Malware Analysis Report

2024-10-10 13:06

Sample ID 240621-bgzzysycjn
Target DCRatBuild.exe
SHA256 d07d79bfaecfaad730b473aedbedd0b1c49b5361f74aab3a79c7a37c623527eb
Tags
rat dcrat evasion infostealer spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

d07d79bfaecfaad730b473aedbedd0b1c49b5361f74aab3a79c7a37c623527eb

Threat Level: Known bad

The file DCRatBuild.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer spyware stealer trojan

Dcrat family

Process spawned unexpected child process

DcRat

DCRat payload

UAC bypass

Disables Task Manager via registry modification

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

System policy modification

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies registry key

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-21 01:07

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A (static match on file content; no runtime indicator)

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A (static match; the sample carries no Authenticode signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 01:07

Reported

2024-06-21 01:18

Platform

win7-20240611-en

Max time kernel

600s

Max time network

600s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (12 identical events, one per schtasks.exe /create in the process list below)

WmiPrvSE.exe is the parent you see when a process is started through WMI (Win32_Process.Create), so the task registrations are proxied through WMI rather than spawned directly by BrokerSvc.exe; a detection keyed on a BrokerSvc.exe -> schtasks.exe parent/child relationship would miss them.

UAC bypass

evasion trojan
Both C:\PortFontMonitornetcommon\BrokerSvc.exe and C:\Windows\es-ES\explorer.exe set these values (int) under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (HKLM):
EnableLUA = "0"
ConsentPromptBehaviorAdmin = "0"
PromptOnSecureDesktop = "0"

Writing under this key already requires an administrator token, so these rows record what the sample does once it is elevated rather than the elevation itself: ConsentPromptBehaviorAdmin=0 removes the consent prompt for every later elevation immediately, PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop, and EnableLUA=0 switches UAC off entirely after the next reboot.

DCRat payload

rat
Description Indicator Process Target
N/A (6 matches; no indicator details recorded)

Disables Task Manager via registry modification

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A (2 events; the DLL path is not recorded)

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\es-ES\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\es-ES\explorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\System32\perfmon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\Icons\cmd.exe C:\PortFontMonitornetcommon\BrokerSvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\debug\886983d96e3d3e C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
File created C:\Windows\es-ES\explorer.exe C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
File created C:\Windows\es-ES\7a0fd90576e088 C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
File created C:\Windows\CSC\v2.0.6\lsm.exe C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
File created C:\Windows\debug\csrss.exe C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
File opened for modification C:\Windows\debug\csrss.exe C:\PortFontMonitornetcommon\BrokerSvc.exe N/A

The dropped names (csrss.exe, lsm.exe, explorer.exe) are genuine Windows binary names, but the real copies live in C:\Windows\System32 (explorer.exe in C:\Windows), never in the debug, CSC or es-ES subdirectories; each copy is written next to a 14-hex-character companion file (886983d96e3d3e, 7a0fd90576e088) in the same directory.

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\perfmon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\perfmon.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Process (event count; description and indicator are N/A for every event)
C:\PortFontMonitornetcommon\BrokerSvc.exe (7)
C:\Windows\es-ES\explorer.exe (57)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\System32\perfmon.exe N/A
N/A N/A C:\Windows\es-ES\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\es-ES\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\perfmon.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\perfmon.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\perfmon.exe N/A
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\perfmon.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\perfmon.exe N/A
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe N/A

The perfmon.exe and AUDIODG.EXE rows are routine privilege use by those Windows components; the rows that matter are the SeDebugPrivilege enables by the four payload copies (BrokerSvc.exe, es-ES\explorer.exe, the services.exe copy under C:\Recovery and the csrss.exe copy under C:\MSOCache).

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 2720 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2720 wrote to memory of 2716 (4 events) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2700 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\PortFontMonitornetcommon\BrokerSvc.exe
PID 2716 wrote to memory of 2568 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 796 (3 events) N/A C:\PortFontMonitornetcommon\BrokerSvc.exe C:\Windows\es-ES\explorer.exe
PID 1616 wrote to memory of 2396 (3 events) N/A C:\Windows\system32\resmon.exe C:\Windows\System32\perfmon.exe
PID 2820 wrote to memory of 2392 (3 events) N/A C:\Windows\system32\taskeng.exe C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe
PID 2820 wrote to memory of 2600 (3 events) N/A C:\Windows\system32\taskeng.exe C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe

Every row is a parent writing into a child it has just created, which CreateProcess does during normal start-up, so this table is a spawn log rather than evidence of injection into a foreign process. The two taskeng.exe rows show the scheduled tasks firing and launching the services.exe and csrss.exe copies.
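An added example (not code from the report or from the sandbox vendor) that rebuilds the process tree from rows of the form "PID A wrote to memory of B". The input rows are copied from this table with the repeats removed; the regex, the helper names and the taskeng.exe heuristic are mine.

```python
"""Rebuild the spawn chain from the WriteProcessMemory rows of this report.

Added example, not code from the report or from the sandbox vendor. A parent
writing into a child it has just created is part of normal CreateProcess
behaviour, so rows of the form 'PID A wrote to memory of B' double as a
parent/child log. The rows below are copied from the behavioral1 table with
the repeated entries removed.
"""
import re
from collections import defaultdict

# Constructed input: the unique rows of the "Suspicious use of WriteProcessMemory" table.
ROWS = [
    r"PID 2936 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 2720 wrote to memory of 2716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2716 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\PortFontMonitornetcommon\BrokerSvc.exe",
    r"PID 2700 wrote to memory of 796 N/A C:\PortFontMonitornetcommon\BrokerSvc.exe C:\Windows\es-ES\explorer.exe",
    r"PID 2716 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe",
    r"PID 1616 wrote to memory of 2396 N/A C:\Windows\system32\resmon.exe C:\Windows\System32\perfmon.exe",
    r"PID 2820 wrote to memory of 2392 N/A C:\Windows\system32\taskeng.exe C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe",
    r"PID 2820 wrote to memory of 2600 N/A C:\Windows\system32\taskeng.exe C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe",
]

# Parent and child are both absolute Windows paths; the parent is matched lazily so a
# child path containing spaces (the MSOCache row) still splits at the right place.
ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A "
    r"(?P<parent>[A-Za-z]:\\.*?) (?P<child>[A-Za-z]:\\.*)$"
)


def parse_rows(rows):
    """Return {pid: (ppid, image)}; processes never seen as a child get ppid None."""
    procs = {}
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unparsed row: {row}")
        pid, ppid = int(m["pid"]), int(m["ppid"])
        procs[pid] = (ppid, m["child"])
        procs.setdefault(ppid, (None, m["parent"]))
    return procs


def ancestry(procs, pid):
    """Image paths from the root of the chain down to pid."""
    chain = []
    while pid is not None:
        ppid, image = procs[pid]
        chain.append(image)
        pid = ppid
    return chain[::-1]


def launched_by_task_scheduler(procs):
    """Images whose parent is taskeng.exe, i.e. the scheduled tasks that actually fired."""
    return sorted(
        image for ppid, image in procs.values()
        if ppid is not None and procs[ppid][1].lower().endswith("\\taskeng.exe")
    )


def render_tree(procs):
    """Indented text tree, one line per process, roots first."""
    children = defaultdict(list)
    for pid, (ppid, _) in procs.items():
        children[ppid].append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {procs[pid][1]}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(children[None]):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    tree = parse_rows(ROWS)
    print("\n".join(render_tree(tree)))
    print("started by Task Scheduler:", launched_by_task_scheduler(tree))
```

Three roots fall out: DCRatBuild.exe (the submitted sample), resmon.exe (a sandbox-side Windows tool) and taskeng.exe (the Windows 7 task engine), and the taskeng.exe subtree is the confirmation that the persistence registered with schtasks.exe actually ran during the detonation.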

System policy modification

evasion
The same six writes listed under UAC bypass, from C:\PortFontMonitornetcommon\BrokerSvc.exe and C:\Windows\es-ES\explorer.exe, under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
EnableLUA = "0"
ConsentPromptBehaviorAdmin = "0"
PromptOnSecureDesktop = "0"
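The three UAC values and the DisableTaskMgr write from the reg.exe command line are easy to misjudge from raw rows, so here is an added example (not the report's or the sandbox vendor's code) that parses both row formats, normalises the NT registry path to HKLM/HKCU notation, and scores each write against assumed stock Windows defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1, DisableTaskMgr=0). The event list is copied from the tables in this section; the regexes and baseline table are mine.

```python
"""Score the registry policy writes in this report against Windows defaults.

Added example; not code from the report or from the sandbox vendor. The events
below are (process, event text) pairs copied from the behavioral1 tables and
the reg.exe command line; the baseline values are assumed stock Windows 7/10
defaults, and the two regexes are tailored to this report's row formats.
"""
import re

# Constructed input copied from the report: the writing process and the event text.
EVENTS = [
    (r"C:\PortFontMonitornetcommon\BrokerSvc.exe",
     r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"'),
    (r"C:\PortFontMonitornetcommon\BrokerSvc.exe",
     r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"'),
    (r"C:\PortFontMonitornetcommon\BrokerSvc.exe",
     r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"'),
    (r"C:\Windows\es-ES\explorer.exe",
     r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"'),
    (r"C:\Windows\es-ES\explorer.exe",
     r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"'),
    (r"C:\Windows\es-ES\explorer.exe",
     r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"'),
    (r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
]

# The policy subkey is the same under HKLM (machine UAC policy) and HKCU (per-user restrictions).
POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (hive it belongs to, assumed stock default, what the non-default value does)
BASELINE = {
    "EnableLUA": ("HKLM", 1, "UAC switched off entirely (effective after the next reboot)"),
    "ConsentPromptBehaviorAdmin": ("HKLM", 5, "administrators elevate silently, no consent prompt"),
    "PromptOnSecureDesktop": ("HKLM", 1, "any prompt is drawn on the user desktop instead of the secure desktop"),
    "DisableTaskMgr": ("HKCU", 0, "Task Manager blocked for this user (per-user policy, no admin rights needed)"),
}

# NT kernel path prefixes as the sandbox logs them, plus the Win32 spellings reg.exe accepts.
HIVES = {
    r"\REGISTRY\MACHINE": "HKLM", "HKLM": "HKLM", "HKEY_LOCAL_MACHINE": "HKLM",
    "HKCU": "HKCU", "HKEY_CURRENT_USER": "HKCU",
}

# Sandbox row:   Set value (int) <NT key path>\<value name> = "<int>"
SET_RE = re.compile(r'^Set value \(int\) (?P<key>\S+)\\(?P<name>\w+) = "(?P<val>-?\d+)"$')
# reg.exe line:  reg add <key> /v <name> /t REG_DWORD /d <int> ...
REG_ADD_RE = re.compile(r"^reg add (?P<key>\S+) /v (?P<name>\S+) /t REG_DWORD /d (?P<val>\d+)", re.I)


def split_key(key):
    """Return (hive, subkey) for an NT-style or Win32-style key path."""
    for prefix, hive in HIVES.items():
        if key.upper().startswith(prefix.upper() + "\\"):
            return hive, key[len(prefix) + 1:]
    return None, key


def parse_event(text):
    """Return (hive, subkey, value name, int value), or None if the text is not a DWORD write."""
    m = SET_RE.match(text) or REG_ADD_RE.match(text)
    if m is None:
        return None
    hive, subkey = split_key(m["key"])
    return hive, subkey, m["name"], int(m["val"])


def assess_policy(events):
    """Map each process to the policy values it pushed away from the baseline."""
    findings = {}
    for proc, text in events:
        parsed = parse_event(text)
        if parsed is None:
            continue
        hive, subkey, name, val = parsed
        if name not in BASELINE or subkey.lower() != POLICY_SUBKEY.lower():
            continue
        expected_hive, default, effect = BASELINE[name]
        if hive == expected_hive and val != default:
            findings.setdefault(proc, []).append(f"{name}={val} (default {default}): {effect}")
    return findings


def uac_effectively_disabled(proc_findings):
    """True once a process has both turned UAC off and removed the admin consent prompt."""
    touched = {f.split("=", 1)[0] for f in proc_findings}
    return {"EnableLUA", "ConsentPromptBehaviorAdmin"} <= touched


if __name__ == "__main__":
    for proc, items in assess_policy(EVENTS).items():
        print(proc, "(UAC effectively disabled)" if uac_effectively_disabled(items) else "")
        for item in items:
            print("   ", item)
```

The hive check matters: DisableTaskMgr lives under HKCU and can be set by any user, whereas the three UAC values are only meaningful under HKLM, so a detection that matches on value name alone will both miss the per-user case and over-fire on HKCU copies of the UAC names.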

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\PortFontMonitornetcommon\l8BmlyiJVw1zyyh.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\PortFontMonitornetcommon\WdaIp4pfENVLh3Iemy6UjaXhu.bat" "

C:\PortFontMonitornetcommon\BrokerSvc.exe

"C:\PortFontMonitornetcommon\BrokerSvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\debug\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /rl HIGHEST /f

C:\Windows\es-ES\explorer.exe

"C:\Windows\es-ES\explorer.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\resmon.exe

"C:\Windows\system32\resmon.exe"

C:\Windows\System32\perfmon.exe

"C:\Windows\System32\perfmon.exe" /res

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x594

C:\Windows\system32\taskeng.exe

taskeng.exe {E2411835-5D54-4D74-9591-D65514FE3259} S-1-5-21-2812790648-3157963462-487717889-1000:JAFTUVRJ\Admin:Interactive:[1]

C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe

C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe"

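The schtasks.exe lines above are the persistence mechanism, and every one of them follows the same pattern: a system binary name in the wrong directory, an ONLOGON task at /rl HIGHEST, and a MINUTE task that restarts the copy if it is killed, with task names that are the binary name plus a stray letter ("csrssc", "explorere", "servicess"). The following is an added example, not code from the report or the sandbox vendor, that parses such command lines and flags those patterns; the expected-directory table is an assumption based on a stock Windows install and also covers the names dropped in the Windows 10 run (conhost.exe, taskhostw.exe), and the one benign line is constructed as a negative case.

```python
"""Flag schtasks.exe registrations that masquerade as Windows system binaries.

Added example, not code from the report or from the sandbox vendor. The
command lines below are copied from the behavioral1 process list (plus one
constructed benign line as a negative case); the table of where each genuine
binary lives is an assumption based on a stock Windows 7/10 install.
"""
import re
from pathlib import PureWindowsPath

# Constructed input: four schtasks.exe command lines from this report and one benign control.
SCHTASKS_LINES = [
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\debug\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\explorer.exe'" /f''',
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "'C:\Program Files\Backup\backup.exe'" /f''',  # constructed, benign
]

# Where the genuine binary of each name lives (assumption: default install locations).
EXPECTED_DIR = {
    "csrss.exe": r"C:\Windows\System32",
    "services.exe": r"C:\Windows\System32",
    "lsm.exe": r"C:\Windows\System32",
    "conhost.exe": r"C:\Windows\System32",
    "taskhostw.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}

# Captures the switches that matter for persistence; quoted values may contain spaces.
SWITCH_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.I)


def parse_schtasks(line):
    """Return the /tn /sc /mo /tr /rl switches with the outer double quotes and the
    inner single quotes (which DCRat wraps around the /tr path) stripped."""
    return {k.lower(): v.strip('"').strip("'") for k, v in SWITCH_RE.findall(line)}


def assess_task(line):
    """Return the task, its target binary and a list of findings (empty if nothing is suspicious)."""
    opts = parse_schtasks(line)
    target = PureWindowsPath(opts.get("tr", ""))
    name = target.name.lower()
    findings = []

    expected = EXPECTED_DIR.get(name)
    if expected and str(target.parent).lower() != expected.lower():
        findings.append(f"{name} masquerade: runs from {target.parent}, genuine copy lives in {expected}")

    schedule, level = opts.get("sc", "").upper(), opts.get("rl", "").upper()
    if schedule == "ONLOGON" and level == "HIGHEST":
        findings.append("runs elevated at every logon (/sc ONLOGON /rl HIGHEST)")
    if schedule == "MINUTE" and int(opts.get("mo", "1")) <= 15:
        findings.append(f"re-launched every {opts.get('mo', '1')} minutes (self-healing persistence)")

    task, stem = opts.get("tn", ""), target.stem.lower()
    if stem and task.lower() != stem and task.lower().startswith(stem):
        findings.append(f"task name {task!r} is the binary name plus a suffix")

    return {"task": task, "binary": str(target), "findings": findings}


def triage(lines):
    """Assess every line and keep only the suspicious ones."""
    return [result for result in map(assess_task, lines) if result["findings"]]


if __name__ == "__main__":
    for result in triage(SCHTASKS_LINES):
        print(result["task"], "->", result["binary"])
        for finding in result["findings"]:
            print("   ", finding)
```

The same checks apply to the task XML under C:\Windows\System32\Tasks on a live host, where the <Command> element carries the path and <RunLevel>HighestAvailable</RunLevel> corresponds to /rl HIGHEST.
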
Network

Country Destination Domain Proto
US 8.8.8.8:53 a0990484.xsph.ru udp
RU 141.8.192.103:80 a0990484.xsph.ru tcp (4 connections)
US 8.8.8.8:53 1.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 103.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 252.0.0.224.in-addr.arpa udp
US 8.8.8.8:53 3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
US 8.8.8.8:53 255.255.127.10.in-addr.arpa udp

The only non-DNS destination is 141.8.192.103:80 (a0990484.xsph.ru), reached four times over TCP port 80 during the run. The remaining rows are reverse (PTR) lookups, one for 141.8.192.103 itself and the rest for sandbox-local and link-local multicast addresses (10.127.0.1, 10.127.255.255, 224.0.0.252, ff02::1:2, ff02::1:3), which are typical Windows background name resolution rather than anything the sample requested.

Files

C:\PortFontMonitornetcommon\l8BmlyiJVw1zyyh.vbe

MD5 e2723c4480fd7a7a5d8c46cb7bd7010e
SHA1 8ece7fa1a4cc39d5d439c13c8670c416ce4da987
SHA256 8064029eab99ac1caed8414e03b5e7c981de56a6fcb7bdce3aa3b3438f430a2b
SHA512 8ad0e2d16feaf91c9fc016b048721819d0b0ee5b4802371e5317b1b27ff7368fddd8ad6179de024c478d61fba3273727a3d94a59faef36a3b1cd2cdab32f6c51

C:\PortFontMonitornetcommon\WdaIp4pfENVLh3Iemy6UjaXhu.bat

MD5 e09688b8cdb47414e341937de481c43d
SHA1 e799a6166c872f085d62a5ea580b0798be36835d
SHA256 949721b3bf385d01afc6b13e3c3ad7f37d87d29c49f243e2d59d4152925ee31b
SHA512 c6a2aa753e0feaf0549cd22ace526a81c219b1b5513bb8a83154d6adeeb3db0536a4c0f0a9cb14373934ce400f8ed4681046e53bd175da5be10c0b7548690017

C:\PortFontMonitornetcommon\BrokerSvc.exe

MD5 fc27116ce1b57a71d7d201e9aae86b01
SHA1 ff047b7c918d9ff388b5c4928bfad5dcc818f1d4
SHA256 121d462ca9f33798e076d069ec6b84c5ae0573bbaac8df8dd78efbb7041bd30b
SHA512 25747516de2d99e6193fc920435ececf1b7ddb8990487d26d03cf6179b7dab0f5172c0dfa5d4db4a29028c00c12a9fb266bc14d6920e864d6a3934af7748618b

memory/2700-13-0x0000000000CE0000-0x0000000000F5A000-memory.dmp

memory/2700-14-0x00000000001C0000-0x00000000001CE000-memory.dmp

memory/2700-15-0x00000000001D0000-0x00000000001EC000-memory.dmp

memory/2700-16-0x0000000000460000-0x0000000000468000-memory.dmp

memory/2700-17-0x0000000000480000-0x000000000048A000-memory.dmp

memory/2700-18-0x0000000000490000-0x00000000004E6000-memory.dmp

memory/2700-19-0x00000000004E0000-0x00000000004EC000-memory.dmp

memory/2700-20-0x00000000004F0000-0x00000000004F8000-memory.dmp

memory/2700-21-0x0000000000510000-0x000000000051C000-memory.dmp

memory/2700-22-0x0000000000520000-0x000000000052C000-memory.dmp

memory/2700-23-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

memory/2700-24-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

memory/2700-25-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

memory/2700-26-0x0000000000B00000-0x0000000000B0C000-memory.dmp

memory/796-41-0x0000000000E90000-0x000000000110A000-memory.dmp

memory/2396-65-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2396-66-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2396-67-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2392-71-0x0000000000200000-0x000000000047A000-memory.dmp

memory/2600-74-0x0000000000970000-0x0000000000BEA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 01:07

Reported

2024-06-21 01:18

Platform

win10v2004-20240611-en

Max time kernel

600s

Max time network

598s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (15 identical events; as in behavioral1, task registration is routed through WMI)

UAC bypass

evasion trojan
Both C:\PortFontMonitornetcommon\BrokerSvc.exe and C:\PortFontMonitornetcommon\backgroundTaskHost.exe set these values (int) under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
EnableLUA = "0"
ConsentPromptBehaviorAdmin = "0"
PromptOnSecureDesktop = "0"

DCRat payload

rat
Description Indicator Process Target
N/A (2 matches; no indicator details recorded)

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\PortFontMonitornetcommon\BrokerSvc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\PortFontMonitornetcommon\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\PortFontMonitornetcommon\backgroundTaskHost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\e1ef82546f0b02 C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ea9f0e6c9e2dcd C:\PortFontMonitornetcommon\BrokerSvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Sun\Java\Deployment\conhost.exe C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
File created C:\Windows\Sun\Java\Deployment\088424020bedd6 C:\PortFontMonitornetcommon\BrokerSvc.exe N/A

The Windows 10 run picks different drop locations but follows the same pattern as the Windows 7 run: system binary names (SppExtComObj.exe, taskhostw.exe and conhost.exe all normally live in C:\Windows\System32) written to unrelated directories, each next to a 14-hex-character companion file.

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\PortFontMonitornetcommon\BrokerSvc.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Process (event count; description and indicator are N/A for every event)
C:\PortFontMonitornetcommon\BrokerSvc.exe (5)
C:\PortFontMonitornetcommon\backgroundTaskHost.exe (59)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\PortFontMonitornetcommon\backgroundTaskHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
Token: SeDebugPrivilege N/A C:\PortFontMonitornetcommon\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Sun\Java\Deployment\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 624 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 624 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 4984 wrote to memory of 4656 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 4656 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 4656 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4656 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\PortFontMonitornetcommon\BrokerSvc.exe
PID 4656 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\PortFontMonitornetcommon\BrokerSvc.exe
PID 840 wrote to memory of 4408 N/A C:\PortFontMonitornetcommon\BrokerSvc.exe C:\Windows\System32\cmd.exe
PID 840 wrote to memory of 4408 N/A C:\PortFontMonitornetcommon\BrokerSvc.exe C:\Windows\System32\cmd.exe
PID 4656 wrote to memory of 3320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4656 wrote to memory of 3320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4656 wrote to memory of 3320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4408 wrote to memory of 3516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4408 wrote to memory of 3516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4408 wrote to memory of 1848 N/A C:\Windows\System32\cmd.exe C:\PortFontMonitornetcommon\backgroundTaskHost.exe
PID 4408 wrote to memory of 1848 N/A C:\Windows\System32\cmd.exe C:\PortFontMonitornetcommon\backgroundTaskHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\PortFontMonitornetcommon\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\PortFontMonitornetcommon\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\PortFontMonitornetcommon\BrokerSvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\PortFontMonitornetcommon\backgroundTaskHost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\PortFontMonitornetcommon\l8BmlyiJVw1zyyh.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\PortFontMonitornetcommon\WdaIp4pfENVLh3Iemy6UjaXhu.bat" "

C:\PortFontMonitornetcommon\BrokerSvc.exe

"C:\PortFontMonitornetcommon\BrokerSvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\Java\Deployment\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\PortFontMonitornetcommon\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\PortFontMonitornetcommon\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\PortFontMonitornetcommon\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Videos\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w3ky7Mcri9.bat"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\PortFontMonitornetcommon\backgroundTaskHost.exe

"C:\PortFontMonitornetcommon\backgroundTaskHost.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\Sun\Java\Deployment\conhost.exe

C:\Windows\Sun\Java\Deployment\conhost.exe

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 a0990484.xsph.ru udp
RU 141.8.192.103:80 a0990484.xsph.ru tcp
RU 141.8.192.103:80 a0990484.xsph.ru tcp
US 8.8.8.8:53 103.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
RU 141.8.192.103:80 a0990484.xsph.ru tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
RU 141.8.192.103:80 a0990484.xsph.ru tcp

Files

C:\PortFontMonitornetcommon\l8BmlyiJVw1zyyh.vbe

MD5 e2723c4480fd7a7a5d8c46cb7bd7010e
SHA1 8ece7fa1a4cc39d5d439c13c8670c416ce4da987
SHA256 8064029eab99ac1caed8414e03b5e7c981de56a6fcb7bdce3aa3b3438f430a2b
SHA512 8ad0e2d16feaf91c9fc016b048721819d0b0ee5b4802371e5317b1b27ff7368fddd8ad6179de024c478d61fba3273727a3d94a59faef36a3b1cd2cdab32f6c51

C:\PortFontMonitornetcommon\WdaIp4pfENVLh3Iemy6UjaXhu.bat

MD5 e09688b8cdb47414e341937de481c43d
SHA1 e799a6166c872f085d62a5ea580b0798be36835d
SHA256 949721b3bf385d01afc6b13e3c3ad7f37d87d29c49f243e2d59d4152925ee31b
SHA512 c6a2aa753e0feaf0549cd22ace526a81c219b1b5513bb8a83154d6adeeb3db0536a4c0f0a9cb14373934ce400f8ed4681046e53bd175da5be10c0b7548690017

C:\PortFontMonitornetcommon\BrokerSvc.exe

MD5 fc27116ce1b57a71d7d201e9aae86b01
SHA1 ff047b7c918d9ff388b5c4928bfad5dcc818f1d4
SHA256 121d462ca9f33798e076d069ec6b84c5ae0573bbaac8df8dd78efbb7041bd30b
SHA512 25747516de2d99e6193fc920435ececf1b7ddb8990487d26d03cf6179b7dab0f5172c0dfa5d4db4a29028c00c12a9fb266bc14d6920e864d6a3934af7748618b

memory/840-12-0x00007FF8D8EC3000-0x00007FF8D8EC5000-memory.dmp

memory/840-13-0x0000000000920000-0x0000000000B9A000-memory.dmp

memory/840-14-0x000000001B7A0000-0x000000001B7AE000-memory.dmp

memory/840-15-0x000000001B7B0000-0x000000001B7CC000-memory.dmp

memory/840-16-0x000000001BD30000-0x000000001BD80000-memory.dmp

memory/840-18-0x000000001BCF0000-0x000000001BCFA000-memory.dmp

memory/840-17-0x000000001BCE0000-0x000000001BCE8000-memory.dmp

memory/840-19-0x000000001BD80000-0x000000001BDD6000-memory.dmp

memory/840-20-0x000000001BD00000-0x000000001BD0C000-memory.dmp

memory/840-21-0x000000001BD10000-0x000000001BD18000-memory.dmp

memory/840-22-0x000000001BD20000-0x000000001BD2C000-memory.dmp

memory/840-23-0x000000001BDD0000-0x000000001BDDC000-memory.dmp

memory/840-24-0x000000001C150000-0x000000001C15C000-memory.dmp

memory/840-25-0x000000001BFE0000-0x000000001BFEE000-memory.dmp

memory/840-26-0x000000001BFF0000-0x000000001BFFC000-memory.dmp

memory/840-27-0x000000001C000000-0x000000001C00C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\w3ky7Mcri9.bat

MD5 0971871ced868145f38160c1a5df6519
SHA1 981499b94a98f506f36c773209c64c1dbbc5728b
SHA256 6dea0dd9907223d82c52957047978c15fa5df167aafccd0b9c057fd2043e3b5a
SHA512 6f9db2696a197ee0d0d046ece1d469a4ba8c760db9cd781d1e2bc3ae88c6021423cc2b060d985e7273cb515dba0006582f1f9ded591b8633f51f182682dc0d9c

memory/1848-47-0x000000001C200000-0x000000001C256000-memory.dmp

memory/1848-48-0x000000001D370000-0x000000001D532000-memory.dmp