Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2024 06:00
Static task: static1
Behavioral task: behavioral1
- Sample: caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe
- Resource: win10v2004-20240709-en
General
- Target: caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe
- Size: 3.2MB
- MD5: b49ab1057d8a84fcfab28e98cfbf7330
- SHA1: b5740a5eeef81280e7b7c9556487d3d5e21725f0
- SHA256: caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4
- SHA512: d2ba08fee9f409d9b994fa66ac2db1b28f87590ced2461bde6f776bb0289fc2dbdea1ff725bdfca12dd4caadfc15560b2dc5a5fb60578dbe517e60de7d2d6149
- SSDEEP: 98304:+9ckJgZJBx32c8a3TiHPBeZRuyO7AqY3UkWcT:+mRDiHPBeZBOc
Malware Config
Extracted
redline
MAD
185.189.14.66:4090
Signatures
-
DcRat 9 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes (pid, process):
- 2248 schtasks.exe
- 1980 schtasks.exe
- 2892 schtasks.exe
- 2112 schtasks.exe
- 1840 schtasks.exe
- File created: C:\Windows\System32\wbem\mofd\24dbde2999530e (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- 1040 schtasks.exe
- 1492 schtasks.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe)
Process spawned unexpected child process 7 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description, pid, pid_target, process):
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 2248, pid_target 2100, schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 1980, pid_target 2100, schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 2892, pid_target 2100, schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 2112, pid_target 2100, schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 1040, pid_target 2100, schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 1840, pid_target 2100, schtasks.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 1492, pid_target 2100, schtasks.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Roaming\Stealer.exe: family_redline
- behavioral1/memory/1784-41-0x0000000001280000-0x000000000129E000-memory.dmp: family_redline
SectopRAT payload 4 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/1504-14-0x0000000000400000-0x00000000009C1000-memory.dmp: family_sectoprat
- C:\Users\Admin\AppData\Roaming\Stealer.exe: family_sectoprat
- behavioral1/memory/1504-34-0x0000000000400000-0x00000000009C1000-memory.dmp: family_sectoprat
- behavioral1/memory/1784-41-0x0000000001280000-0x000000000129E000-memory.dmp: family_sectoprat
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Temp\RXwVhS.exe: aspack_v212_v242
Executes dropped EXE 5 IoCs
Processes (pid, process):
- 2404 RXwVhS.exe
- 1784 Stealer.exe
- 2684 Rater.exe
- 1144 fontreviewdriverRuntimeCrtwinSessionNet.exe
- 580 services.exe
Loads dropped DLL 6 IoCs
Processes (pid, process):
- 1504 caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe (4 entries)
- 316 cmd.exe (2 entries)
Adds Run key to start application 2 TTPs 7 IoCs
Processes (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\"" (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\"" (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stealer = "\"C:\\Program Files\\Uninstall Information\\Stealer.exe\"" (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\mofd\\WmiPrvSE.exe\"" (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\certmgr\\lsm.exe\"" (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\appwiz\\services.exe\"" (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\qwinsta\\sppsvc.exe\"" (fontreviewdriverRuntimeCrtwinSessionNet.exe)
Drops file in System32 directory 9 IoCs
Processes (description, ioc, process):
- File created C:\Windows\System32\wbem\mofd\WmiPrvSE.exe (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- File created C:\Windows\System32\wbem\mofd\24dbde2999530e (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- File created C:\Windows\System32\certmgr\101b941d020240 (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- File created C:\Windows\System32\appwiz\services.exe (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- File created C:\Windows\System32\qwinsta\0a1fd5f707cd16 (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- File opened for modification C:\Windows\System32\wbem\mofd\WmiPrvSE.exe (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- File created C:\Windows\System32\certmgr\lsm.exe (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- File created C:\Windows\System32\appwiz\c5b4cb5e9653cc (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- File created C:\Windows\System32\qwinsta\sppsvc.exe (fontreviewdriverRuntimeCrtwinSessionNet.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (pid, process):
- 1504 caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe
Drops file in Program Files directory 64 IoCs
Processes (description, ioc, process):
- File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Windows Mail\wabmig.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe (RXwVhS.exe)
- File created C:\Program Files\Uninstall Information\5f8a5db4ded16c (fontreviewdriverRuntimeCrtwinSessionNet.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Windows Journal\Journal.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE (RXwVhS.exe)
- File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Windows Sidebar\sidebar.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Windows Sidebar\sidebar.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Microsoft Games\Hearts\Hearts.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE (RXwVhS.exe)
- File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Windows Defender\MSASCui.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Windows Mail\wabmig.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\7-Zip\Uninstall.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE (RXwVhS.exe)
- File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe (RXwVhS.exe)
- File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Google\Update\Install\{EBB1980D-D3FB-4EE3-8028-3788F037127D}\chrome_installer.exe (RXwVhS.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe (RXwVhS.exe)
Drops file in Windows directory 1 IoCs
Processes (description, ioc, process):
- File created C:\Windows\Boot\PCAT\fi-FI\spoolsv.exe (fontreviewdriverRuntimeCrtwinSessionNet.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RXwVhS.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Stealer.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Rater.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WScript.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 2248 schtasks.exe
- 1980 schtasks.exe
- 2892 schtasks.exe
- 2112 schtasks.exe
- 1040 schtasks.exe
- 1840 schtasks.exe
- 1492 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes (pid, process):
- 1144 fontreviewdriverRuntimeCrtwinSessionNet.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 1784 Stealer.exe
- Token: SeDebugPrivilege 1144 fontreviewdriverRuntimeCrtwinSessionNet.exe
- Token: SeDebugPrivilege 580 services.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
- 1504 caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe
Suspicious use of WriteProcessMemory 31 IoCs
Processes (description, pid, process, target process):
- PID 1504 wrote to memory of 2404: caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe -> RXwVhS.exe (4 entries)
- PID 1504 wrote to memory of 1784: caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe -> Stealer.exe (4 entries)
- PID 1504 wrote to memory of 2684: caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe -> Rater.exe (4 entries)
- PID 2684 wrote to memory of 3056: Rater.exe -> WScript.exe (4 entries)
- PID 3056 wrote to memory of 316: WScript.exe -> cmd.exe (4 entries)
- PID 2404 wrote to memory of 2396: RXwVhS.exe -> cmd.exe (4 entries)
- PID 316 wrote to memory of 1144: cmd.exe -> fontreviewdriverRuntimeCrtwinSessionNet.exe (4 entries)
- PID 1144 wrote to memory of 580: fontreviewdriverRuntimeCrtwinSessionNet.exe -> services.exe (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe"
- DcRat
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\RXwVhS.exe
Command line: C:\Users\Admin\AppData\Local\Temp\RXwVhS.exe
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2fe15f16.bat" "
- System Location Discovery: System Language Discovery
-
Depth 2: C:\Users\Admin\AppData\Roaming\Stealer.exe
Command line: "C:\Users\Admin\AppData\Roaming\Stealer.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
Depth 2: C:\Users\Admin\AppData\Roaming\Rater.exe
Command line: "C:\Users\Admin\AppData\Roaming\Rater.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
Depth 3: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\fontreviewdriverRuntimeCrt\aUIG46NqqfwTd5cOGgGlZ.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\fontreviewdriverRuntimeCrt\QZXIUNz.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
Depth 5: C:\fontreviewdriverRuntimeCrt\fontreviewdriverRuntimeCrtwinSessionNet.exe
Command line: "C:\fontreviewdriverRuntimeCrt\fontreviewdriverRuntimeCrtwinSessionNet.exe"
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Depth 6: C:\Windows\System32\appwiz\services.exe
Command line: "C:\Windows\System32\appwiz\services.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\mofd\WmiPrvSE.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\certmgr\lsm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\appwiz\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\qwinsta\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Stealer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Stealer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\k2[1].rar
- Filesize: 4B
- MD5: d3b07384d113edec49eaa6238ad5ff00
- SHA1: f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
- SHA256: b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
- SHA512: 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
-
C:\Users\Admin\AppData\Local\Temp\2fe15f16.bat
- Filesize: 187B
- MD5: 4f837a565c50d7ef750930be47f16ada
- SHA1: 63f8e5b9257493532e8056f00a42d0811bdf70c8
- SHA256: cef43ff2f16a36353af2266ea989057967935dd6f280ffe5752afd4e1bda8d31
- SHA512: deafeb951fb29840a8e5ab6822e099e0b26612831499f133533e67253016567f38042504ee65a55f6d95b1a6c8c884486d587cdd4c7651effe5578848fc2c1dc
-
C:\Users\Admin\AppData\Local\Temp\34C735A7.exe
- Filesize: 4B
- MD5: 20879c987e2f9a916e578386d499f629
- SHA1: c7b33ddcc42361fdb847036fc07e880b81935d5d
- SHA256: 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
- SHA512: bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f
-
C:\Users\Admin\AppData\Local\Temp\RXwVhS.exe
- Filesize: 15KB
- MD5: f7d21de5c4e81341eccd280c11ddcc9a
- SHA1: d4e9ef10d7685d491583c6fa93ae5d9105d815bd
- SHA256: 4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
- SHA512: e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3
-
C:\Users\Admin\AppData\Roaming\Rater.exe
- Filesize: 1.5MB
- MD5: bcd17a8616855eb0c5a78f71fca10ba7
- SHA1: a5eca5659dee5e5349b437640500acd197d8079e
- SHA256: 2fd0b5b2b36e993fb73c6788e7bd7a0e3d5576094c098cd7ae56fa0790668f3e
- SHA512: 24e8521a5c757cbd06d6d3789fe04eea0ba7c97b70bc1ac0da7cc56350e1bc721f470544ff51865ae556c3dedfa662bb76c75fa03a22e467c1380fe7e4e3a834
-
C:\Users\Admin\AppData\Roaming\Stealer.exe
- Filesize: 95KB
- MD5: 8cec900f08763b810c3e4133bc0dc834
- SHA1: c547853fc95d46b46bd16dcb8e9cc555eb9a20ab
- SHA256: abd30ac692e2bfb96036bdd9ed4b230418fe1e291c9cc57b2391992f38094592
- SHA512: e8dd2a87f46ac67daf8175f344006a0efd14b6e9f09d36deeb5738b5a41de0c6cd39db1f41a2c3812f6cae7b0e50df44c86f9fc25a373b02a92131f7e3183897
-
C:\fontreviewdriverRuntimeCrt\QZXIUNz.bat
- Filesize: 75B
- MD5: a4a6baa7c5632664c21cba413b8be602
- SHA1: 93f5b688cdd19ea0d6f0435fe290db46064b3a84
- SHA256: 9b67a341b4e4bd174717ddc01e03016ddf57d04e31f9468ba262e3325021b013
- SHA512: 9dd387acb8efec40199434de03d31b92bfc3e0ece6712819c3ecebe9bcad18597164cb8c56f1b28be48d156ee5620ac984f49c9f0ec901b259aedb3068814192
-
C:\fontreviewdriverRuntimeCrt\aUIG46NqqfwTd5cOGgGlZ.vbe
- Filesize: 210B
- MD5: dffd872be659b76b5e8d2998f40338d8
- SHA1: 194fa1edcdf6dc8b589a95deb35a8ceb9055036e
- SHA256: a49a72b1e8cc6b7ab9b30d564c757064b11184f10d305c7b5f6e66f558a32e0e
- SHA512: 33b7979274be7be149ce210a0e65938ec9ce30d5b5bd09f80d80dc3c62d09b174644898ecb06c763f71ab5ab09e299bba05e9f25a4f1792b1503c04187dfd7a7
-
\fontreviewdriverRuntimeCrt\fontreviewdriverRuntimeCrtwinSessionNet.exe
- Filesize: 1.2MB
- MD5: e86e6dcddab6bf719197f12c99247b19
- SHA1: 7c9ad558e0484a57f2e4f81a9f91a34ca9d3926c
- SHA256: eaafe8afd63c54fb58e983191998713a9417e74066a6aa89c08790ef9e824daa
- SHA512: 2e702d46610d7dc6f35097b1337d631aeab1d674d5aa120b70be68c54d1a984d2094ae0fd535cbfa161573b6fa9795650f4da6d8584d5ceef971606ffb27e9da
-
- memory/580-113-0x0000000000390000-0x00000000003A2000-memory.dmp: Filesize 72KB
- memory/580-112-0x0000000000BA0000-0x0000000000CCE000-memory.dmp: Filesize 1.2MB
- memory/1144-91-0x0000000000410000-0x0000000000422000-memory.dmp: Filesize 72KB
- memory/1144-90-0x0000000000400000-0x000000000040C000-memory.dmp: Filesize 48KB
- memory/1144-89-0x0000000000350000-0x0000000000360000-memory.dmp: Filesize 64KB
- memory/1144-88-0x00000000003E0000-0x00000000003FC000-memory.dmp: Filesize 112KB
- memory/1144-87-0x0000000000DD0000-0x0000000000EFE000-memory.dmp: Filesize 1.2MB
- memory/1504-8-0x0000000000400000-0x00000000009C1000-memory.dmp: Filesize 5.8MB
- memory/1504-14-0x0000000000400000-0x00000000009C1000-memory.dmp: Filesize 5.8MB
- memory/1504-10-0x00000000001F0000-0x00000000001F9000-memory.dmp: Filesize 36KB
- memory/1504-12-0x00000000001F0000-0x00000000001F9000-memory.dmp: Filesize 36KB
- memory/1504-34-0x0000000000400000-0x00000000009C1000-memory.dmp: Filesize 5.8MB
- memory/1784-41-0x0000000001280000-0x000000000129E000-memory.dmp: Filesize 120KB
- memory/2404-81-0x0000000000EF0000-0x0000000000EF9000-memory.dmp: Filesize 36KB
- memory/2404-11-0x0000000000EF0000-0x0000000000EF9000-memory.dmp: Filesize 36KB