Malware Analysis Report

2024-10-10 13:05

Sample ID 240618-rmgnkaxcnf
Target DCRatBuild.exe
SHA256 f413c35eca818b528e5a0e5aa6c8fdd46f9e1e40d379feb3a70b58310c6c514a
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f413c35eca818b528e5a0e5aa6c8fdd46f9e1e40d379feb3a70b58310c6c514a

Threat Level: Known bad

The file DCRatBuild.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Process spawned unexpected child process

DcRat

Dcrat family

DCRat payload

DCRat payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 14:18

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 14:18

Reported

2024-06-18 14:21

Platform

win7-20231129-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe C:\Surrogatesession\containerwebDll.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\Resources\Themes\Aero\fr-FR\0a1fd5f707cd16 C:\Surrogatesession\containerwebDll.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\42af1c969fbb7b C:\Surrogatesession\containerwebDll.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Surrogatesession\containerwebDll.exe N/A
N/A N/A C:\Surrogatesession\containerwebDll.exe N/A
N/A N/A C:\Surrogatesession\dwm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe C:\Surrogatesession\containerwebDll.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\42af1c969fbb7b C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\explorer.exe C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\7a0fd90576e088 C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Program Files (x86)\Windows Mail\ja-JP\Idle.exe C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Program Files (x86)\Windows Mail\ja-JP\6ccacd8608530f C:\Surrogatesession\containerwebDll.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Resources\Themes\Aero\fr-FR\sppsvc.exe C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Windows\Resources\Themes\Aero\fr-FR\0a1fd5f707cd16 C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Windows\Fonts\WmiPrvSE.exe C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Windows\Fonts\24dbde2999530e C:\Surrogatesession\containerwebDll.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Surrogatesession\dwm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Surrogatesession\containerwebDll.exe N/A
Token: SeDebugPrivilege N/A C:\Surrogatesession\containerwebDll.exe N/A
Token: SeDebugPrivilege N/A C:\Surrogatesession\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2216 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2216 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2216 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2780 wrote to memory of 3008 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 3008 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 3008 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 3008 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Surrogatesession\containerwebDll.exe
PID 3008 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Surrogatesession\containerwebDll.exe
PID 3008 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Surrogatesession\containerwebDll.exe
PID 3008 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Surrogatesession\containerwebDll.exe
PID 2604 wrote to memory of 1912 N/A C:\Surrogatesession\containerwebDll.exe C:\Windows\System32\cmd.exe
PID 2604 wrote to memory of 1912 N/A C:\Surrogatesession\containerwebDll.exe C:\Windows\System32\cmd.exe
PID 2604 wrote to memory of 1912 N/A C:\Surrogatesession\containerwebDll.exe C:\Windows\System32\cmd.exe
PID 1912 wrote to memory of 1916 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1912 wrote to memory of 1916 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1912 wrote to memory of 1916 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1912 wrote to memory of 856 N/A C:\Windows\System32\cmd.exe C:\Surrogatesession\containerwebDll.exe
PID 1912 wrote to memory of 856 N/A C:\Windows\System32\cmd.exe C:\Surrogatesession\containerwebDll.exe
PID 1912 wrote to memory of 856 N/A C:\Windows\System32\cmd.exe C:\Surrogatesession\containerwebDll.exe
PID 856 wrote to memory of 1568 N/A C:\Surrogatesession\containerwebDll.exe C:\Surrogatesession\dwm.exe
PID 856 wrote to memory of 1568 N/A C:\Surrogatesession\containerwebDll.exe C:\Surrogatesession\dwm.exe
PID 856 wrote to memory of 1568 N/A C:\Surrogatesession\containerwebDll.exe C:\Surrogatesession\dwm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Surrogatesession\1xwZLMSuNR5Dt6umDBBaTv.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Surrogatesession\N4Uo34sDWZJRkkmTLgJx4Vp3o.bat" "

C:\Surrogatesession\containerwebDll.exe

"C:\Surrogatesession\containerwebDll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lJjcBPjH5n.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Surrogatesession\containerwebDll.exe

"C:\Surrogatesession\containerwebDll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Surrogatesession\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Surrogatesession\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Surrogatesession\dwm.exe'" /rl HIGHEST /f

C:\Surrogatesession\dwm.exe

"C:\Surrogatesession\dwm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 145.14.145.134:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 145.14.145.134:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 145.14.145.134:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 145.14.144.236:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp

Files

C:\Surrogatesession\1xwZLMSuNR5Dt6umDBBaTv.vbe

MD5 b353782b478ab8d51d7db7288b6c34d6
SHA1 01a6464ed0e54e13b9e57330c35b6b5046ec2edd
SHA256 25829c9c131a81171c051150338821527a557d626793db627422f6cc49d29bec
SHA512 86bb86af7dae35fa31a3e7762b57421f9479ad4ce8707565b43f4bd1d07af314de574d9b7a1abc16ef2ea4f73140eba55c9afd606807aed1eb5cdfd12ffff033

C:\Surrogatesession\N4Uo34sDWZJRkkmTLgJx4Vp3o.bat

MD5 72050a7220ffa4b67c82fda3c5edbd3f
SHA1 7f6e6d7a8320e3a71702701e5b6b90d3c9542d7b
SHA256 8e58e86ee6a4a88e2576646356b35c3c38968c344c4e6c54d9321ff797cce6fa
SHA512 e2a3b27d311b3c78d1c90da3d7c9d8df9ae371ddc56c1f9b39e900ac53b59d473bc9168840e42a731ee377109732fe2332e6bcdf9cadfa7c78161f7944f0f362

\Surrogatesession\containerwebDll.exe

MD5 38ca9b97f4865f8fff319d891f9c365b
SHA1 68f3322e56cbb1fcd62f4ed69ccdc03f1eafa662
SHA256 b58427fa6cc17456c4970fc079f0f697ddb35260e7089fa07c66da9fb98aa3ad
SHA512 52f0ed397edc851ff18d20dd7ed7bdb447511e554807ab70e703b814e1cea439149ed7fa5f27380dc2683b4871ff1f9d109c40364818b8b1945b6a636c849eb9

memory/2604-13-0x00000000008A0000-0x00000000009DE000-memory.dmp

memory/2604-14-0x0000000000550000-0x000000000056C000-memory.dmp

memory/2604-15-0x0000000000570000-0x0000000000586000-memory.dmp

memory/2604-16-0x0000000000330000-0x000000000033C000-memory.dmp

memory/2604-17-0x0000000000590000-0x000000000059C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lJjcBPjH5n.bat

MD5 36b983189dc96e586fc2c888592575fe
SHA1 0c0c66850fb32f7d7e62d1eb9e9684e822e535be
SHA256 a65a995fded4b0fbc069b560dd36d40fbb2694bdfb7a8d433fafe926568f93ae
SHA512 6235bf9641147baa6013820171c3e72f46e4543df8559bfdeccc8c3ceb5b3a073031ee5f0c83d4117a0afbba65d2ee204f031936457e773e7dd846f1436f734d

memory/856-30-0x00000000013E0000-0x000000000151E000-memory.dmp

memory/1568-51-0x00000000002A0000-0x00000000003DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 14:18

Reported

2024-06-18 14:21

Platform

win10v2004-20240508-en

Max time kernel

39s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Surrogatesession\containerwebDll.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Surrogatesession\containerwebDll.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\55b276f4edf653 C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Program Files (x86)\Windows Mail\ebf1f9fa8afd6d C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\ea9f0e6c9e2dcd C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Program Files\Microsoft Office\taskhostw.exe C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Program Files\Microsoft Office\ea9f0e6c9e2dcd C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Program Files\Mozilla Firefox\csrss.exe C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Program Files\VideoLAN\StartMenuExperienceHost.exe C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Program Files (x86)\Windows Mail\cmd.exe C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Program Files\Mozilla Firefox\886983d96e3d3e C:\Surrogatesession\containerwebDll.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\sihost.exe C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Windows\Tasks\66fc9ff0ee96c2 C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Windows\Installer\dllhost.exe C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Windows\Installer\5940a34987c991 C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\9e8d7a4ca61bd9 C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Windows\rescache\_merged\spoolsv.exe C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Windows\Media\Savanna\e6c9b481da804f C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\RuntimeBroker.exe C:\Surrogatesession\containerwebDll.exe N/A
File created C:\Windows\Media\Savanna\OfficeClickToRun.exe C:\Surrogatesession\containerwebDll.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Surrogatesession\containerwebDll.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Surrogatesession\containerwebDll.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Surrogatesession\containerwebDll.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 232 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 232 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 232 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 512 wrote to memory of 2768 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 2768 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 2768 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Surrogatesession\containerwebDll.exe
PID 2768 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Surrogatesession\containerwebDll.exe
PID 860 wrote to memory of 4996 N/A C:\Surrogatesession\containerwebDll.exe C:\Windows\System32\cmd.exe
PID 860 wrote to memory of 4996 N/A C:\Surrogatesession\containerwebDll.exe C:\Windows\System32\cmd.exe
PID 4996 wrote to memory of 2552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4996 wrote to memory of 2552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4996 wrote to memory of 1120 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\RuntimeBroker.exe
PID 4996 wrote to memory of 1120 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\RuntimeBroker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Surrogatesession\1xwZLMSuNR5Dt6umDBBaTv.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Surrogatesession\N4Uo34sDWZJRkkmTLgJx4Vp3o.bat" "

C:\Surrogatesession\containerwebDll.exe

"C:\Surrogatesession\containerwebDll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Savanna\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Media\Savanna\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Savanna\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Tasks\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Installer\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Surrogatesession\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Surrogatesession\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Surrogatesession\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VO1TslH5FF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\RuntimeBroker.exe

"C:\Recovery\WindowsRE\RuntimeBroker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp

Files

C:\Surrogatesession\1xwZLMSuNR5Dt6umDBBaTv.vbe

MD5 b353782b478ab8d51d7db7288b6c34d6
SHA1 01a6464ed0e54e13b9e57330c35b6b5046ec2edd
SHA256 25829c9c131a81171c051150338821527a557d626793db627422f6cc49d29bec
SHA512 86bb86af7dae35fa31a3e7762b57421f9479ad4ce8707565b43f4bd1d07af314de574d9b7a1abc16ef2ea4f73140eba55c9afd606807aed1eb5cdfd12ffff033

C:\Surrogatesession\N4Uo34sDWZJRkkmTLgJx4Vp3o.bat

MD5 72050a7220ffa4b67c82fda3c5edbd3f
SHA1 7f6e6d7a8320e3a71702701e5b6b90d3c9542d7b
SHA256 8e58e86ee6a4a88e2576646356b35c3c38968c344c4e6c54d9321ff797cce6fa
SHA512 e2a3b27d311b3c78d1c90da3d7c9d8df9ae371ddc56c1f9b39e900ac53b59d473bc9168840e42a731ee377109732fe2332e6bcdf9cadfa7c78161f7944f0f362

C:\Surrogatesession\containerwebDll.exe

MD5 38ca9b97f4865f8fff319d891f9c365b
SHA1 68f3322e56cbb1fcd62f4ed69ccdc03f1eafa662
SHA256 b58427fa6cc17456c4970fc079f0f697ddb35260e7089fa07c66da9fb98aa3ad
SHA512 52f0ed397edc851ff18d20dd7ed7bdb447511e554807ab70e703b814e1cea439149ed7fa5f27380dc2683b4871ff1f9d109c40364818b8b1945b6a636c849eb9

memory/860-12-0x00007FFF7BD03000-0x00007FFF7BD05000-memory.dmp

memory/860-13-0x00000000007A0000-0x00000000008DE000-memory.dmp

memory/860-14-0x00000000010A0000-0x00000000010BC000-memory.dmp

memory/860-15-0x000000001B520000-0x000000001B570000-memory.dmp

memory/860-16-0x0000000002AF0000-0x0000000002B06000-memory.dmp

memory/860-17-0x0000000000E90000-0x0000000000E9C000-memory.dmp

memory/860-18-0x00000000010C0000-0x00000000010CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VO1TslH5FF.bat

MD5 8c9c949c5351ab50ea385a1cc40a5678
SHA1 f23c2f27c9ea675c6ef7203b1b8fb3a6bb6f689b
SHA256 169fb8c85023fbee0debe068f4ca06d99058ecd97b84f0be1a9290c3ecb8827c
SHA512 dd81c25262d13e38ec6dc16293126260e2b6135681423761cea3bac8b1cb6d98de5321e2f30720b10a0cf5f2826d2e2884f3a3541564f9c38362c392a0e5b8e5