Malware Analysis Report

2024-11-13 13:46

Sample ID 240717-de1vkssgqp
Target cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe
SHA256 cdb363f810ebeea6e40abc725c14e9bf78a3014559ec32903c15fd7576fcac20
Tags
rat dcrat execution infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cdb363f810ebeea6e40abc725c14e9bf78a3014559ec32903c15fd7576fcac20

Threat Level: Known bad

The file cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat execution infostealer persistence

Process spawned unexpected child process

DCRat payload

Modifies WinLogon for persistence

Dcrat family

DcRat

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-17 02:56

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-17 02:56

Reported

2024-07-17 02:58

Platform

win7-20240705-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\", \"C:\\Users\\Public\\Desktop\\services.exe\", \"C:\\Windows\\assembly\\GAC_32\\System.Printing\\3.0.0.0__31bf3856ad364e35\\wininit.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\reviewcommon.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\", \"C:\\Users\\Public\\Desktop\\services.exe\", \"C:\\Windows\\assembly\\GAC_32\\System.Printing\\3.0.0.0__31bf3856ad364e35\\wininit.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\reviewcommon.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\dllhost.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\", \"C:\\Users\\Public\\Desktop\\services.exe\", \"C:\\Windows\\assembly\\GAC_32\\System.Printing\\3.0.0.0__31bf3856ad364e35\\wininit.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\reviewcommon.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\Idle.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\", \"C:\\Users\\Public\\Desktop\\services.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\", \"C:\\Users\\Public\\Desktop\\services.exe\", \"C:\\Windows\\assembly\\GAC_32\\System.Printing\\3.0.0.0__31bf3856ad364e35\\wininit.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (18 events) N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Surrogatewebref\reviewcommon.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\Desktop\\services.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\Desktop\\services.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\assembly\\GAC_32\\System.Printing\\3.0.0.0__31bf3856ad364e35\\wininit.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\reviewcommon = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\reviewcommon.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\Idle.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\assembly\\GAC_32\\System.Printing\\3.0.0.0__31bf3856ad364e35\\wininit.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewcommon = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\reviewcommon.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\dllhost.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\dllhost.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\Idle.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\db\05a592a64ec401 C:\Surrogatewebref\reviewcommon.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Idle.exe C:\Surrogatewebref\reviewcommon.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\6ccacd8608530f C:\Surrogatewebref\reviewcommon.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe C:\Surrogatewebref\reviewcommon.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe C:\Surrogatewebref\reviewcommon.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\7a0fd90576e088 C:\Surrogatewebref\reviewcommon.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\reviewcommon.exe C:\Surrogatewebref\reviewcommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe C:\Surrogatewebref\reviewcommon.exe N/A
File created C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\56085415360792 C:\Surrogatewebref\reviewcommon.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Surrogatewebref\reviewcommon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3004 wrote to memory of 2564 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe C:\Windows\SysWOW64\WScript.exe
PID 3004 wrote to memory of 2668 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe C:\Windows\SysWOW64\WScript.exe
PID 2564 wrote to memory of 2748 (4 events) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2872 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Surrogatewebref\reviewcommon.exe
PID 2872 wrote to memory of 2168 (3 events) N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 1984 (3 events) N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2184 (3 events) N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2088 (3 events) N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2340 (3 events) N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2300 (3 events) N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2908 (3 events) N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2248 (3 events) N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe

"C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Surrogatewebref\0OThNUtq.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Surrogatewebref\file.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Surrogatewebref\W7CNC.bat" "

C:\Surrogatewebref\reviewcommon.exe

"C:\Surrogatewebref\reviewcommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewcommonr" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\reviewcommon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewcommon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\reviewcommon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewcommonr" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\reviewcommon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogatewebref\reviewcommon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\db\reviewcommon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Idle.exe'

C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe

"C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe"
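
The Winlogon Shell entries, Run keys, schtasks jobs and Add-MpPreference exclusions above all point at the same handful of dropped binaries, each named after a genuine Windows executable but placed in an unrelated directory. Every schtasks.exe here is also parented by WmiPrvSE.exe, which is what process creation through WMI's Win32_Process.Create looks like in telemetry, so a rule on that parent/child pair catches the task creation on its own. The Python below is an added example, not part of this report or of any DCRat tooling: it parses lines in the exact format the report uses and groups them by the binary they persist, appending a flag when a copy borrows a system binary's name outside that binary's real directory. The sample rows are copied from the behavioral1 section; the function names, mechanism labels and the SYSTEM_BINARIES table are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the behavioral1 section of this report,
# plus one unrelated command line to show that unknown line types are ignored.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\", \"C:\\Users\\Public\\Desktop\\services.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\Desktop\\services.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\services.exe'" /f''',
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:\\Users\\Public\\Desktop\\services.exe\'',
    r'"C:\Surrogatewebref\reviewcommon.exe"',
]

# Report row layout: Set value (str) <key> = "<escaped value>" <process> <target>
REG_ROW = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+) (?P<target>\S+)$'
)
SCHTASKS_OPTS = {
    "tn": re.compile(r'/tn\s+"([^"]+)"'),
    "sc": re.compile(r"/sc\s+(\S+)"),
    "mo": re.compile(r"/mo\s+(\d+)"),
    "tr": re.compile(r'''/tr\s+"'?([^"']+)'?"'''),  # the report wraps /tr paths as "'path'"
    "rl": re.compile(r"/rl\s+(\S+)"),
}
MP_EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'")

# Genuine Windows binaries whose names the sample reuses, and the directory each
# really lives in (assumption of this example: 64-bit copies only, SysWOW64 ignored).
SYSTEM_BINARIES = {
    "explorer.exe": r"c:\windows",
    "services.exe": r"c:\windows\system32",
    "wininit.exe": r"c:\windows\system32",
    "dllhost.exe": r"c:\windows\system32",
    "sihost.exe": r"c:\windows\system32",
    "fontdrvhost.exe": r"c:\windows\system32",
}

def unescape(value):
    """Undo the backslash escaping the report applies to quotes and backslashes."""
    return re.sub(r'\\(["\\])', r"\1", value)

def split_entries(value):
    """Split a registry string such as the comma-separated Shell value into its paths."""
    parts = re.findall(r'"([^"]*)"|([^",\s][^",]*)', value)
    return [(q or u).strip() for q, u in parts if (q or u).strip()]

def parse_schtasks(cmd):
    """Return the /tn /sc /mo /tr /rl arguments of a schtasks /create line, else None."""
    if not re.match(r"\s*schtasks(\.exe)?\s+/create\b", cmd, re.I):
        return None
    return {name: (m.group(1) if (m := rx.search(cmd)) else None)
            for name, rx in SCHTASKS_OPTS.items()}

def correlate(lines):
    """Map each persisted binary (lower-cased path) to the set of mechanisms guarding it."""
    found = defaultdict(set)
    for line in lines:
        if m := REG_ROW.match(line):
            key, value = m["key"], unescape(m["value"])
            hive = "HKLM" if key.upper().startswith(r"\REGISTRY\MACHINE") else "HKU"
            if key.lower().endswith(r"\winlogon\shell"):
                # Only explorer.exe belongs in Shell; every extra entry is a persistence hook.
                for entry in split_entries(value):
                    if entry.lower() != "explorer.exe":
                        found[entry.lower()].add("winlogon_shell")
            elif re.search(r"\\currentversion\\run\\[^\\]+$", key, re.I):
                for entry in split_entries(value):
                    found[entry.lower()].add(f"run_key:{hive}")
        elif (task := parse_schtasks(line)) and task["tr"]:
            label = f"schtasks:{task['sc']}"
            label += f"/{task['mo']}" if task["mo"] else ""
            label += f"/{task['rl']}" if task["rl"] else ""
            found[task["tr"].lower()].add(label)
        elif m := MP_EXCLUSION.search(line):
            found[m.group(1).lower()].add("defender_exclusion")
    return dict(found)

def masquerades(path):
    """True when the file name is a well-known system binary but the directory is not its home."""
    directory, _, name = path.lower().rpartition("\\")
    home = SYSTEM_BINARIES.get(name)
    return home is not None and directory != home

def report(lines):
    """One (path, sorted flags) row per persisted binary, masquerade flag appended last."""
    rows = []
    for path, mechanisms in sorted(correlate(lines).items()):
        flags = sorted(mechanisms)
        if masquerades(path):
            flags.append("masquerades_as_system_binary")
        rows.append((path, flags))
    return rows

if __name__ == "__main__":
    for path, flags in report(SAMPLE_LINES):
        print(path, "->", ", ".join(flags))
```

Run as-is it prints the two binaries the sample rows share; feed it the full Signatures and Processes sections of either detonation, one row per line, to recover every copy that run dropped together with the mechanisms that protect it. The correlation is the useful part: a path that appears in Winlogon Shell, in a Run key, in a scheduled task and in a Defender exclusion is a far stronger finding than any one of those rows alone.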

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0999665.xsph.ru udp
RU 141.8.192.103:80 a0999665.xsph.ru tcp
RU 141.8.192.103:80 a0999665.xsph.ru tcp

Files

C:\Surrogatewebref\0OThNUtq.vbe

MD5 013e4068fecbf70a6305a10f4baac7d0
SHA1 113ac6511cb6965dc872d284552ea129e1e41973
SHA256 f087215bae0916b3575743a62c0d6722e6e78623f8046a53f8914661b3c6a10e
SHA512 f50fb4b24aa8846c94fba07e07b0f5e71b7c67b9843c34951eb4b4fbb7de8309d1441c16359621402659b3c4a406dccc93ea79056030f63adf8a359934cd3940

C:\Surrogatewebref\file.vbs

MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\Surrogatewebref\W7CNC.bat

MD5 b0d15fb085639d7d63a9556af4bdfced
SHA1 8a5498b0d47fbeae2c9452ceb8f413f4b1d3ac0b
SHA256 2e7b9e10897a9224a935716fbefe4c362d8a09ef9176a8ed794741e7418521b5
SHA512 d88ab6f23c8e08dd82443239451b84de849a967d08d20b84894e8cf134ad2789c2e9c9e92d6d1c3da0b9e3e0bcecd4a86d5b24fe167f4f6f8a3a5ad8f5b0e146

\Surrogatewebref\reviewcommon.exe

MD5 2691a48220ece165313a2096d4be7788
SHA1 bb9d65345c7aae09cd340e8b2eae8e3a8ff45f96
SHA256 20a6875053a9b02e3dca4c650b698f5eb0f22119b6d51317043c5953aab00a55
SHA512 13c70c3a44aa67a29e066d6c7e283574d165fa2a1e6bfc4be992ff6fcfc9c1a126b97fd64f18dfbe4e5d27eae75e8b6e6325f3ae96871afb2aef006e6589023f

memory/2872-18-0x0000000000A60000-0x0000000000D6A000-memory.dmp

memory/2872-19-0x00000000001D0000-0x00000000001DE000-memory.dmp

memory/2872-20-0x00000000004A0000-0x00000000004AE000-memory.dmp

memory/2872-21-0x0000000000630000-0x0000000000638000-memory.dmp

memory/2872-22-0x0000000000640000-0x000000000065C000-memory.dmp

memory/2872-23-0x0000000000A20000-0x0000000000A36000-memory.dmp

memory/2872-24-0x0000000000A40000-0x0000000000A52000-memory.dmp

memory/2872-25-0x0000000002270000-0x000000000227C000-memory.dmp

memory/2872-26-0x0000000000A50000-0x0000000000A60000-memory.dmp

memory/2872-27-0x0000000002280000-0x000000000228C000-memory.dmp

memory/2872-28-0x0000000002290000-0x00000000022E6000-memory.dmp

memory/2872-29-0x0000000002360000-0x000000000236C000-memory.dmp

memory/2872-30-0x000000001A900000-0x000000001A90C000-memory.dmp

memory/2872-31-0x000000001A910000-0x000000001A918000-memory.dmp

memory/2872-32-0x000000001A920000-0x000000001A932000-memory.dmp

memory/2872-33-0x000000001A930000-0x000000001A93C000-memory.dmp

memory/2872-34-0x000000001AA40000-0x000000001AA48000-memory.dmp

memory/2872-35-0x000000001AF20000-0x000000001AF2C000-memory.dmp

memory/2872-36-0x000000001AF30000-0x000000001AF3E000-memory.dmp

memory/2872-37-0x000000001AFC0000-0x000000001AFCE000-memory.dmp

memory/2872-38-0x000000001AFD0000-0x000000001AFD8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e641cc6515ffcfb1560c3218c3b25420
SHA1 3eef975f89027a39c22405de798e564030285b64
SHA256 922e7c881b6296f547274e86663027abba2a750a82b5f6ad001cb71f427e8497
SHA512 5605a329f946b3f8f83301ab44c591ec1716b550a7e86dcd9f9dd01258b4ff2e13f51e20b0f415de5023693c5bc6c071dccd51e5f27de5fb007c0f48505290e1

memory/2248-57-0x00000000003D0000-0x00000000006DA000-memory.dmp

memory/2300-93-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/2248-94-0x00000000003C0000-0x00000000003D2000-memory.dmp

memory/2300-87-0x000000001B700000-0x000000001B9E2000-memory.dmp

memory/2248-95-0x00000000021D0000-0x0000000002226000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-17 02:56

Reported

2024-07-17 02:58

Platform

win10v2004-20240709-en

Max time kernel

136s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Surrogatewebref\\System.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Surrogatewebref\\System.exe\", \"C:\\Users\\Admin\\3D Objects\\fontdrvhost.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Surrogatewebref\\System.exe\", \"C:\\Users\\Admin\\3D Objects\\fontdrvhost.exe\", \"C:\\Windows\\Resources\\Themes\\aero\\en-US\\sihost.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Surrogatewebref\\System.exe\", \"C:\\Users\\Admin\\3D Objects\\fontdrvhost.exe\", \"C:\\Windows\\Resources\\Themes\\aero\\en-US\\sihost.exe\", \"C:\\Windows\\Vss\\Writers\\System\\services.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (12 events) N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Surrogatewebref\reviewcommon.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Surrogatewebref\reviewcommon.exe N/A
N/A N/A C:\Users\Admin\3D Objects\fontdrvhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\3D Objects\\fontdrvhost.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\Resources\\Themes\\aero\\en-US\\sihost.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\Resources\\Themes\\aero\\en-US\\sihost.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Vss\\Writers\\System\\services.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Vss\\Writers\\System\\services.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Surrogatewebref\\System.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Surrogatewebref\\System.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\3D Objects\\fontdrvhost.exe\"" C:\Surrogatewebref\reviewcommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Resources\Themes\aero\en-US\sihost.exe C:\Surrogatewebref\reviewcommon.exe N/A
File created C:\Windows\Resources\Themes\aero\en-US\66fc9ff0ee96c2 C:\Surrogatewebref\reviewcommon.exe N/A
File created C:\Windows\Vss\Writers\System\services.exe C:\Surrogatewebref\reviewcommon.exe N/A
File created C:\Windows\Vss\Writers\System\c5b4cb5e9653cc C:\Surrogatewebref\reviewcommon.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Surrogatewebref\reviewcommon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\fontdrvhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3424 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe C:\Windows\SysWOW64\WScript.exe
PID 3424 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe C:\Windows\SysWOW64\WScript.exe
PID 3424 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe C:\Windows\SysWOW64\WScript.exe
PID 3424 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe C:\Windows\SysWOW64\WScript.exe
PID 3424 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe C:\Windows\SysWOW64\WScript.exe
PID 3424 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe C:\Windows\SysWOW64\WScript.exe
PID 3108 wrote to memory of 4036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3108 wrote to memory of 4036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3108 wrote to memory of 4036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Surrogatewebref\reviewcommon.exe
PID 4036 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Surrogatewebref\reviewcommon.exe
PID 1676 wrote to memory of 3636 N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 3636 N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 540 N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 540 N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2176 N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2176 N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 4772 N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 4772 N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 3040 N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 3040 N/A C:\Surrogatewebref\reviewcommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2912 N/A C:\Surrogatewebref\reviewcommon.exe C:\Users\Admin\3D Objects\fontdrvhost.exe
PID 1676 wrote to memory of 2912 N/A C:\Surrogatewebref\reviewcommon.exe C:\Users\Admin\3D Objects\fontdrvhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe

"C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Surrogatewebref\0OThNUtq.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Surrogatewebref\file.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Surrogatewebref\W7CNC.bat" "

C:\Surrogatewebref\reviewcommon.exe

"C:\Surrogatewebref\reviewcommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Surrogatewebref\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Surrogatewebref\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Surrogatewebref\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\3D Objects\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\3D Objects\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\aero\en-US\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\aero\en-US\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\aero\en-US\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\System\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\services.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogatewebref\reviewcommon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogatewebref\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\3D Objects\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\en-US\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\services.exe'

C:\Users\Admin\3D Objects\fontdrvhost.exe

"C:\Users\Admin\3D Objects\fontdrvhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 a0999665.xsph.ru udp
RU 141.8.192.103:80 a0999665.xsph.ru tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 141.8.192.103:80 a0999665.xsph.ru tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp

Files

C:\Surrogatewebref\0OThNUtq.vbe

MD5 013e4068fecbf70a6305a10f4baac7d0
SHA1 113ac6511cb6965dc872d284552ea129e1e41973
SHA256 f087215bae0916b3575743a62c0d6722e6e78623f8046a53f8914661b3c6a10e
SHA512 f50fb4b24aa8846c94fba07e07b0f5e71b7c67b9843c34951eb4b4fbb7de8309d1441c16359621402659b3c4a406dccc93ea79056030f63adf8a359934cd3940

C:\Surrogatewebref\file.vbs

MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\Surrogatewebref\W7CNC.bat

MD5 b0d15fb085639d7d63a9556af4bdfced
SHA1 8a5498b0d47fbeae2c9452ceb8f413f4b1d3ac0b
SHA256 2e7b9e10897a9224a935716fbefe4c362d8a09ef9176a8ed794741e7418521b5
SHA512 d88ab6f23c8e08dd82443239451b84de849a967d08d20b84894e8cf134ad2789c2e9c9e92d6d1c3da0b9e3e0bcecd4a86d5b24fe167f4f6f8a3a5ad8f5b0e146

C:\Surrogatewebref\reviewcommon.exe

MD5 2691a48220ece165313a2096d4be7788
SHA1 bb9d65345c7aae09cd340e8b2eae8e3a8ff45f96
SHA256 20a6875053a9b02e3dca4c650b698f5eb0f22119b6d51317043c5953aab00a55
SHA512 13c70c3a44aa67a29e066d6c7e283574d165fa2a1e6bfc4be992ff6fcfc9c1a126b97fd64f18dfbe4e5d27eae75e8b6e6325f3ae96871afb2aef006e6589023f

memory/1676-17-0x0000000000EE0000-0x00000000011EA000-memory.dmp

memory/1676-18-0x0000000003400000-0x000000000340E000-memory.dmp

memory/1676-19-0x0000000003410000-0x000000000341E000-memory.dmp

memory/1676-20-0x0000000003540000-0x0000000003548000-memory.dmp

memory/1676-21-0x0000000003550000-0x000000000356C000-memory.dmp

memory/1676-22-0x000000001BDA0000-0x000000001BDF0000-memory.dmp

memory/1676-23-0x0000000003570000-0x0000000003586000-memory.dmp

memory/1676-24-0x0000000003590000-0x00000000035A2000-memory.dmp

memory/1676-25-0x00000000035A0000-0x00000000035AC000-memory.dmp

memory/1676-26-0x00000000035B0000-0x00000000035C0000-memory.dmp

memory/1676-27-0x00000000035C0000-0x00000000035CC000-memory.dmp

memory/1676-28-0x000000001BDF0000-0x000000001BE46000-memory.dmp

memory/1676-29-0x000000001BE40000-0x000000001BE4C000-memory.dmp

memory/1676-30-0x000000001C810000-0x000000001C81C000-memory.dmp

memory/1676-31-0x000000001C820000-0x000000001C828000-memory.dmp

memory/1676-32-0x000000001C830000-0x000000001C842000-memory.dmp

memory/1676-33-0x000000001CD90000-0x000000001D2B8000-memory.dmp

memory/1676-34-0x000000001C860000-0x000000001C86C000-memory.dmp

memory/1676-35-0x000000001C870000-0x000000001C878000-memory.dmp

memory/1676-36-0x000000001C980000-0x000000001C98C000-memory.dmp

memory/1676-37-0x000000001C880000-0x000000001C88E000-memory.dmp

memory/1676-38-0x000000001C890000-0x000000001C89E000-memory.dmp

memory/1676-39-0x000000001C8A0000-0x000000001C8A8000-memory.dmp

memory/2176-64-0x000001B3C93E0000-0x000001B3C9402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_navmwc30.jew.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29