f5b6c1f2d12edfc1326784d59345653f1181b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log
| MD5 | 3ad9a5252966a3ab5b1b3222424717be |
| SHA1 | 5397522c86c74ddbfb2585b9613c794f4b4c3410 |
| SHA256 | 27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249 |
| SHA512 | b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6 |
C:\Users\Admin\AppData\Local\Temp\31b04592-280f-4cb6-94c9-475ccd486fe3.vbs
| MD5 | 23f9cbd0ca6eb9c266c0c1a27f2ed43b |
| SHA1 | 11009c08d1d4ccd19991ace59db0596f4847a20d |
| SHA256 | 73204eb4fc26c10f00308ef5882311b2b9986a35d9a4b49c1eeeedef3379e4a7 |
| SHA512 | 29e8902bfd8210175c2c930dc1388f942e13c196587703c478921937884f5d7e584c47e6b358fef03ba56553cfa6032fabeb49a34043f3806b04e6369dbd939a |
C:\Users\Admin\AppData\Local\Temp\0f748845-831b-4a62-8db0-bd3a5205c5b0.vbs
| MD5 | a090c47d2c1625b2865a8eb7fb31b7e3 |
| SHA1 | b89ca920e00d26244d2e10d8d9486ac399da8a4a |
| SHA256 | 4a9a08c1b2463da1b5940a06e6fbac9099a94d060d19628af827f5f293646dda |
| SHA512 | bde9da8fa62202e4b87c627ea7ec9fc3cd9b058f06ac03b522c17a279e29eb4c3f83dc7dfddc846848b83339eb651f08a5bd50591ab04b18a51f6b7da8a6a338 |
C:\Users\Admin\AppData\Local\Temp\921e2277-cb9a-43d9-93c0-08f95d433961.vbs
| MD5 | 3b5361288a9d90d98c1cd7cfd77336bc |
| SHA1 | 8408c7f04d95fe2228b9b37ef0a7480fbf316a7d |
| SHA256 | 1286debdccb75264ebbd22c9b15601d014172358c2f7e89b87e4d1452ed990f7 |
| SHA512 | 71a43269f67ad2b79ae9fe454dfcbf6a53e960bc760b016c40905e1fe5d8dd56f4db84f89cf0d7e116d216cd98b0f1304676f0a18a33c3c546c07acc1b7d28cd |