dcrat | caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe
Size

3.2MB
MD5

b49ab1057d8a84fcfab28e98cfbf7330
SHA1

b5740a5eeef81280e7b7c9556487d3d5e21725f0
SHA256

caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4
SHA512

d2ba08fee9f409d9b994fa66ac2db1b28f87590ced2461bde6f776bb0289fc2dbdea1ff725bdfca12dd4caadfc15560b2dc5a5fb60578dbe517e60de7d2d6149
SSDEEP

98304:+9ckJgZJBx32c8a3TiHPBeZRuyO7AqY3UkWcT:+mRDiHPBeZBOc

Score

10^/10

dcrat redline sectoprat mad aspackv2 discovery infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

MAD

185.189.14.66:4090

Signatures

DcRat 9 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exefontreviewdriverRuntimeCrtwinSessionNet.exeschtasks.exeschtasks.execaad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe

pid	process
2248	schtasks.exe
1980	schtasks.exe
2892	schtasks.exe
2112	schtasks.exe
1840	schtasks.exe
File created	C:\Windows\System32\wbem\mofd\24dbde2999530e	fontreviewdriverRuntimeCrtwinSessionNet.exe
1040	schtasks.exe
1492	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2100	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Stealer.exe	family_redline
behavioral1/memory/1784-41-0x0000000001280000-0x000000000129E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1504-14-0x0000000000400000-0x00000000009C1000-memory.dmp	family_sectoprat
C:\Users\Admin\AppData\Roaming\Stealer.exe	family_sectoprat
behavioral1/memory/1504-34-0x0000000000400000-0x00000000009C1000-memory.dmp	family_sectoprat
behavioral1/memory/1784-41-0x0000000001280000-0x000000000129E000-memory.dmp	family_sectoprat

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RXwVhS.exe	aspack_v212_v242

Executes dropped EXE 5 IoCs

Processes:

RXwVhS.exeStealer.exeRater.exefontreviewdriverRuntimeCrtwinSessionNet.exeservices.exe

pid process

2404 RXwVhS.exe
1784 Stealer.exe
2684 Rater.exe
1144 fontreviewdriverRuntimeCrtwinSessionNet.exe
580 services.exe

pid	process
2404	RXwVhS.exe
1784	Stealer.exe
2684	Rater.exe
1144	fontreviewdriverRuntimeCrtwinSessionNet.exe
580	services.exe

Loads dropped DLL 6 IoCs

Processes:

caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.execmd.exe

pid	process
1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe
1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe
1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe
1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe
316	cmd.exe
316	cmd.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fontreviewdriverRuntimeCrtwinSessionNet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\""	fontreviewdriverRuntimeCrtwinSessionNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\""	fontreviewdriverRuntimeCrtwinSessionNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stealer = "\"C:\\Program Files\\Uninstall Information\\Stealer.exe\""	fontreviewdriverRuntimeCrtwinSessionNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\mofd\\WmiPrvSE.exe\""	fontreviewdriverRuntimeCrtwinSessionNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\certmgr\\lsm.exe\""	fontreviewdriverRuntimeCrtwinSessionNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\appwiz\\services.exe\""	fontreviewdriverRuntimeCrtwinSessionNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\qwinsta\\sppsvc.exe\""	fontreviewdriverRuntimeCrtwinSessionNet.exe

Drops file in System32 directory 9 IoCs

Processes:

fontreviewdriverRuntimeCrtwinSessionNet.exe

description	ioc	process
File created	C:\Windows\System32\wbem\mofd\WmiPrvSE.exe	fontreviewdriverRuntimeCrtwinSessionNet.exe
File created	C:\Windows\System32\wbem\mofd\24dbde2999530e	fontreviewdriverRuntimeCrtwinSessionNet.exe
File created	C:\Windows\System32\certmgr\101b941d020240	fontreviewdriverRuntimeCrtwinSessionNet.exe
File created	C:\Windows\System32\appwiz\services.exe	fontreviewdriverRuntimeCrtwinSessionNet.exe
File created	C:\Windows\System32\qwinsta\0a1fd5f707cd16	fontreviewdriverRuntimeCrtwinSessionNet.exe
File opened for modification	C:\Windows\System32\wbem\mofd\WmiPrvSE.exe	fontreviewdriverRuntimeCrtwinSessionNet.exe
File created	C:\Windows\System32\certmgr\lsm.exe	fontreviewdriverRuntimeCrtwinSessionNet.exe
File created	C:\Windows\System32\appwiz\c5b4cb5e9653cc	fontreviewdriverRuntimeCrtwinSessionNet.exe
File created	C:\Windows\System32\qwinsta\sppsvc.exe	fontreviewdriverRuntimeCrtwinSessionNet.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe

pid process

1504 caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe

Drops file in Program Files directory 64 IoCs

Processes:

RXwVhS.exefontreviewdriverRuntimeCrtwinSessionNet.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	RXwVhS.exe
File created	C:\Program Files\Uninstall Information\5f8a5db4ded16c	fontreviewdriverRuntimeCrtwinSessionNet.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	RXwVhS.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	RXwVhS.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	RXwVhS.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	RXwVhS.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	RXwVhS.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	RXwVhS.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	RXwVhS.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{EBB1980D-D3FB-4EE3-8028-3788F037127D}\chrome_installer.exe	RXwVhS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	RXwVhS.exe

Drops file in Windows directory 1 IoCs

Processes:

fontreviewdriverRuntimeCrtwinSessionNet.exe

description ioc process

File created C:\Windows\Boot\PCAT\fi-FI\spoolsv.exe fontreviewdriverRuntimeCrtwinSessionNet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Boot\PCAT\fi-FI\spoolsv.exe	fontreviewdriverRuntimeCrtwinSessionNet.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exeRXwVhS.exeStealer.exeRater.exeWScript.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RXwVhS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2248 schtasks.exe
1980 schtasks.exe
2892 schtasks.exe
2112 schtasks.exe
1040 schtasks.exe
1840 schtasks.exe
1492 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fontreviewdriverRuntimeCrtwinSessionNet.exe

pid process

1144 fontreviewdriverRuntimeCrtwinSessionNet.exe

pid	process
2248	schtasks.exe
1980	schtasks.exe
2892	schtasks.exe
2112	schtasks.exe
1040	schtasks.exe
1840	schtasks.exe
1492	schtasks.exe

pid	process
1144	fontreviewdriverRuntimeCrtwinSessionNet.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Stealer.exefontreviewdriverRuntimeCrtwinSessionNet.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	1784	Stealer.exe
Token: SeDebugPrivilege	1144	fontreviewdriverRuntimeCrtwinSessionNet.exe
Token: SeDebugPrivilege	580	services.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe

pid process

1504 caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exeRater.exeWScript.exeRXwVhS.execmd.exefontreviewdriverRuntimeCrtwinSessionNet.exe

description	pid	process	target process
PID 1504 wrote to memory of 2404	1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe	RXwVhS.exe
PID 1504 wrote to memory of 2404	1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe	RXwVhS.exe
PID 1504 wrote to memory of 2404	1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe	RXwVhS.exe
PID 1504 wrote to memory of 2404	1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe	RXwVhS.exe
PID 1504 wrote to memory of 1784	1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe	Stealer.exe
PID 1504 wrote to memory of 1784	1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe	Stealer.exe
PID 1504 wrote to memory of 1784	1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe	Stealer.exe
PID 1504 wrote to memory of 1784	1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe	Stealer.exe
PID 1504 wrote to memory of 2684	1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe	Rater.exe
PID 1504 wrote to memory of 2684	1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe	Rater.exe
PID 1504 wrote to memory of 2684	1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe	Rater.exe
PID 1504 wrote to memory of 2684	1504	caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe	Rater.exe
PID 2684 wrote to memory of 3056	2684	Rater.exe	WScript.exe
PID 2684 wrote to memory of 3056	2684	Rater.exe	WScript.exe
PID 2684 wrote to memory of 3056	2684	Rater.exe	WScript.exe
PID 2684 wrote to memory of 3056	2684	Rater.exe	WScript.exe
PID 3056 wrote to memory of 316	3056	WScript.exe	cmd.exe
PID 3056 wrote to memory of 316	3056	WScript.exe	cmd.exe
PID 3056 wrote to memory of 316	3056	WScript.exe	cmd.exe
PID 3056 wrote to memory of 316	3056	WScript.exe	cmd.exe
PID 2404 wrote to memory of 2396	2404	RXwVhS.exe	cmd.exe
PID 2404 wrote to memory of 2396	2404	RXwVhS.exe	cmd.exe
PID 2404 wrote to memory of 2396	2404	RXwVhS.exe	cmd.exe
PID 2404 wrote to memory of 2396	2404	RXwVhS.exe	cmd.exe
PID 316 wrote to memory of 1144	316	cmd.exe	fontreviewdriverRuntimeCrtwinSessionNet.exe
PID 316 wrote to memory of 1144	316	cmd.exe	fontreviewdriverRuntimeCrtwinSessionNet.exe
PID 316 wrote to memory of 1144	316	cmd.exe	fontreviewdriverRuntimeCrtwinSessionNet.exe
PID 316 wrote to memory of 1144	316	cmd.exe	fontreviewdriverRuntimeCrtwinSessionNet.exe
PID 1144 wrote to memory of 580	1144	fontreviewdriverRuntimeCrtwinSessionNet.exe	services.exe
PID 1144 wrote to memory of 580	1144	fontreviewdriverRuntimeCrtwinSessionNet.exe	services.exe
PID 1144 wrote to memory of 580	1144	fontreviewdriverRuntimeCrtwinSessionNet.exe	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe
"C:\Users\Admin\AppData\Local\Temp\caad395aeff17ecc47ae5b0989cc8c1338af1c6cd405af7af8cb3e9533be0ab4.exe"
1⤵
- DcRat
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\RXwVhS.exe
C:\Users\Admin\AppData\Local\Temp\RXwVhS.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2fe15f16.bat" "
3⤵
- System Location Discovery: System Language Discovery
PID:2396

C:\Users\Admin\AppData\Roaming\Stealer.exe
"C:\Users\Admin\AppData\Roaming\Stealer.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Users\Admin\AppData\Roaming\Rater.exe
"C:\Users\Admin\AppData\Roaming\Rater.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\fontreviewdriverRuntimeCrt\aUIG46NqqfwTd5cOGgGlZ.vbe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\fontreviewdriverRuntimeCrt\QZXIUNz.bat" "
4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:316

C:\fontreviewdriverRuntimeCrt\fontreviewdriverRuntimeCrtwinSessionNet.exe
"C:\fontreviewdriverRuntimeCrt\fontreviewdriverRuntimeCrtwinSessionNet.exe"
5⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\System32\appwiz\services.exe
"C:\Windows\System32\appwiz\services.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\mofd\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\certmgr\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\appwiz\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\qwinsta\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Stealer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Stealer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\k2[1].rar
Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fe15f16.bat
Filesize
187B

MD5
4f837a565c50d7ef750930be47f16ada

SHA1
63f8e5b9257493532e8056f00a42d0811bdf70c8

SHA256
cef43ff2f16a36353af2266ea989057967935dd6f280ffe5752afd4e1bda8d31

SHA512
deafeb951fb29840a8e5ab6822e099e0b26612831499f133533e67253016567f38042504ee65a55f6d95b1a6c8c884486d587cdd4c7651effe5578848fc2c1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\34C735A7.exe
Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RXwVhS.exe
Filesize
15KB

MD5
f7d21de5c4e81341eccd280c11ddcc9a

SHA1
d4e9ef10d7685d491583c6fa93ae5d9105d815bd

SHA256
4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

SHA512
e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

Download Submit
C:\Users\Admin\AppData\Roaming\Rater.exe
Filesize
1.5MB

MD5
bcd17a8616855eb0c5a78f71fca10ba7

SHA1
a5eca5659dee5e5349b437640500acd197d8079e

SHA256
2fd0b5b2b36e993fb73c6788e7bd7a0e3d5576094c098cd7ae56fa0790668f3e

SHA512
24e8521a5c757cbd06d6d3789fe04eea0ba7c97b70bc1ac0da7cc56350e1bc721f470544ff51865ae556c3dedfa662bb76c75fa03a22e467c1380fe7e4e3a834

Download Submit
C:\Users\Admin\AppData\Roaming\Stealer.exe
Filesize
95KB

MD5
8cec900f08763b810c3e4133bc0dc834

SHA1
c547853fc95d46b46bd16dcb8e9cc555eb9a20ab

SHA256
abd30ac692e2bfb96036bdd9ed4b230418fe1e291c9cc57b2391992f38094592

SHA512
e8dd2a87f46ac67daf8175f344006a0efd14b6e9f09d36deeb5738b5a41de0c6cd39db1f41a2c3812f6cae7b0e50df44c86f9fc25a373b02a92131f7e3183897

Download Submit
C:\fontreviewdriverRuntimeCrt\QZXIUNz.bat
Filesize
75B

MD5
a4a6baa7c5632664c21cba413b8be602

SHA1
93f5b688cdd19ea0d6f0435fe290db46064b3a84

SHA256
9b67a341b4e4bd174717ddc01e03016ddf57d04e31f9468ba262e3325021b013

SHA512
9dd387acb8efec40199434de03d31b92bfc3e0ece6712819c3ecebe9bcad18597164cb8c56f1b28be48d156ee5620ac984f49c9f0ec901b259aedb3068814192

Download Submit
C:\fontreviewdriverRuntimeCrt\aUIG46NqqfwTd5cOGgGlZ.vbe
Filesize
210B

MD5
dffd872be659b76b5e8d2998f40338d8

SHA1
194fa1edcdf6dc8b589a95deb35a8ceb9055036e

SHA256
a49a72b1e8cc6b7ab9b30d564c757064b11184f10d305c7b5f6e66f558a32e0e

SHA512
33b7979274be7be149ce210a0e65938ec9ce30d5b5bd09f80d80dc3c62d09b174644898ecb06c763f71ab5ab09e299bba05e9f25a4f1792b1503c04187dfd7a7

Download Submit
\fontreviewdriverRuntimeCrt\fontreviewdriverRuntimeCrtwinSessionNet.exe
Filesize
1.2MB

MD5
e86e6dcddab6bf719197f12c99247b19

SHA1
7c9ad558e0484a57f2e4f81a9f91a34ca9d3926c

SHA256
eaafe8afd63c54fb58e983191998713a9417e74066a6aa89c08790ef9e824daa

SHA512
2e702d46610d7dc6f35097b1337d631aeab1d674d5aa120b70be68c54d1a984d2094ae0fd535cbfa161573b6fa9795650f4da6d8584d5ceef971606ffb27e9da

Download Submit
memory/580-113-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/580-112-0x0000000000BA0000-0x0000000000CCE000-memory.dmp

Filesize
1.2MB

Download
memory/1144-91-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/1144-90-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1144-89-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/1144-88-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1144-87-0x0000000000DD0000-0x0000000000EFE000-memory.dmp

Filesize
1.2MB

Download
memory/1504-8-0x0000000000400000-0x00000000009C1000-memory.dmp

Filesize
5.8MB

Download
memory/1504-14-0x0000000000400000-0x00000000009C1000-memory.dmp

Filesize
5.8MB

Download
memory/1504-10-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1504-12-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1504-34-0x0000000000400000-0x00000000009C1000-memory.dmp

Filesize
5.8MB

Download
memory/1784-41-0x0000000001280000-0x000000000129E000-memory.dmp

Filesize
120KB

Download
memory/2404-81-0x0000000000EF0000-0x0000000000EF9000-memory.dmp

Filesize
36KB

Download
memory/2404-11-0x0000000000EF0000-0x0000000000EF9000-memory.dmp

Filesize
36KB

Download