Analysis Overview
SHA256
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147
Threat Level: Known bad
The file 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
DCRat payload
Modifies WinLogon for persistence
Process spawned unexpected child process
Dcrat family
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Adds Run key to start application
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-21 08:15
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-21 08:15
Reported
2024-07-21 08:17
Platform
win7-20240705-en
Max time kernel
121s
Max time network
122s
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Users\\Admin\\Saved Games\\dwm.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Users\\Admin\\Saved Games\\dwm.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\Idle.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Users\\Admin\\Saved Games\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Default User\sppsvc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Sidebar\\ja-JP\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\Saved Games\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\Saved Games\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Default User\sppsvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2392 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | C:\Users\Default User\sppsvc.exe |
| PID 2392 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | C:\Users\Default User\sppsvc.exe |
| PID 2392 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | C:\Users\Default User\sppsvc.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
"C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\ja-JP\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\ja-JP\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\Idle.exe'" /rl HIGHEST /f
C:\Users\Default User\sppsvc.exe
"C:\Users\Default User\sppsvc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | a1006461.xsph.ru | udp |
| RU | 141.8.197.42:80 | a1006461.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a1006461.xsph.ru | tcp |
Files
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe
| MD5 | 6e4e01af6b88116f0c7331bba5e7b782 |
| SHA1 | 756c0a5ea8aac86f41d118166452a011a608043c |
| SHA256 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147 |
| SHA512 | f49b6146f313624606a9eb80287c23c68aaefcf7ffafacba83a87b333b4388dd38a423a179b7bcb0e1d555873681b405c781faf68e2d7169fa7bcefe4a73874b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-21 08:15
Reported
2024-07-21 08:17
Platform
win10v2004-20240709-en
Max time kernel
148s
Max time network
150s
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\", \"C:\\Users\\Public\\Downloads\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\", \"C:\\Users\\Public\\Downloads\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Users\\Public\\Desktop\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\", \"C:\\Users\\Public\\Downloads\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Users\\Public\\Desktop\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\", \"C:\\Users\\Public\\Downloads\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\", \"C:\\Users\\Public\\Downloads\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\es-ES\Idle.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\Downloads\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Desktop\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\Downloads\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Desktop\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| File created | C:\Windows\GameBarPresenceWriter\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Defender\es-ES\Idle.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1632 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | C:\Windows\System32\cmd.exe |
| PID 1632 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | C:\Windows\System32\cmd.exe |
| PID 3252 wrote to memory of 4496 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 3252 wrote to memory of 4496 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 3252 wrote to memory of 4904 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Windows Defender\es-ES\Idle.exe |
| PID 3252 wrote to memory of 4904 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Windows Defender\es-ES\Idle.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
"C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\playlist\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\playlist\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\playlist\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HPrHHnYVoS.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Defender\es-ES\Idle.exe
"C:\Program Files\Windows Defender\es-ES\Idle.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | a1006461.xsph.ru | udp |
| RU | 141.8.197.42:80 | a1006461.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a1006461.xsph.ru | tcp |
| US | 8.8.8.8:53 | 42.197.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1632-0-0x00007FFA56CE3000-0x00007FFA56CE5000-memory.dmp
memory/1632-1-0x00000000008E0000-0x0000000000AEE000-memory.dmp
memory/1632-2-0x00007FFA56CE0000-0x00007FFA577A1000-memory.dmp
memory/1632-3-0x0000000001340000-0x000000000134E000-memory.dmp
memory/1632-5-0x0000000001490000-0x00000000014E6000-memory.dmp
memory/1632-4-0x0000000001370000-0x0000000001378000-memory.dmp
memory/1632-8-0x000000001B7A0000-0x000000001B7AC000-memory.dmp
memory/1632-7-0x000000001B790000-0x000000001B79C000-memory.dmp
memory/1632-6-0x000000001B770000-0x000000001B77C000-memory.dmp
memory/1632-11-0x00007FFA56CE0000-0x00007FFA577A1000-memory.dmp
memory/1632-12-0x00007FFA56CE0000-0x00007FFA577A1000-memory.dmp
C:\Program Files\Windows Defender\es-ES\Idle.exe
| MD5 | 6e4e01af6b88116f0c7331bba5e7b782 |
| SHA1 | 756c0a5ea8aac86f41d118166452a011a608043c |
| SHA256 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147 |
| SHA512 | f49b6146f313624606a9eb80287c23c68aaefcf7ffafacba83a87b333b4388dd38a423a179b7bcb0e1d555873681b405c781faf68e2d7169fa7bcefe4a73874b |
memory/1632-32-0x00007FFA56CE0000-0x00007FFA577A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HPrHHnYVoS.bat
| MD5 | 45b9f0350f051d06404e44581e8b58c2 |
| SHA1 | ab9f9b1084ba8144063ae4f21a44c4ca3b37c890 |
| SHA256 | bc4583c0f128c8454558fdbef196a545334a446a8dee6913ef4c1cdb04bf8eb3 |
| SHA512 | 9c74aaf02c46ca2794c477b94992f397834bf62ee60fafd549145fc538800888f62496fe126019b2aad73f29ecc361995cef92fbc252ad112681df26d5393ee4 |
memory/4904-37-0x000000001B390000-0x000000001B3E6000-memory.dmp