Malware Analysis Report

2024-10-10 13:07

Sample ID 240620-rswdxawgjn
Target AgE312YolF45.exe
SHA256 3f55ade4a555c326fc309c8478b1abe8acb9d24ca3496d5a3e65256c35b81ee7
Tags
rat dcrat evasion infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3f55ade4a555c326fc309c8478b1abe8acb9d24ca3496d5a3e65256c35b81ee7

Threat Level: Known bad

The file AgE312YolF45.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

Process spawned unexpected child process

DcRat

DCRat payload

Dcrat family

UAC bypass

Disables Task Manager via registry modification

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Scheduled Task/Job: Scheduled Task

Modifies registry key

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 14:27

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 14:27

Reported

2024-06-20 14:30

Platform

win7-20240611-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\f3b6ecef712a24 | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
File created | C:\Program Files\Mozilla Firefox\fonts\lsm.exe | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
File created | C:\Program Files\Mozilla Firefox\fonts\101b941d020240 | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
File created | C:\Program Files\Windows Journal\Templates\explorer.exe | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
File created | C:\Program Files\Windows Journal\Templates\7a0fd90576e088 | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
File created | C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
File created | C:\Program Files\Microsoft Office\Office14\1033\cc11b995f2a76d | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\it-IT\f3b6ecef712a24 | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Prefetch\ReadyBoot\csrss.exe | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
File created | C:\Windows\Prefetch\ReadyBoot\886983d96e3d3e | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A

Enumerates physical storage devices

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
N/A | N/A | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
N/A | N/A | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
N/A | N/A | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
N/A | N/A | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2124 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe | C:\Windows\SysWOW64\WScript.exe
PID 2124 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe | C:\Windows\SysWOW64\WScript.exe
PID 2124 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe | C:\Windows\SysWOW64\WScript.exe
PID 2124 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe | C:\Windows\SysWOW64\WScript.exe
PID 1512 wrote to memory of 2752 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 2752 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 2752 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 2752 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ReviewRuntimenet\ServerSaveshost.exe
PID 2752 wrote to memory of 2936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ReviewRuntimenet\ServerSaveshost.exe
PID 2752 wrote to memory of 2936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ReviewRuntimenet\ServerSaveshost.exe
PID 2752 wrote to memory of 2936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ReviewRuntimenet\ServerSaveshost.exe
PID 2936 wrote to memory of 1812 | N/A | C:\ReviewRuntimenet\ServerSaveshost.exe | C:\Windows\System32\cmd.exe
PID 2936 wrote to memory of 1812 | N/A | C:\ReviewRuntimenet\ServerSaveshost.exe | C:\Windows\System32\cmd.exe
PID 2936 wrote to memory of 1812 | N/A | C:\ReviewRuntimenet\ServerSaveshost.exe | C:\Windows\System32\cmd.exe
PID 2752 wrote to memory of 2224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 2236 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1812 wrote to memory of 2236 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1812 wrote to memory of 2236 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1812 wrote to memory of 1696 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Prefetch\ReadyBoot\csrss.exe
PID 1812 wrote to memory of 1696 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Prefetch\ReadyBoot\csrss.exe
PID 1812 wrote to memory of 1696 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Prefetch\ReadyBoot\csrss.exe
PID 1696 wrote to memory of 1636 | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | C:\Windows\System32\WScript.exe
PID 1696 wrote to memory of 1636 | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | C:\Windows\System32\WScript.exe
PID 1696 wrote to memory of 1636 | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | C:\Windows\System32\WScript.exe
PID 1696 wrote to memory of 820 | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | C:\Windows\System32\WScript.exe
PID 1696 wrote to memory of 820 | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | C:\Windows\System32\WScript.exe
PID 1696 wrote to memory of 820 | N/A | C:\Windows\Prefetch\ReadyBoot\csrss.exe | C:\Windows\System32\WScript.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\Prefetch\ReadyBoot\csrss.exe | N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe

"C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ReviewRuntimenet\21ZjY.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ReviewRuntimenet\TQG4xYGlGcFKVrVpNsWy.bat" "

C:\ReviewRuntimenet\ServerSaveshost.exe

"C:\ReviewRuntimenet\ServerSaveshost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\ReviewRuntimenet\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ReviewRuntimenet\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\ReviewRuntimenet\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\NetHood\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\Templates\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\Templates\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bp2QSrQG1f.bat"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Prefetch\ReadyBoot\csrss.exe

"C:\Windows\Prefetch\ReadyBoot\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca9caac2-0768-4a73-8b8a-dd2fc8c21f8c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\197153c0-cdbd-4f7c-903b-943b36c4b484.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | a0998251.xsph.ru | udp
RU | 141.8.194.149:80 | a0998251.xsph.ru | tcp
RU | 141.8.194.149:80 | a0998251.xsph.ru | tcp
RU | 141.8.194.149:80 | a0998251.xsph.ru | tcp
RU | 141.8.194.149:80 | a0998251.xsph.ru | tcp
RU | 141.8.194.149:80 | a0998251.xsph.ru | tcp

Files

C:\ReviewRuntimenet\21ZjY.vbe

MD5 09a35d6cb1e2ea076586988cdbcc940a
SHA1 7e062f07474330abdab5d77ad336bc0a3532ca89
SHA256 6d8ba67017098b244d617acea6d2e70b47db126ca14924b9a82703bae95a5c38
SHA512 2f3100f18b3aa18abdbead9e8955af0eebdf451ed0ec987306fcc73bda195933b8fe8c59be7a8f777192890260efb96edaf6b3c04ce56e3151c7a0c9ee960f7c

C:\ReviewRuntimenet\TQG4xYGlGcFKVrVpNsWy.bat

MD5 285b91a7a5b84ebdca3dc8f49a68638c
SHA1 61c9262f49da3afdf6310efd11108adb9b8283ff
SHA256 59ddfb2705077e864946fe450625206671a1faafc9e46704ca108b4196d24f99
SHA512 7ce8348ddb6571aaadcce2e8780d3032055a2bded51e9dd4a2eb1aa1f7f24ea9258322dae8c15223ed92b83681f2b5333b0e828239624b1e929771a4b670601d

C:\ReviewRuntimenet\ServerSaveshost.exe

MD5 88e250828f656440b29f7be2b67b5d44
SHA1 86c19cccc181827c99f8703f017ee2d22a1ffe1e
SHA256 67d4916350ff960cd46e98f0c1d00290b63eb8a6c94c3595e76245d4ae4706d0
SHA512 11c7da52c1a67af894608dad046cf85947f64e74ecaae20edbf3f748ee0a9b65d3a5a03ceb1a690016de883fa39a5fba384cb6d031a09a086e323367f7de3c1f

memory/2936-13-0x0000000000D90000-0x0000000000F44000-memory.dmp

memory/2936-14-0x0000000000150000-0x000000000016C000-memory.dmp

memory/2936-15-0x0000000000370000-0x0000000000378000-memory.dmp

memory/2936-16-0x0000000000380000-0x0000000000390000-memory.dmp

memory/2936-17-0x0000000000510000-0x0000000000526000-memory.dmp

memory/2936-18-0x0000000000640000-0x0000000000648000-memory.dmp

memory/2936-19-0x0000000000650000-0x000000000065A000-memory.dmp

memory/2936-20-0x0000000000660000-0x000000000066C000-memory.dmp

memory/2936-21-0x0000000000670000-0x0000000000682000-memory.dmp

memory/2936-22-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

memory/2936-23-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

memory/2936-24-0x000000001A6E0000-0x000000001A6EA000-memory.dmp

memory/2936-25-0x0000000000BE0000-0x0000000000BEE000-memory.dmp

memory/2936-26-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

memory/2936-27-0x000000001A6D0000-0x000000001A6DA000-memory.dmp

memory/2936-28-0x000000001A8D0000-0x000000001A8DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bp2QSrQG1f.bat

MD5 bbaa8dc024c5443c733dc9bea0bc6867
SHA1 2dceb80cf2db133a2febff76767c0fb96d11d682
SHA256 af0cdd446ec2a2aeca814db2dc871f9b2326c75c2c915ad181a69a3f5fdb009c
SHA512 535d846c74f3eb3666447e551c3011931642eac6f86d49f577b59a6ae1acb39825265aa2fdd58a3c7508c4c3e247f5c78520e53528bb03003ad7455d97a45736

memory/1696-56-0x0000000000030000-0x00000000001E4000-memory.dmp

memory/1696-57-0x0000000000920000-0x0000000000932000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ca9caac2-0768-4a73-8b8a-dd2fc8c21f8c.vbs

MD5 1c481223b8099c98cab692f597865dee
SHA1 1015dc2476dd3e8b3318590c3b01c0682fb0dc41
SHA256 38659c5e3886ba04e5bffeb716b55cb38a9b1c6648251fe0a033837a61c727f2
SHA512 40cd2963de7b4365a32b35eca77446f0bf1a1152df1cd934c51b6ec3bbecb7b433409a4b6294d1f626962fa0e21d9436b48158f5246fa21ba7bf06ce7d05c9ad

C:\Users\Admin\AppData\Local\Temp\197153c0-cdbd-4f7c-903b-943b36c4b484.vbs

MD5 bd4c600493d8b3ebd31c567615c86f8b
SHA1 8e67b7fccff39954c19672b603f06b1e5a96235c
SHA256 1753230cbb0f1f6a54464b5810e8a7f3efcfbbe80fdfb8560889babb33eff8fd
SHA512 ab58c3eb65f99565b53964bb5b66f425ec55c7a2fd349ec53c9ec9344bcf43e12fe957b1a3b63df928cc3ab31cf6d5ea2b8166ed7e058f2b7aa9b64a0585d157

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 14:27

Reported

2024-06-20 14:28

Platform

win10v2004-20240611-en

Max time kernel

20s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Web\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\Web\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\Web\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\ReviewRuntimenet\ServerSaveshost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\Web\System.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ReviewRuntimenet\ServerSaveshost.exe N/A
N/A N/A C:\Windows\Web\System.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ReviewRuntimenet\ServerSaveshost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ReviewRuntimenet\ServerSaveshost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Web\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Web\System.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Security\BrowserCore\en-US\services.exe C:\ReviewRuntimenet\ServerSaveshost.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\c5b4cb5e9653cc C:\ReviewRuntimenet\ServerSaveshost.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe C:\ReviewRuntimenet\ServerSaveshost.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\6cb0b6c459d5d3 C:\ReviewRuntimenet\ServerSaveshost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Web\System.exe C:\ReviewRuntimenet\ServerSaveshost.exe N/A
File created C:\Windows\Web\27d1bcfc3c54e0 C:\ReviewRuntimenet\ServerSaveshost.exe N/A
File created C:\Windows\twain_32\SearchApp.exe C:\ReviewRuntimenet\ServerSaveshost.exe N/A
File created C:\Windows\twain_32\38384e6a620884 C:\ReviewRuntimenet\ServerSaveshost.exe N/A
File created C:\Windows\CSC\RuntimeBroker.exe C:\ReviewRuntimenet\ServerSaveshost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Windows\Web\System.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ReviewRuntimenet\ServerSaveshost.exe N/A (6 identical rows)
N/A N/A C:\Windows\Web\System.exe N/A (58 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ReviewRuntimenet\ServerSaveshost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Web\System.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3664 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe C:\Windows\SysWOW64\WScript.exe
PID 3664 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe C:\Windows\SysWOW64\WScript.exe
PID 3664 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe C:\Windows\SysWOW64\WScript.exe
PID 5008 wrote to memory of 208 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 208 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 208 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\ReviewRuntimenet\ServerSaveshost.exe
PID 208 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\ReviewRuntimenet\ServerSaveshost.exe
PID 4876 wrote to memory of 1864 N/A C:\ReviewRuntimenet\ServerSaveshost.exe C:\Windows\Web\System.exe
PID 4876 wrote to memory of 1864 N/A C:\ReviewRuntimenet\ServerSaveshost.exe C:\Windows\Web\System.exe
PID 208 wrote to memory of 780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 208 wrote to memory of 780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 208 wrote to memory of 780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1864 wrote to memory of 396 N/A C:\Windows\Web\System.exe C:\Windows\System32\WScript.exe
PID 1864 wrote to memory of 396 N/A C:\Windows\Web\System.exe C:\Windows\System32\WScript.exe
PID 1864 wrote to memory of 4908 N/A C:\Windows\Web\System.exe C:\Windows\System32\WScript.exe
PID 1864 wrote to memory of 4908 N/A C:\Windows\Web\System.exe C:\Windows\System32\WScript.exe
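In sandbox reports of this kind the "wrote to memory of" rows are typically recorded when a parent initialises a child it has just created, so with the repeated rows collapsed they are the process tree of the detonation: AgE312YolF45.exe > WScript.exe (21ZjY.vbe) > cmd.exe (the .bat) > ServerSaveshost.exe > System.exe > WScript.exe (the two .vbs files), with reg.exe launched from the same cmd.exe. The script below is an added example, not part of the report or of the sandbox: it rebuilds that tree from rows in the report's own wording, prints the lineage of any PID, and applies three parent/child rules: a script host spawning a shell, schtasks.exe launched by a parent outside an assumed allowlist (the case the "Process spawned unexpected child process" signature raises for wmiprvse.exe), and a child image executing outside System32, SysWOW64 or Program Files. The wmiprvse.exe row is constructed with placeholder PIDs, which the report does not give, and the allowlist and trusted-directory list are assumptions to tune.

```python
import re

# Rows in the wording this report uses:
#   PID <parent> wrote to memory of <child> N/A <parent path> <child path>
# Constructed for this example from the rows above (one duplicate kept on purpose);
# the last row is constructed from the "unexpected child process" signature, with
# placeholder PIDs 9001/9002 because the report does not give them.
SAMPLE_ROWS = [
    r"PID 3664 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 3664 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 5008 wrote to memory of 208 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 208 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\ReviewRuntimenet\ServerSaveshost.exe",
    r"PID 4876 wrote to memory of 1864 N/A C:\ReviewRuntimenet\ServerSaveshost.exe C:\Windows\Web\System.exe",
    r"PID 208 wrote to memory of 780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe",
    r"PID 1864 wrote to memory of 396 N/A C:\Windows\Web\System.exe C:\Windows\System32\WScript.exe",
    r"PID 1864 wrote to memory of 4908 N/A C:\Windows\Web\System.exe C:\Windows\System32\WScript.exe",
    r"PID 9001 wrote to memory of 9002 N/A C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\schtasks.exe",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.IGNORECASE)

# Directories from which a child image is unremarkable; anything else is a dropped or staged file.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed allowlist of parents that normally launch schtasks.exe; tune to your estate.
EXPECTED_PARENTS = {"schtasks.exe": {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe"}}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(rows):
    """Unique (ppid, cpid, parent_path, child_path) edges in first-seen order."""
    edges, seen = [], set()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        if (ppid, cpid) in seen:
            continue  # several writes into one child are a single creation
        seen.add((ppid, cpid))
        edges.append((ppid, cpid, m.group(3), m.group(4)))
    return edges


def lineage(edges, pid):
    """Lower-cased image names from the root process down to pid."""
    parent = {c: p for p, c, _, _ in edges}
    path_of = {}
    for p, c, ppath, cpath in edges:
        path_of[p], path_of[c] = ppath, cpath
    chain = []
    while pid in path_of:
        chain.append(basename(path_of[pid]))
        if pid not in parent:
            break
        pid = parent[pid]
    return chain[::-1]


def find_anomalies(edges):
    """(rule, ppid, cpid, detail) for each parent/child edge that breaks an expectation."""
    findings = []
    for ppid, cpid, ppath, cpath in edges:
        pname, cname = basename(ppath), basename(cpath)
        if pname in SCRIPT_HOSTS and cname in SHELLS:
            findings.append(("script_host_spawns_shell", ppid, cpid, f"{pname} -> {cname}"))
        if cname in EXPECTED_PARENTS and pname not in EXPECTED_PARENTS[cname]:
            findings.append(("unexpected_parent", ppid, cpid, f"{pname} -> {cname}"))
        if not cpath.lower().startswith(TRUSTED_DIRS):
            findings.append(("exec_outside_trusted_dirs", ppid, cpid, cpath))
    return findings


if __name__ == "__main__":
    tree = parse_rows(SAMPLE_ROWS)
    print(" > ".join(lineage(tree, 396)))
    for rule, ppid, cpid, detail in find_anomalies(tree):
        print(f"{rule:26} {ppid}->{cpid}  {detail}")
```

The trusted-directory rule is deliberately crude: it catches ServerSaveshost.exe in C:\ReviewRuntimenet and System.exe in C:\Windows\Web, but the copies this sample plants under Program Files would pass it, which is why the scheduled-task names and paths need their own check.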

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Web\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Web\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Web\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ReviewRuntimenet\ServerSaveshost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\ReviewRuntimenet\ServerSaveshost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\ReviewRuntimenet\ServerSaveshost.exe N/A
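The six policy writes above (also listed under "UAC bypass" and "Checks whether UAC is enabled") are the whole UAC story of this detonation, and two caveats matter when triaging them. The values live under HKLM\...\Policies\System, so only a process that is already high-integrity can write them: this is UAC being switched off after elevation, not bypassed. EnableLUA=0 only takes effect at the next reboot, while ConsentPromptBehaviorAdmin=0 (elevate without prompting) and PromptOnSecureDesktop=0 change prompting behaviour without one. The script below is an added example, not part of the report or of the sandbox: it parses events in the report's own "Set value" wording (sample rows constructed from this page, plus the HKCU DisableTaskMgr write that the reg.exe command line in the process list performs and one constructed benign control) and flags UAC weakening and Task Manager disablement per writing process.

```python
import re
from dataclasses import dataclass

# Policy-change events in the wording this report uses:
#   Set value (int) <key>\<value name> = "<data>" <writing process>
# Constructed for this example from the rows above and the reg.exe command line in the
# process list; the last row is a constructed benign control (hardened value, system process).
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Web\System.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Web\System.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Web\System.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ReviewRuntimenet\ServerSaveshost.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\SysWOW64\reg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" C:\Windows\System32\svchost.exe',
]

EVENT_RE = re.compile(r'^Set value \((\w+)\) (?P<key>.+)\\(?P<name>[^\\]+?) = "(?P<data>[^"]*)" (?P<proc>.+)$')

# Registry keys and value names are case-insensitive, so everything is compared lower-cased.
POLICY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\policies\\system"
# HKLM values that, set to 0, turn UAC off (EnableLUA, effective after reboot), auto-approve
# elevation for administrators (ConsentPromptBehaviorAdmin) or drop the secure desktop.
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}


@dataclass
class Finding:
    rule: str
    value_name: str
    data: str
    process: str


def find_policy_tampering(events):
    """One Finding per event that weakens UAC (HKLM) or disables Task Manager (HKCU)."""
    findings = []
    for line in events:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        key, name, data = m["key"].lower(), m["name"].lower(), m["data"]
        if not key.endswith(POLICY_SUFFIX):
            continue
        if key.startswith("\\registry\\machine\\") and name in UAC_VALUES and data == "0":
            findings.append(Finding("uac_weakened", m["name"], data, m["proc"]))
        elif key.startswith("\\registry\\user\\") and name == "disabletaskmgr" and data == "1":
            findings.append(Finding("taskmgr_disabled", m["name"], data, m["proc"]))
    return findings


def tampering_processes(findings):
    """Distinct writer processes, the natural pivot for the rest of the triage."""
    return sorted({f.process for f in findings})


if __name__ == "__main__":
    found = find_policy_tampering(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:17} {f.value_name}={f.data}  by {f.process}")
    print("processes:", tampering_processes(found))
```

On a live host the same three values can be read back with reg query, and a response playbook should restore them (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1) only after the scheduled tasks below are removed, or the next re-launch simply sets them to 0 again.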

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe

"C:\Users\Admin\AppData\Local\Temp\AgE312YolF45.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ReviewRuntimenet\21ZjY.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ReviewRuntimenet\TQG4xYGlGcFKVrVpNsWy.bat" "

C:\ReviewRuntimenet\ServerSaveshost.exe

"C:\ReviewRuntimenet\ServerSaveshost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Web\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\twain_32\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\Web\System.exe

"C:\Windows\Web\System.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc0473d2-6cca-4c25-8989-06bbf8b71137.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\475384d0-59a6-448f-a3f4-f7e0cc3df93c.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
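The 21 schtasks /create lines in the process list above are the persistence layer: each of the seven persisted binaries is registered three times (once on a MINUTE cadence without a run level, once ONLOGON with /rl HIGHEST, once more on a 5 to 14 minute cadence with /rl HIGHEST), and every one borrows the name of a Windows component (fontdrvhost, System, SearchApp, services, dwm, WmiPrvSE) while living where the genuine one never does (C:\Users\Public, C:\Recovery\WindowsRE, C:\Windows\Web, C:\Windows\twain_32, invented Program Files subfolders). The script below is an added example, not part of the report or of any tool: it parses command lines in this form (six copied from the list above plus one constructed benign control) and scores each on three rules: a Windows process name outside System32, SysWOW64 or SystemApps, /rl HIGHEST, and a MINUTE cadence of 15 minutes or less. The process-name list and the 15-minute threshold are assumptions to tune.

```python
import re

# schtasks /create command lines in the form the process list above shows them.
# Constructed for this example: six are copied from the report, the last is a constructed
# benign control (hypothetical backup job, not from the report).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /f''',
    r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\System.exe'" /f''',
    r'''schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "'C:\Program Files\Acme\backup.exe'" /f''',
]

# Switch extraction by regex: shlex would eat the backslashes in the quoted paths.
TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
SC_RE = re.compile(r'/sc\s+(\w+)', re.I)
MO_RE = re.compile(r'/mo\s+(\d+)', re.I)
TR_RE = re.compile(r'/tr\s+"([^"]+)"', re.I)
RL_RE = re.compile(r'/rl\s+(\w+)', re.I)

# Image names of Windows components that malware likes to borrow (assumed list; extend as
# needed) and the only directories where the genuine ones live.
WINDOWS_PROCESS_NAMES = {"system", "dwm", "services", "runtimebroker", "wmiprvse", "searchapp",
                         "fontdrvhost", "svchost", "csrss", "lsass", "winlogon", "explorer",
                         "conhost", "sihost", "taskhostw", "spoolsv"}
GENUINE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\systemapps\\")
WATCHDOG_MAX_MINUTES = 15  # cadences at or below this look like a keep-alive, not a job


def parse_create(cmdline):
    """Task name, schedule, interval, run level and launched binary from one command line."""
    def first(rx, cast=str):
        m = rx.search(cmdline)
        return cast(m.group(1)) if m else None
    target = first(TR_RE)
    return {
        "task": first(TN_RE),
        "schedule": (first(SC_RE) or "").lower(),
        "interval": first(MO_RE, int),
        "runlevel": (first(RL_RE) or "").lower(),
        "target": target.strip("'\" ") if target else None,  # /tr value is wrapped in '...'
    }


def rules_for(task):
    hits = []
    target = (task["target"] or "").lower()
    image = target.rsplit("\\", 1)[-1]
    stem = image[:-4] if image.endswith(".exe") else image
    if stem in WINDOWS_PROCESS_NAMES and not target.startswith(GENUINE_DIRS):
        hits.append("masquerade")
    if task["runlevel"] == "highest":
        hits.append("elevated")
    if task["schedule"] == "minute" and task["interval"] is not None \
            and task["interval"] <= WATCHDOG_MAX_MINUTES:
        hits.append("watchdog")
    return hits


def triage_schtasks(cmdlines):
    """One dict per command line: parsed fields plus the list of rules it trips."""
    results = []
    for cmd in cmdlines:
        task = parse_create(cmd)
        task["rules"] = rules_for(task)
        results.append(task)
    return results


def persisted_binaries(results):
    """Distinct binaries behind the flagged tasks: the set to collect, hash and block."""
    return sorted({r["target"] for r in results if r["rules"]})


if __name__ == "__main__":
    results = triage_schtasks(SAMPLE_CMDLINES)
    for r in results:
        print(f'{r["task"]:14} {r["schedule"]:7} {r["runlevel"]:8} {",".join(r["rules"]) or "-":28} {r["target"]}')
    print("binaries:", persisted_binaries(results))
```

The same rules apply to an export of the live task library (schtasks /query /fo CSV /v or the Task Scheduler event log), where the task name and the action path are available without the command line; the short re-launch cadence is also why deleting the binary alone does not end the infection while the ONLOGON task and the HKLM UAC settings survive.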

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 a0998251.xsph.ru udp
RU 141.8.194.149:80 a0998251.xsph.ru tcp
RU 141.8.194.149:80 a0998251.xsph.ru tcp
US 8.8.8.8:53 149.194.8.141.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp

Files

C:\ReviewRuntimenet\21ZjY.vbe

MD5 09a35d6cb1e2ea076586988cdbcc940a
SHA1 7e062f07474330abdab5d77ad336bc0a3532ca89
SHA256 6d8ba67017098b244d617acea6d2e70b47db126ca14924b9a82703bae95a5c38
SHA512 2f3100f18b3aa18abdbead9e8955af0eebdf451ed0ec987306fcc73bda195933b8fe8c59be7a8f777192890260efb96edaf6b3c04ce56e3151c7a0c9ee960f7c

C:\ReviewRuntimenet\TQG4xYGlGcFKVrVpNsWy.bat

MD5 285b91a7a5b84ebdca3dc8f49a68638c
SHA1 61c9262f49da3afdf6310efd11108adb9b8283ff
SHA256 59ddfb2705077e864946fe450625206671a1faafc9e46704ca108b4196d24f99
SHA512 7ce8348ddb6571aaadcce2e8780d3032055a2bded51e9dd4a2eb1aa1f7f24ea9258322dae8c15223ed92b83681f2b5333b0e828239624b1e929771a4b670601d

C:\ReviewRuntimenet\ServerSaveshost.exe

MD5 88e250828f656440b29f7be2b67b5d44
SHA1 86c19cccc181827c99f8703f017ee2d22a1ffe1e
SHA256 67d4916350ff960cd46e98f0c1d00290b63eb8a6c94c3595e76245d4ae4706d0
SHA512 11c7da52c1a67af894608dad046cf85947f64e74ecaae20edbf3f748ee0a9b65d3a5a03ceb1a690016de883fa39a5fba384cb6d031a09a086e323367f7de3c1f

memory/4876-12-0x00007FFFB9DA3000-0x00007FFFB9DA5000-memory.dmp

memory/4876-13-0x0000000000CE0000-0x0000000000E94000-memory.dmp

memory/4876-14-0x00000000030C0000-0x00000000030DC000-memory.dmp

memory/4876-15-0x000000001BA10000-0x000000001BA60000-memory.dmp

memory/4876-16-0x00000000016C0000-0x00000000016C8000-memory.dmp

memory/4876-17-0x00000000030E0000-0x00000000030F0000-memory.dmp

memory/4876-18-0x00000000030F0000-0x0000000003106000-memory.dmp

memory/4876-19-0x0000000003110000-0x0000000003118000-memory.dmp

memory/4876-20-0x0000000003120000-0x000000000312A000-memory.dmp

memory/4876-21-0x000000001BA60000-0x000000001BA6C000-memory.dmp

memory/4876-22-0x000000001BA70000-0x000000001BA82000-memory.dmp

memory/4876-23-0x000000001C730000-0x000000001CC58000-memory.dmp

memory/4876-24-0x000000001BAA0000-0x000000001BAAC000-memory.dmp

memory/4876-25-0x000000001BAB0000-0x000000001BABC000-memory.dmp

memory/4876-26-0x000000001C450000-0x000000001C45A000-memory.dmp

memory/4876-29-0x000000001BBE0000-0x000000001BBEA000-memory.dmp

memory/4876-28-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

memory/4876-30-0x000000001C300000-0x000000001C30C000-memory.dmp

memory/4876-27-0x000000001C460000-0x000000001C46E000-memory.dmp

memory/1864-56-0x0000000002870000-0x0000000002882000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bc0473d2-6cca-4c25-8989-06bbf8b71137.vbs

MD5 35575a15c51e5c12fc337c149f834fb2
SHA1 e741545a864d8a99b02e248651dafdbe529a3dee
SHA256 858513d9c5e2ee0ef43986f67c757022180ae557d2e1a684b899dc8f1b52d126
SHA512 2a89c47eb21fc2114800e62beb23388d1d750e8e69dcdb96fe8a37d844dedf4d28a6f22750fae9f101a155a7d1daef8678084f875ae22efc91d6fb435ed2c1d0

C:\Users\Admin\AppData\Local\Temp\475384d0-59a6-448f-a3f4-f7e0cc3df93c.vbs

MD5 d4a421b84b238345a2c4ffc54255046c
SHA1 15d3ac77e9459b2fd2bfaa8437cff3cf4595ad0b
SHA256 d643000d9584ce97c67833a314ca28e25152cbe1728f326b95048d65a03e5dbd
SHA512 b2c0b412758217683ccfbf0e395911b58ff38601f89a32ca04bb09bd7915865ced92b4cd84de30fa0c6c2e55336e1a0bd5b267f3cdce15bd48ddf67cc678b73e