Malware Analysis Report

2024-10-10 13:04

Sample ID 240618-wm463stdkf
Target 9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe
SHA256 9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e
Tags
rat dcrat infostealer
score
10/10

Analysis Overview

score
10/10

SHA256

9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e

Threat Level: Known bad

The file 9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DCRat payload

Process spawned unexpected child process

Dcrat family

DcRat

DCRat payload

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-18 18:03

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 18:03

Reported

2024-06-18 18:05

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
(21 identical entries)

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(3 identical entries)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\All Users\Adobe\Updater6\services.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
(2 identical entries)

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\ja-JP\Idle.exe | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Program Files\Common Files\System\ja-JP\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Program Files\7-Zip\Lang\wininit.exe | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Program Files\7-Zip\Lang\56085415360792 | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\security\database\56085415360792 | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Windows\security\database\wininit.exe | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Adobe\Updater6\services.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe

"C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\System\ja-JP\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ja-JP\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\ja-JP\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Updater6\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Updater6\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\security\database\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\security\database\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\security\database\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tWpJV5Zrk7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Adobe\Updater6\services.exe

"C:\Users\All Users\Adobe\Updater6\services.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | pastebin.com | udp
US | 172.67.19.24:443 | pastebin.com | tcp
US | 8.8.8.8:53 | a0994622.xsph.ru | udp
RU | 141.8.192.58:80 | a0994622.xsph.ru | tcp

Files

memory/1320-0-0x000007FEF5F53000-0x000007FEF5F54000-memory.dmp

memory/1320-1-0x0000000000FE0000-0x00000000010B6000-memory.dmp

memory/1320-2-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

C:\ProgramData\Adobe\Updater6\services.exe

MD5 524b2b64f6d71da4fe34437ce40975da
SHA1 a3c9bc5e512ad28a45b2e9f23e3cd58a5aa6f4bc
SHA256 9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e
SHA512 38f71021fb59f80bb08fa60c35d792192e57ea216d2299b8e060aee64d1c79eafa381b8715276560b9306fa696cf05cda41b46ee194a27c6346504de5d5c9a40

C:\Users\Admin\AppData\Local\Temp\tWpJV5Zrk7.bat

MD5 aad84724ff83aa0c10ebe0bbf4e3bb44
SHA1 71ea1f7644a94d7ab56e849df39a9d4673e5fc58
SHA256 6aadfd90c77a358a0a5f43436e839e8d3f2cce3231e1c5af1fa4b8daa00f7788
SHA512 d61b93e6a6d33d8bee0832d9126d795299f1cd2ca02344ff2a9f18c154efc9d296697716434a1329706c834f58a558f4622fa952897b2317c57d14ed82c42298

memory/1320-22-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

memory/2752-25-0x0000000000970000-0x0000000000A46000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 18:03

Reported

2024-06-18 18:05

Platform

win10v2004-20240611-en

Max time kernel

115s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
(30 identical entries)

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(2 identical entries)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
(2 identical entries)

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\e6c9b481da804f | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\uk-UA\backgroundTaskHost.exe | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\uk-UA\eddb19405b7ce1 | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Program Files (x86)\Windows Portable Devices\38384e6a620884 | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Windows\BitLockerDiscoveryVolumeContents\msedge.exe | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Windows\BitLockerDiscoveryVolumeContents\61a52ddc9dd915 | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Windows\ImmersiveControlPanel\ja-JP\csrss.exe | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Windows\servicing\de-DE\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Windows\Tasks\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Windows\Tasks\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
File created | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
(12 identical entries)
N/A | N/A | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe | N/A
(2 identical entries)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe

"C:\Users\Admin\AppData\Local\Temp\9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uhjCmtzLp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe

"C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1428,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
(4 identical entries)
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
GB | 52.123.242.9:443 | | tcp
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.4.235:443 | pastebin.com | tcp
US | 8.8.8.8:53 | a0994622.xsph.ru | udp
RU | 141.8.192.58:80 | a0994622.xsph.ru | tcp
US | 8.8.8.8:53 | 58.192.8.141.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp
GB | 52.123.242.49:443 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp

Files

memory/2464-0-0x00007FFCB8363000-0x00007FFCB8365000-memory.dmp

memory/2464-1-0x0000000000440000-0x0000000000516000-memory.dmp

memory/2464-4-0x00007FFCB8360000-0x00007FFCB8E21000-memory.dmp

C:\Windows\Tasks\dllhost.exe

MD5 524b2b64f6d71da4fe34437ce40975da
SHA1 a3c9bc5e512ad28a45b2e9f23e3cd58a5aa6f4bc
SHA256 9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e
SHA512 38f71021fb59f80bb08fa60c35d792192e57ea216d2299b8e060aee64d1c79eafa381b8715276560b9306fa696cf05cda41b46ee194a27c6346504de5d5c9a40

memory/2464-28-0x00007FFCB8360000-0x00007FFCB8E21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0uhjCmtzLp.bat

MD5 195ce5f76102aa88b1cd4bd060b93519
SHA1 9b637b5a0a74f15582745d12685bf98054a1535e
SHA256 bb06e679330696164352ed61be96e9ad35317b80449ebe55771a1cb1d4c40eda
SHA512 d3591a6562544c0784975e868825afc652d57e3164fc96ffbe45687723512463eed45da3dd11bf3b8b8ef2112a8d3ace55b189606fedea3c84fb0bc1d2ed4888