Malware Analysis Report

2024-12-07 03:17

Sample ID 241114-e8nyjsvdmp
Target fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440
SHA256 fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440

Threat Level: Known bad

The file fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

Process spawned unexpected child process

DCRat payload

DcRat

Drops file in Drivers directory

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 04:36

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 04:36

Reported

2024-11-14 04:39

Platform

win7-20241010-en

Max time kernel

28s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (12 events, one per schtasks /create command listed under Processes)

Note: the parent recorded for every schtasks.exe launch is WmiPrvSE.exe, not the sample. That is what a process created through WMI (Win32_Process.Create) looks like, because the child is started by the WMI provider host. A parent-child rule keyed on the dropper's image name therefore misses the task creation; key it on WmiPrvSE.exe spawning schtasks.exe with /create instead.

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (4 matches, no indicator details recorded)

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXB8CA.tmp C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXB948.tmp C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\de-DE\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\c2662095ba9aa8 C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A (27 events)
N/A N/A C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe N/A (37 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe

"C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440f" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440f" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E969IshFWt.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe

"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe"

Network

Country Destination Domain Proto
SE 5.42.85.163:80 tcp (2 connections)

Files

memory/2496-0-0x000007FEF6133000-0x000007FEF6134000-memory.dmp

memory/2496-1-0x00000000000D0000-0x000000000025E000-memory.dmp

memory/2496-2-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

memory/2496-3-0x00000000005E0000-0x00000000005FC000-memory.dmp

memory/2496-4-0x0000000000600000-0x0000000000608000-memory.dmp

memory/2496-5-0x0000000000610000-0x0000000000620000-memory.dmp

memory/2496-6-0x00000000020F0000-0x0000000002106000-memory.dmp

memory/2496-7-0x0000000001F50000-0x0000000001F60000-memory.dmp

memory/2496-8-0x0000000002200000-0x0000000002208000-memory.dmp

memory/2496-10-0x0000000002210000-0x0000000002218000-memory.dmp

memory/2496-11-0x0000000002220000-0x000000000222C000-memory.dmp

memory/2496-12-0x0000000002230000-0x000000000223E000-memory.dmp

memory/2496-13-0x0000000002240000-0x0000000002248000-memory.dmp

memory/2496-14-0x0000000002250000-0x000000000225C000-memory.dmp

memory/2496-15-0x00000000022E0000-0x00000000022E8000-memory.dmp

memory/2496-16-0x000000001A770000-0x000000001A77A000-memory.dmp

memory/2496-17-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

memory/2496-20-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

memory/2496-25-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RCXB1E2.tmp

MD5 3f46b4fc008b1267c97e905c89ca60bf
SHA1 05725fe5083fc1f15d61a052dc5d3bbab3e34742
SHA256 fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440 (identical to the submitted sample)
SHA512 d14ec2b39a4a3c906a3f3575a7e3667df33bcbc113eba0da98a906d94bab9f4ada71b79abfe01db28316035b1d87087518bcfd5bc45c094994b56a8efa603b9a

C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXB948.tmp

MD5 69abe05f0c575421d22713a125451907
SHA1 689e17a08e178e529237de4af4271ceee655fa97
SHA256 fb86df650a9a35807d8a07b83a9afb02017520dad007be481a64daa1aeceb4ab
SHA512 96e8bce6f2f9984a7f67554a3e4413e0145fcc658798eda5b31aed931af934a6b1e14f9cb4f0bb4044668f325b9892dac7ecd19c9ab0a1bd5c4b0262479c9acf

C:\Users\Admin\AppData\Local\Temp\E969IshFWt.bat

MD5 1bcb856942c3e75209755acfde382c2f
SHA1 1437812c2f8c97abc6a6278775fd86bbd1b9b3dd
SHA256 84c143a92241d5ec8f35d91a359325b924c13c78f5ee23b84e532f29037bd955
SHA512 53e510b19cfa638903436d732778faf2a285b7182d1be537be4675999e8f49f290ffc6c155efa26e5b7d80b21cab7f7b51194434cccb5f08124d63e436313fd5

memory/2496-84-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

memory/2436-87-0x0000000000BE0000-0x0000000000D6E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 04:36

Reported

2024-11-14 04:39

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (12 events, one per schtasks /create command listed under Processes; a process created through WMI has WmiPrvSE.exe as its parent)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (2 matches, no indicator details recorded)

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Mail\sihost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Mail\sihost.exe C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\sihost.exe C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File created C:\Program Files (x86)\Windows Mail\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\RCX1A5B.tmp C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\RCX1A6C.tmp C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Globalization\Time Zone\upfc.exe C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File created C:\Windows\IdentityCRL\production\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File opened for modification C:\Windows\Globalization\Time Zone\upfc.exe C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File opened for modification C:\Windows\IdentityCRL\production\RCX1E95.tmp C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File opened for modification C:\Windows\IdentityCRL\production\RCX1E96.tmp C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File created C:\Windows\Globalization\Time Zone\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File created C:\Windows\IdentityCRL\production\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File opened for modification C:\Windows\Globalization\Time Zone\RCX1C80.tmp C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File opened for modification C:\Windows\Globalization\Time Zone\RCX1C81.tmp C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
File opened for modification C:\Windows\IdentityCRL\production\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A (16 events)
N/A N/A C:\Program Files (x86)\Windows Mail\sihost.exe N/A (48 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Mail\sihost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe

"C:\Users\Admin\AppData\Local\Temp\fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\Time Zone\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\Time Zone\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\IdentityCRL\production\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\IdentityCRL\production\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Sun\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Sun\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\Sun\dllhost.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Windows Mail\sihost.exe

"C:\Program Files (x86)\Windows Mail\sihost.exe"
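The process trees of both detonations show the same scheduled-task recipe for every dropped copy: three schtasks /create calls per target, a MINUTE task without a run level, an ONLOGON task at /rl HIGHEST, and then the MINUTE task again under the same /tn with /rl HIGHEST and /f, so the second definition replaces the first. The task names are the target file name plus one padding character (sihosts, upfcu, dllhostd, WmiPrvSEW), and every target borrows the name of a real Windows binary from a directory that is not System32. The following is an added example, not part of the sandbox report, that parses those command lines, replays the /f overwrites to find the tasks that are actually live, and lists the traits a hunter would key on. The input lines are copied from the Processes sections above (all twelve from behavioral2 and the three WmiPrvSE tasks from behavioral1); the list of imitated binary names and the 15-minute interval cut-off are assumptions for the example.

```python
"""Parse the schtasks /create command lines from the process tree and surface
the persistence traits they carry: a target that borrows a Windows binary
name outside System32, a task name padded from that file name, HIGHEST run
level, minute-scale or logon re-launch, and repeated /tn definitions where
/f makes the last one the live task."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed input: command lines copied from the Processes sections above
# (the twelve from behavioral2 and the three WmiPrvSE tasks from behavioral1).
SCHTASKS_LINES = [
    r"""schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f""",
    r"""schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\Time Zone\upfc.exe'" /f""",
    r"""schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\upfc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\Time Zone\upfc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\IdentityCRL\production\backgroundTaskHost.exe'" /f""",
    r"""schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\backgroundTaskHost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\IdentityCRL\production\backgroundTaskHost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Sun\dllhost.exe'" /f""",
    r"""schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Sun\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\Sun\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f""",
    r"""schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f""",
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\system32\wbem"}
# Genuine Windows binary names the targets above imitate (assumed list; extend from a System32 inventory).
WINDOWS_BINARIES = {"wmiprvse", "dllhost", "spoolsv", "sihost", "upfc", "backgroundtaskhost"}

_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_SC = re.compile(r"/sc\s+(\S+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_RL = re.compile(r"/rl\s+(\S+)", re.I)
_TR = re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I)   # strips the "'...'" double quoting
_FORCE = re.compile(r"\s/f\b", re.I)


@dataclass
class Task:
    name: str
    schedule: str            # MINUTE, ONLOGON, ...
    modifier: Optional[int]  # /mo value, None when absent
    run_level: str           # schtasks defaults to LIMITED when /rl is omitted
    target: str
    force: bool


def parse_schtasks(line: str) -> Optional[Task]:
    """Parse one schtasks /create command line; return None for anything else."""
    if "/create" not in line.lower():
        return None
    tn, tr = _TN.search(line), _TR.search(line)
    if not (tn and tr):
        return None
    sc, mo, rl = _SC.search(line), _MO.search(line), _RL.search(line)
    return Task(
        name=tn.group(1),
        schedule=sc.group(1).upper() if sc else "",
        modifier=int(mo.group(1)) if mo else None,
        run_level=rl.group(1).upper() if rl else "LIMITED",
        target=tr.group(1),
        force=bool(_FORCE.search(line)),
    )


def effective_tasks(lines: List[str]) -> Tuple[Dict[str, Task], List[str]]:
    """Replay the creations in order: with /f a later /create on the same /tn
    replaces the earlier definition, so only the last one is live."""
    live: Dict[str, Task] = {}
    replaced: List[str] = []
    for line in lines:
        task = parse_schtasks(line)
        if task is None:
            continue
        if task.name in live and task.force:
            replaced.append(task.name)
        live[task.name] = task
    return live, replaced


def assess(task: Task) -> List[str]:
    findings = []
    path = PureWindowsPath(task.target)
    stem, parent, name = path.stem.lower(), str(path.parent).lower(), task.name.lower()
    if stem in WINDOWS_BINARIES and parent not in SYSTEM_DIRS:
        findings.append(f"target borrows the Windows binary name {path.name} outside System32")
    if name == stem or (len(name) == len(stem) + 1 and name[:-1] == stem):
        findings.append("task name derived from target file name")
    if task.run_level == "HIGHEST":
        findings.append("runs with highest available privileges")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= 15:
        findings.append(f"re-launched every {task.modifier} minute(s)")
    if task.schedule == "ONLOGON":
        findings.append("re-launched at every logon")
    return findings


if __name__ == "__main__":
    live, replaced = effective_tasks(SCHTASKS_LINES)
    print("task names redefined with /f:", sorted(replaced))
    for name, task in live.items():
        print(f"{name}: {task.schedule} {task.modifier or ''} {task.run_level} -> {task.target}")
        for finding in assess(task):
            print("   -", finding)
```

Replaying the overwrites matters for cleanup: querying the live task named WmiPrvSEW shows the 11-minute HIGHEST definition, not the 14-minute one, and a response that deletes only the first observed definition's schedule would be chasing a task that no longer exists. Feeding the same parser the Security log's process-creation events (4688 with command-line auditing on) turns it into a hunt across a fleet.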

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
SE 5.42.85.163:80 tcp (2 connections)
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

memory/5056-0-0x00007FFF30E43000-0x00007FFF30E45000-memory.dmp

memory/5056-1-0x00000000007F0000-0x000000000097E000-memory.dmp

memory/5056-2-0x00007FFF30E40000-0x00007FFF31901000-memory.dmp

memory/5056-3-0x000000001B470000-0x000000001B48C000-memory.dmp

memory/5056-6-0x000000001B4B0000-0x000000001B4C0000-memory.dmp

memory/5056-5-0x000000001B490000-0x000000001B498000-memory.dmp

memory/5056-4-0x000000001BB30000-0x000000001BB80000-memory.dmp

memory/5056-7-0x000000001B4C0000-0x000000001B4D6000-memory.dmp

memory/5056-8-0x000000001B4E0000-0x000000001B4F0000-memory.dmp

memory/5056-9-0x000000001B4F0000-0x000000001B4F8000-memory.dmp

memory/5056-12-0x000000001B510000-0x000000001B51C000-memory.dmp

memory/5056-11-0x000000001B500000-0x000000001B508000-memory.dmp

memory/5056-14-0x000000001BC90000-0x000000001BC98000-memory.dmp

memory/5056-15-0x000000001BDA0000-0x000000001BDAC000-memory.dmp

memory/5056-13-0x000000001BC80000-0x000000001BC8E000-memory.dmp

memory/5056-16-0x000000001BEF0000-0x000000001BEF8000-memory.dmp

memory/5056-17-0x000000001BF00000-0x000000001BF0A000-memory.dmp

memory/5056-20-0x00007FFF30E40000-0x00007FFF31901000-memory.dmp

memory/5056-21-0x00007FFF30E40000-0x00007FFF31901000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RCX174D.tmp

MD5 3f46b4fc008b1267c97e905c89ca60bf
SHA1 05725fe5083fc1f15d61a052dc5d3bbab3e34742
SHA256 fc509ede93c53963e746ce703748657aad8ec57542d722ff7f0d26c1eed2e440 (identical to the submitted sample)
SHA512 d14ec2b39a4a3c906a3f3575a7e3667df33bcbc113eba0da98a906d94bab9f4ada71b79abfe01db28316035b1d87087518bcfd5bc45c094994b56a8efa603b9a

memory/5056-141-0x00007FFF30E40000-0x00007FFF31901000-memory.dmp