Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 07:38

Static task: static1
Behavioral task: behavioral1
  Sample: adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
  Resource: win10v2004-20241007-en
General
Target: adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Size: 1.9MB
MD5: f93786885d2a064e5bfaa873d5adce3a
SHA1: 2f5607b932aca74701dd9aa0a581d7e6971df23f
SHA256: adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca
SHA512: 61d28dc832fd3ec100841323e1cdb3da166c0673bfbb20ab2ccff25d0e90b407b05fe8f59eb0ce93c0fdf130aa2b12e0cc7ce2158b4b2a22f51d7701550782c9
SSDEEP: 49152:HN54VMGOhLmPkO4koPyVu5eAEfgPwNqsrui:v0vEf8u5eAmFZ
Malware Config

Signatures

DcRat (16 IoCs)
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
description | ioc | pid | Process
| | 4212 | schtasks.exe
| | 3128 | schtasks.exe
| | 468 | schtasks.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\mfc110deu\\sihost.exe\"" | | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Fonts\\fontdrvhost.exe\"" | | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
| | 1612 | schtasks.exe
| | 5084 | schtasks.exe
| | 3132 | schtasks.exe
| | 4320 | schtasks.exe
| | 4588 | schtasks.exe
| | 1780 | schtasks.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\"" | | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
| | 3476 | schtasks.exe
| | 5004 | schtasks.exe
| | 2620 | schtasks.exe
Dcrat family
resource | yara_rule
behavioral2/memory/4088-1-0x0000000000C30000-0x000000000112A000-memory.dmp | dcrat
behavioral2/memory/4088-2-0x0000000000C30000-0x000000000112A000-memory.dmp | dcrat
behavioral2/memory/4088-19-0x0000000000C30000-0x000000000112A000-memory.dmp | dcrat
behavioral2/memory/3636-22-0x0000000000C30000-0x000000000112A000-memory.dmp | dcrat
behavioral2/memory/3636-23-0x0000000000C30000-0x000000000112A000-memory.dmp | dcrat
behavioral2/memory/3636-47-0x0000000000C30000-0x000000000112A000-memory.dmp | dcrat
behavioral2/memory/2324-53-0x0000000000120000-0x000000000061A000-memory.dmp | dcrat
behavioral2/memory/2324-54-0x0000000000120000-0x000000000061A000-memory.dmp | dcrat
behavioral2/memory/2324-61-0x0000000000120000-0x000000000061A000-memory.dmp | dcrat

Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3128 | 4512 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4212 | 4512 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 468 | 4512 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3476 | 4512 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5004 | 4512 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1612 | 4512 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2620 | 4512 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5084 | 4512 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3132 | 4512 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4320 | 4512 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4588 | 4512 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1780 | 4512 | schtasks.exe | 84
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | RuntimeBroker.exe
Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RuntimeBroker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RuntimeBroker.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Executes dropped EXE (1 IoCs)
pid | Process
2324 | RuntimeBroker.exe
Identifies Wine through registry keys (2 TTPs, 3 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | RuntimeBroker.exe
Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007091358_000_dotnet_runtime_8.0.2_win_x64.msi\\adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe\"" | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\DeviceDisplayStatusManager\\lsass.exe\"" | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Documents and Settings\\csrss.exe\"" | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\"" | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\"" | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Fonts\\fontdrvhost.exe\"" | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\runas\\RuntimeBroker.exe\"" | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\Templates\\Idle.exe\"" | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\mfc110deu\\sihost.exe\"" | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\es-ES\\Licenses\\Volume\\dllhost.exe\"" | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources\\SearchApp.exe\"" | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ProgramData\\Application Data\\RuntimeBroker.exe\"" | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\runas\RuntimeBroker.exe | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
File created | C:\Windows\SysWOW64\es-ES\Licenses\Volume\dllhost.exe | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
File created | C:\Windows\SysWOW64\DeviceDisplayStatusManager\lsass.exe | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
File created | C:\Windows\SysWOW64\mfc110deu\sihost.exe | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
File created | C:\Windows\SysWOW64\mfc110deu\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
File opened for modification | C:\Windows\SysWOW64\runas\RuntimeBroker.exe | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
File created | C:\Windows\SysWOW64\runas\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
File created | C:\Windows\SysWOW64\es-ES\Licenses\Volume\5940a34987c99120d96dace90a3f93f329dcad63 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
File created | C:\Windows\SysWOW64\DeviceDisplayStatusManager\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid | Process
4088 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
3636 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
2324 | RuntimeBroker.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Fonts\fontdrvhost.exe | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
File created | C:\Windows\Fonts\5b884080fd4f94e2695da25c503f9e33b9605b83 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\SearchApp.exe | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\38384e6a620884a6b69bcc56f80d556f9200171c | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | w32tm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RuntimeBroker.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | w32tm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3128 | schtasks.exe
4212 | schtasks.exe
468 | schtasks.exe
5004 | schtasks.exe
1612 | schtasks.exe
2620 | schtasks.exe
5084 | schtasks.exe
4320 | schtasks.exe
4588 | schtasks.exe
1780 | schtasks.exe
3476 | schtasks.exe
3132 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process
4088 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
4088 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
4088 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
3636 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
3636 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
3636 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
2324 | RuntimeBroker.exe
2324 | RuntimeBroker.exe
2324 | RuntimeBroker.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4088 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Token: SeDebugPrivilege | 3636 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe
Token: SeDebugPrivilege | 2324 | RuntimeBroker.exe
Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 4088 wrote to memory of 3708 | 4088 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe | 88
PID 4088 wrote to memory of 3708 | 4088 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe | 88
PID 4088 wrote to memory of 3708 | 4088 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe | 88
PID 3708 wrote to memory of 1172 | 3708 | cmd.exe | 90
PID 3708 wrote to memory of 1172 | 3708 | cmd.exe | 90
PID 3708 wrote to memory of 1172 | 3708 | cmd.exe | 90
PID 1172 wrote to memory of 3056 | 1172 | w32tm.exe | 91
PID 1172 wrote to memory of 3056 | 1172 | w32tm.exe | 91
PID 3708 wrote to memory of 3636 | 3708 | cmd.exe | 94
PID 3708 wrote to memory of 3636 | 3708 | cmd.exe | 94
PID 3708 wrote to memory of 3636 | 3708 | cmd.exe | 94
PID 3636 wrote to memory of 3396 | 3636 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe | 106
PID 3636 wrote to memory of 3396 | 3636 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe | 106
PID 3636 wrote to memory of 3396 | 3636 | adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe | 106
PID 3396 wrote to memory of 5012 | 3396 | cmd.exe | 108
PID 3396 wrote to memory of 5012 | 3396 | cmd.exe | 108
PID 3396 wrote to memory of 5012 | 3396 | cmd.exe | 108
PID 5012 wrote to memory of 4544 | 5012 | w32tm.exe | 109
PID 5012 wrote to memory of 4544 | 5012 | w32tm.exe | 109
PID 3396 wrote to memory of 2324 | 3396 | cmd.exe | 110
PID 3396 wrote to memory of 2324 | 3396 | cmd.exe | 110
PID 3396 wrote to memory of 2324 | 3396 | cmd.exe | 110
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe"
- DcRat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4088

  C:\Windows\SysWOW64\cmd.exe (depth 2)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkdtXEKxnY.bat"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3708

    C:\Windows\SysWOW64\w32tm.exe (depth 3)
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1172

      C:\Windows\system32\w32tm.exe (depth 4)
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 3056
    C:\Users\Admin\AppData\Local\Temp\adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3636

      C:\Windows\SysWOW64\cmd.exe (depth 4)
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Iai6fTbo2h.bat"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3396

        C:\Windows\SysWOW64\w32tm.exe (depth 5)
        Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 5012

          C:\Windows\system32\w32tm.exe (depth 6)
          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 4544

        C:\ProgramData\Application Data\RuntimeBroker.exe (depth 5)
        Command line: "C:\ProgramData\Application Data\RuntimeBroker.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2324
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3128

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\mfc110deu\sihost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4212

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Fonts\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 468

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\runas\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3476

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\Templates\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5004

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\es-ES\Licenses\Volume\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1612

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007091358_000_dotnet_runtime_8.0.2_win_x64.msi\adebff4c705c3b2f33f51042bdba1094f29d33f24b456ddb1465be3f7f80b3ca.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2620

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\DeviceDisplayStatusManager\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5084

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\SearchApp.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3132

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4320

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4588

C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1780
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)