Malware Analysis Report

2025-08-10 14:27

Sample ID 241030-bq9whsvmhk
Target 84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719
SHA256 84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719
Tags
dcrat discovery infostealer persistence rat spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file 84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719 was found to be: Known bad.

Malicious Activity Summary

DcRat

Modifies WinLogon for persistence

Dcrat family

Process spawned unexpected child process

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 01:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 01:22

Reported

2024-10-30 01:25

Platform

win7-20240903-en

Max time kernel

119s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\cmd.exe\", \"C:\\Windows\\AppPatch\\de-DE\\audiodg.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\cmd.exe\", \"C:\\Windows\\AppPatch\\de-DE\\audiodg.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\", \"C:\\Providerinto\\webrefSession.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\cmd.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\cmd.exe\", \"C:\\Windows\\AppPatch\\de-DE\\audiodg.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\cmd.exe\", \"C:\\Windows\\AppPatch\\de-DE\\audiodg.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\cmd.exe\", \"C:\\Windows\\AppPatch\\de-DE\\audiodg.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsass.exe\"" C:\Providerinto\webrefSession.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (18 identical events)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Providerinto\webrefSession.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\cmd.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\AppPatch\\de-DE\\audiodg.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\AppPatch\\de-DE\\audiodg.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Fonts\\dllhost.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\webrefSession = "\"C:\\Providerinto\\webrefSession.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webrefSession = "\"C:\\Providerinto\\webrefSession.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\cmd.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Fonts\\dllhost.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsass.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\lsass.exe\"" C:\Providerinto\webrefSession.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSCFF2D0AEFFB704E71A430E9A86860D9B3.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\3kmwe8.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Portable Devices\cmd.exe C:\Providerinto\webrefSession.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\cmd.exe C:\Providerinto\webrefSession.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\ebf1f9fa8afd6d C:\Providerinto\webrefSession.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppPatch\de-DE\42af1c969fbb7b C:\Providerinto\webrefSession.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-userinit.resources_31bf3856ad364e35_6.1.7600.16385_it-it_789060fcb62e86f2\wininit.exe C:\Providerinto\webrefSession.exe N/A
File created C:\Windows\Fonts\dllhost.exe C:\Providerinto\webrefSession.exe N/A
File created C:\Windows\Fonts\5940a34987c991 C:\Providerinto\webrefSession.exe N/A
File created C:\Windows\AppPatch\de-DE\audiodg.exe C:\Providerinto\webrefSession.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Providerinto\webrefSession.exe N/A (60 identical events)
N/A N/A C:\Program Files (x86)\Windows Portable Devices\cmd.exe N/A (4 identical events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Providerinto\webrefSession.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe C:\Windows\SysWOW64\WScript.exe (4 identical events)
PID 2476 wrote to memory of 1036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (4 identical events)
PID 1036 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Providerinto\webrefSession.exe (4 identical events)
PID 2692 wrote to memory of 972 N/A C:\Providerinto\webrefSession.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (3 identical events)
PID 972 wrote to memory of 1516 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (3 identical events)
PID 2692 wrote to memory of 2304 N/A C:\Providerinto\webrefSession.exe C:\Windows\System32\cmd.exe (3 identical events)
PID 2304 wrote to memory of 1692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com (3 identical events)
PID 2304 wrote to memory of 628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE (3 identical events)
PID 2304 wrote to memory of 1508 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\cmd.exe (3 identical events)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe

"C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Providerinto\jxEdxGsN64kiOqEUGJ67IuxvNwoevsckopc9pvSU.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Providerinto\Bn5IdhR1tUpuTxK5hmOWWYzImaYN1V5cjqGFLj.bat" "

C:\Providerinto\webrefSession.exe

"C:\Providerinto/webrefSession.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yex3oiac\yex3oiac.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES290.tmp" "c:\Windows\System32\CSCFF2D0AEFFB704E71A430E9A86860D9B3.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\de-DE\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\AppPatch\de-DE\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\de-DE\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "webrefSessionw" /sc MINUTE /mo 6 /tr "'C:\Providerinto\webrefSession.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "webrefSession" /sc ONLOGON /tr "'C:\Providerinto\webrefSession.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "webrefSessionw" /sc MINUTE /mo 8 /tr "'C:\Providerinto\webrefSession.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i6xrkkiY6W.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files (x86)\Windows Portable Devices\cmd.exe

"C:\Program Files (x86)\Windows Portable Devices\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 427176cm.nyashkoon.in udp
FR 37.44.238.250:80 427176cm.nyashkoon.in tcp
FR 37.44.238.250:80 427176cm.nyashkoon.in tcp

Files

C:\Providerinto\jxEdxGsN64kiOqEUGJ67IuxvNwoevsckopc9pvSU.vbe


C:\Providerinto\Bn5IdhR1tUpuTxK5hmOWWYzImaYN1V5cjqGFLj.bat


\Providerinto\webrefSession.exe

\??\c:\Users\Admin\AppData\Local\Temp\yex3oiac\yex3oiac.cmdline


\??\c:\Users\Admin\AppData\Local\Temp\yex3oiac\yex3oiac.0.cs


\??\c:\Windows\System32\CSCFF2D0AEFFB704E71A430E9A86860D9B3.TMP


C:\Users\Admin\AppData\Local\Temp\RES290.tmp


C:\Users\Admin\AppData\Local\Temp\i6xrkkiY6W.bat

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 01:22

Reported

2024-10-30 01:25

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Providerinto\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\twain_32\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Providerinto\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\twain_32\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Providerinto\\webrefSession.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Providerinto\\RuntimeBroker.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Providerinto\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Providerinto\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Providerinto\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\twain_32\\wininit.exe\"" C:\Providerinto\webrefSession.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (18 identical events)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Providerinto\webrefSession.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Providerinto\webrefSession.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webrefSession = "\"C:\\Providerinto\\webrefSession.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\twain_32\\wininit.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\twain_32\\wininit.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webrefSession = "\"C:\\Providerinto\\webrefSession.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Providerinto\\RuntimeBroker.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Providerinto\\RuntimeBroker.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" C:\Providerinto\webrefSession.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" C:\Providerinto\webrefSession.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSCCB5E4015BFA3471786199499D79B723D.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\lhkpi-.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\f3b6ecef712a24 C:\Providerinto\webrefSession.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe C:\Providerinto\webrefSession.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\twain_32\wininit.exe C:\Providerinto\webrefSession.exe N/A
File created C:\Windows\twain_32\56085415360792 C:\Providerinto\webrefSession.exe N/A
File created C:\Windows\CSC\Idle.exe C:\Providerinto\webrefSession.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Providerinto\webrefSession.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Providerinto\webrefSession.exe N/A (identical row repeated 64 times in the sandbox output; every hit is from the same webrefSession.exe process)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Providerinto\webrefSession.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4704 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe C:\Windows\SysWOW64\WScript.exe
PID 4704 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe C:\Windows\SysWOW64\WScript.exe
PID 4704 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe C:\Windows\SysWOW64\WScript.exe
PID 3980 wrote to memory of 2068 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 2068 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 2068 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Providerinto\webrefSession.exe
PID 2068 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Providerinto\webrefSession.exe
PID 1156 wrote to memory of 2508 N/A C:\Providerinto\webrefSession.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1156 wrote to memory of 2508 N/A C:\Providerinto\webrefSession.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2508 wrote to memory of 3152 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2508 wrote to memory of 3152 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1156 wrote to memory of 4804 N/A C:\Providerinto\webrefSession.exe C:\Windows\System32\cmd.exe
PID 1156 wrote to memory of 4804 N/A C:\Providerinto\webrefSession.exe C:\Windows\System32\cmd.exe
PID 4804 wrote to memory of 4748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4804 wrote to memory of 4748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4804 wrote to memory of 4768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4804 wrote to memory of 4768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4804 wrote to memory of 4260 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe
PID 4804 wrote to memory of 4260 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe

"C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Providerinto\jxEdxGsN64kiOqEUGJ67IuxvNwoevsckopc9pvSU.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Providerinto\Bn5IdhR1tUpuTxK5hmOWWYzImaYN1V5cjqGFLj.bat" "

C:\Providerinto\webrefSession.exe

"C:\Providerinto/webrefSession.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Providerinto\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Providerinto\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Providerinto\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ud3kigp\2ud3kigp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13B2.tmp" "c:\Windows\System32\CSCCB5E4015BFA3471786199499D79B723D.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\twain_32\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "webrefSessionw" /sc MINUTE /mo 13 /tr "'C:\Providerinto\webrefSession.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "webrefSession" /sc ONLOGON /tr "'C:\Providerinto\webrefSession.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "webrefSessionw" /sc MINUTE /mo 14 /tr "'C:\Providerinto\webrefSession.exe'" /rl HIGHEST /f
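The Run-key rows in the "Adds Run key to start application" table above and the schtasks command lines just listed describe one persistence set: every dropped image gets a Run value under both HKLM and HKCU plus three scheduled tasks (one ONLOGON task with /rl HIGHEST and two MINUTE re-launch tasks with different intervals), and each image borrows a Windows process name (spoolsv, wininit, dllhost, RuntimeBroker, Registry) while living outside System32. The Python below is an added example, not code from this report or the sandbox, that parses both row formats and correlates them per target image. The sample rows are copied from this report; the list of system process names used for the masquerade check and the set of "normal" root directories are this example's own assumptions.

```python
import re
from collections import defaultdict

# Assumption of this example: names of Windows system processes that droppers
# like to borrow. The genuine binaries live in System32/SysWOW64; "Registry"
# and "Idle" are kernel-side processes with no on-disk executable at all.
SYSTEM_NAMES = {"spoolsv", "wininit", "dllhost", "runtimebroker", "svchost", "csrss",
                "lsass", "winlogon", "services", "smss", "explorer", "idle", "registry"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
NORMAL_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
                "c:\\users\\", "c:\\programdata\\")

RUN_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^ ]+) = "(?P<val>.*)"$')
TASK_RE = {
    "tn": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "sc": re.compile(r"/sc\s+(\S+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "tr": re.compile(r"/tr\s+\"'?([^'\"]+)'?\"", re.I),
}


def _grab(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None


def parse_run_row(row):
    """Sandbox 'Set value (str)' Run-key row -> (hive, value name, image path)."""
    m = RUN_RE.search(row)
    if not m:
        return None
    hive = "HKLM" if "\\REGISTRY\\MACHINE\\" in row else "HKCU"
    # The sandbox prints the REG_SZ data as an escaped, quoted string.
    image = m.group("val").replace("\\\\", "\\").replace('\\"', '"').strip('"')
    return hive, m.group("name"), image


def parse_schtasks(cmdline):
    """schtasks /create command line -> dict of /tn, /sc, /mo, /tr and /rl HIGHEST."""
    if "/create" not in cmdline.lower():
        return None
    task = {key: _grab(rx, cmdline) for key, rx in TASK_RE.items()}
    task["rl_highest"] = re.search(r"/rl\s+HIGHEST", cmdline, re.I) is not None
    return task


def path_findings(image):
    """Flag a persisted image that masquerades as, or sits where, it should not."""
    p = image.lower()
    name = p.rsplit("\\", 1)[-1].removesuffix(".exe")
    out = []
    if name in SYSTEM_NAMES and not p.startswith(SYSTEM_DIRS):
        out.append(f"{name}.exe masquerades as a Windows process outside System32")
    if not p.startswith(NORMAL_ROOTS):
        out.append("executable lives under a non-standard root directory")
    return out


def correlate(run_rows, schtasks_cmdlines):
    """Group Run keys and tasks by target image; return {image: run_keys/tasks/findings}."""
    targets = defaultdict(lambda: {"run_keys": [], "tasks": [], "findings": []})
    for row in run_rows:
        parsed = parse_run_row(row)
        if parsed:
            hive, name, image = parsed
            targets[image.lower()]["run_keys"].append((hive, name))
    for cmdline in schtasks_cmdlines:
        task = parse_schtasks(cmdline)
        if task and task["tr"]:
            targets[task["tr"].lower()]["tasks"].append(task)
    for image, info in targets.items():
        f = info["findings"]
        f.extend(path_findings(image))
        schedules = [t["sc"].upper() for t in info["tasks"] if t["sc"]]
        if "ONLOGON" in schedules and schedules.count("MINUTE") >= 2:
            f.append("DcRat-style task set: ONLOGON plus two MINUTE re-launch tasks")
        if any(t["rl_highest"] for t in info["tasks"]):
            f.append("task uses /rl HIGHEST (highest privileges the creating account holds)")
        if info["run_keys"] and info["tasks"]:
            f.append("same image persisted via both Run key and scheduled task")
    return dict(targets)


# Constructed sample: a subset of the rows and command lines from this report.
SAMPLE_RUN_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\""',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\spoolsv.exe\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webrefSession = "\"C:\\Providerinto\\webrefSession.exe\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\""',
]
SAMPLE_SCHTASKS = [
    r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /f''',
    r'''schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "webrefSessionw" /sc MINUTE /mo 13 /tr "'C:\Providerinto\webrefSession.exe'" /f''',
    r'''schtasks.exe /create /tn "webrefSession" /sc ONLOGON /tr "'C:\Providerinto\webrefSession.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "webrefSessionw" /sc MINUTE /mo 14 /tr "'C:\Providerinto\webrefSession.exe'" /rl HIGHEST /f''',
]

if __name__ == "__main__":
    for image, info in correlate(SAMPLE_RUN_ROWS, SAMPLE_SCHTASKS).items():
        print(image, len(info["run_keys"]), "run keys,", len(info["tasks"]), "tasks")
        for finding in info["findings"]:
            print("   -", finding)
```

On a live host the same correlation can be fed from `Get-ScheduledTask | Select-Object -ExpandProperty Actions` and the two Run keys; the point of grouping by target image rather than by task name is that the task names here are all different (spoolsv, spoolsvs, RegistryR, ...) while the image each one launches is the same dropped file.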

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45MTYscXym.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe

"C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe"
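Read together, the WriteProcessMemory table and the command lines above give the whole execution chain: the sample launches WScript.exe on a .vbe, which launches cmd.exe on a .bat, which launches the dropped webrefSession.exe from C:\Providerinto; that binary then calls csc.exe to compile a temporary .cs file (writing the result into System32), and later runs a second batch that sets the code page, sleeps with `ping -n 10 localhost` and starts the spoolsv.exe copy. Separately, the "Process spawned unexpected child process" rows at the top of this section show schtasks.exe under WmiPrvSE.exe, which is what process creation through WMI (Win32_Process.Create) looks like in a process tree. The Python below is an added example, not code from this report or the sandbox, that rebuilds the tree from process-creation events and flags those four patterns. The event list is constructed from this report's PIDs and command lines; the PIDs for WmiPrvSE.exe and its schtasks child are assumed because the report shows only the parent image.

```python
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WINDOWS_DIR = "c:\\windows\\"
# "ping -n N localhost" is a batch-file sleep of roughly N seconds; "timeout" is the honest equivalent.
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def in_trusted_dir(image):
    return image.lower().startswith(TRUSTED_DIRS)


def analyse(events):
    """events: iterable of (pid, ppid, image, cmdline). Returns [(pid, rule, detail)]."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)

    def parent_image(pid):
        ppid = by_pid.get(pid, (None,))[0]
        return by_pid[ppid][1] if ppid in by_pid else None

    findings = []
    for pid, (ppid, image, cmd) in by_pid.items():
        name = basename(image)
        pimg = parent_image(pid)
        pname = basename(pimg) if pimg else None

        # 1. script host -> cmd.exe -> executable from an untrusted directory (dropper chain)
        if not in_trusted_dir(image) and pname == "cmd.exe":
            gp = parent_image(ppid)
            if gp and basename(gp) in SCRIPT_HOSTS:
                findings.append((pid, "script-host dropper chain", f"{basename(gp)} -> cmd.exe -> {image}"))

        # 2. the C# compiler started by something that is not a development tool
        if name == "csc.exe" and pimg and not in_trusted_dir(pimg):
            findings.append((pid, "runtime csc.exe compilation", f"parent {pimg}"))

        # 3. schtasks.exe whose parent is WmiPrvSE.exe: the task was created via WMI
        if name == "schtasks.exe" and pname == "wmiprvse.exe":
            findings.append((pid, "schtasks via WMI", cmd))

        # 4. cmd.exe batch that sleeps with ping and then launches a non-Windows executable
        if name == "cmd.exe":
            kids = [by_pid[c] for c in children[pid]]
            delays = [int(m.group(1)) for m in (PING_SLEEP.search(c) for _, _, c in kids) if m]
            launched = [img for _, img, _ in kids
                        if img.lower().endswith(".exe") and not img.lower().startswith(WINDOWS_DIR)]
            if delays and launched:
                findings.append((pid, "ping-delayed launch",
                                 f"ping -n {max(delays)} (~{max(delays)} s) then {', '.join(launched)}"))
    return findings


# Constructed sample: the behavioral1 process chain from this report. PIDs 4400/4420 are assumed.
SAMPLE_EVENTS = [
    (4704, 1, r"C:\Users\Admin\AppData\Local\Temp\84ffe1fe9ff878e3cf0a4f91a9a57964845dc96634fc11e95ee0ef8edb2ce719.exe", ""),
    (3980, 4704, r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Providerinto\jxEdxGsN64kiOqEUGJ67IuxvNwoevsckopc9pvSU.vbe"'),
    (2068, 3980, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Providerinto\Bn5IdhR1tUpuTxK5hmOWWYzImaYN1V5cjqGFLj.bat" "'),
    (1156, 2068, r"C:\Providerinto\webrefSession.exe", r'"C:\Providerinto/webrefSession.exe"'),
    (2508, 1156, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", r'csc.exe /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ud3kigp\2ud3kigp.cmdline"'),
    (3152, 2508, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe", "cvtres.exe /NOLOGO /READONLY"),
    (4804, 1156, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45MTYscXym.bat"'),
    (4748, 4804, r"C:\Windows\system32\chcp.com", "chcp 65001"),  # UTF-8 code page so the batch parses
    (4768, 4804, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    (4260, 4804, r"C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe", r'"C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe"'),
    (4400, 1, r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiprvse.exe"),
    (4420, 4400, r"C:\Windows\system32\schtasks.exe", r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Providerinto\RuntimeBroker.exe'" /rl HIGHEST /f'''),
]

if __name__ == "__main__":
    for pid, rule, detail in analyse(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

The same four rules map directly onto Sysmon event ID 1 (ParentImage, Image, CommandLine) or EDR process-creation telemetry; the `ping -n N localhost` rule is the one most worth keeping broad, since the report's batch uses it purely as a delay before launching the renamed spoolsv.exe copy.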

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 427176cm.nyashkoon.in udp
FR 37.44.238.250:80 427176cm.nyashkoon.in tcp
FR 37.44.238.250:80 427176cm.nyashkoon.in tcp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 250.238.44.37.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Providerinto\jxEdxGsN64kiOqEUGJ67IuxvNwoevsckopc9pvSU.vbe

MD5 e9b28a6c1dcf0251811da0e9b23eaa4b
SHA1 9cee1ece8bf61d4088e604697b0ef0662e27dce3
SHA256 cfc6ef18996e238555dad4daa17f08ee502bc3e8f6a4c315939522b3944c54b0
SHA512 eba575e7ff8ddacf8f2dad24ef99dc448b4abccaad05904c1a7156a1a04f5df87c8997795858ca980f340f11e4be9236fe7ffdd5f858634a0cf9a118d66f760c

C:\Providerinto\Bn5IdhR1tUpuTxK5hmOWWYzImaYN1V5cjqGFLj.bat

MD5 53d8109386eeba065202d0cf2138f459
SHA1 d5972faee3997246c7ffa5c53e1c2d8cc2b3803a
SHA256 3e551e685fa443e19c1cef210062d7c4b960c9c5d538e692ac0eaeb47e09ee4f
SHA512 55a0633b1d9c9d1b30f9efb0acff436c2a591f55c2dcf56c67038794ed31e06cb384ab8e1a0969903956789279a7d9b28c20a5e51c837b0c3bf24aa33ed23313

C:\Providerinto\webrefSession.exe

MD5 aa47cc8dc99f5a7b574343c64bb23044
SHA1 047dbd74b8beaf914c5ca58ab53a6cae2e33e603
SHA256 27cc2a9fb4fce7185c7a3ff203e7bfe7133fa3f489aab93bf63534b1b2615b99
SHA512 7790eacbf8973d000e6e35210b165e7569446445c438a3761987d2fe90553218e5f999efe862ffeacd2d3065b6c4972cb045030b3f3ee0ce32772f532c34d628

memory/1156-12-0x00007FF9D35A3000-0x00007FF9D35A5000-memory.dmp

memory/1156-13-0x00000000005F0000-0x00000000007CC000-memory.dmp

memory/1156-15-0x0000000001230000-0x000000000123E000-memory.dmp

memory/1156-17-0x000000001B3F0000-0x000000001B40C000-memory.dmp

memory/1156-18-0x000000001C250000-0x000000001C2A0000-memory.dmp

memory/1156-20-0x000000001B410000-0x000000001B428000-memory.dmp

memory/1156-22-0x00000000029E0000-0x00000000029EE000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\2ud3kigp\2ud3kigp.cmdline

MD5 48a68d28b702d249d3169dccd3ce72a6
SHA1 e8c5a6977d8fd06fa681b8f699fdf66c36043135
SHA256 fadfa034c864623d3203273d38251dee19b8025c25bd504f2ee3ad6ddd23e0af
SHA512 7ffc056a3d38277a333f997116d2e0be6032746cdddcbaa00febd3eb01f1c55d4a8c6ac0eb022b3c44f6b799aae472eba4ccb9f2175548412cd01ce5ceed2228

\??\c:\Users\Admin\AppData\Local\Temp\2ud3kigp\2ud3kigp.0.cs

MD5 3b5f64ad501dd3e8fac40345b2f88ef9
SHA1 45c74bcb30ebeffd22f0cce22c301e533c0f4b89
SHA256 4952739a3861af03ab0cd986aab1e47be92e4ca351df43a98da67947f257e034
SHA512 cd4a2c04069e2a23b79d5e4cbc37c795b43594465d281573698fa1581c0f719fa7edc7a951ba4dacaa40f11f5de523efe6d6afc815c4685c8dbba2294f081981

\??\c:\Windows\System32\CSCCB5E4015BFA3471786199499D79B723D.TMP

MD5 75e32610d8ef6143201c7c28465fcda9
SHA1 b2bae99fade2dda07aecbe1659d184be0fc4e7a6
SHA256 97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b
SHA512 b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

C:\Users\Admin\AppData\Local\Temp\RES13B2.tmp

MD5 301ecc319ae1df11c01d3b6cb61e62f7
SHA1 86d3f56ef2c3a3d05a3b2294a39eaf5f25fb530d
SHA256 d7a1a43432f774d652e4c281f800d40acc3abf786fc4e760d96e1c6a85ab308f
SHA512 4113cbb3b2586ac48b6c47142dcb10a410328f8b7d6343f559fe0df86dfbf3a4975f40f744e4f5af106eca383005c99d0e467d55dfea70b7e6b1a81e9900a705

C:\Users\Admin\AppData\Local\Temp\45MTYscXym.bat

MD5 ab5212a0ce9dd61913bb5a87a04535d2
SHA1 cef8ab29b2d7c227111ae516123d54c9d2758d21
SHA256 9c6f4335bbf167e39de4e757df0e7e126b08aa173d49a5981f5f5e340a818993
SHA512 b94737e5dcd551467220254cb5c7dacc7a0d174e8b787b843eabb19e4da81a28aed5c6fb8d0d671434f022b004c2285ef0d58fabf77df8ec7bb4bc8c04edba0a

memory/4260-59-0x0000000002AC0000-0x0000000002AC8000-memory.dmp