225e120cff3c4735693f6297f074cc50a7eb21709668ac7b283514a497296478

General

Target

DCRatBuild.exe
Size

1.4MB
MD5

890b09aea29e89eaf80df95deefb73c3
SHA1

3c6b2b2e635542eaaf4aefd3e0af6a285aefab50
SHA256

225e120cff3c4735693f6297f074cc50a7eb21709668ac7b283514a497296478
SHA512

2a8388fda1533b06d377ed46457cf2f68919ac62cd0ef6ff79a88383a60c1ca0b27a7dc6b1fdcde09f5a7f5b5b7389f27a2f4e79c7c5d2f01f0c602f3cec5421
SSDEEP

24576:9TbBv5rUCB0nQ1c9yzgS5o/mNHJK7CXiUgRRAJtndHr5k+jp9TO7:XBOQ1Iy0MYRIfj+

Score

10^/10

discovery

Malware Config

Signatures

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	4632	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	4632	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4632	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	4632	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5944	4632	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	4632	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4632	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	4632	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	4632	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	4632	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	4632	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	4632	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	4632	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	4632	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	4632	schtasks.exe	93

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x00070000000242fb-11.dat	net_reactor
behavioral2/memory/5596-13-0x0000000000740000-0x0000000000848000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	BlockFontdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
5596	BlockFontdhcp.exe
5280	SearchApp.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	ipinfo.io
61	ipinfo.io

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\ebf1f9fa8afd6d	BlockFontdhcp.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\cmd.exe	BlockFontdhcp.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\cmd.exe	BlockFontdhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	BlockFontdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	DCRatBuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1796	schtasks.exe
4288	schtasks.exe
3224	schtasks.exe
3580	schtasks.exe
4184	schtasks.exe
836	schtasks.exe
3696	schtasks.exe
3248	schtasks.exe
5944	schtasks.exe
1572	schtasks.exe
3196	schtasks.exe
3144	schtasks.exe
3996	schtasks.exe
1852	schtasks.exe
2580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5596	BlockFontdhcp.exe
5280	SearchApp.exe
5280	SearchApp.exe
5280	SearchApp.exe
5280	SearchApp.exe
5280	SearchApp.exe
5280	SearchApp.exe
5280	SearchApp.exe
5280	SearchApp.exe
5280	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5596	BlockFontdhcp.exe
Token: SeDebugPrivilege	5280	SearchApp.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 1500	2488	DCRatBuild.exe	87
PID 2488 wrote to memory of 1500	2488	DCRatBuild.exe	87
PID 2488 wrote to memory of 1500	2488	DCRatBuild.exe	87
PID 1500 wrote to memory of 1348	1500	WScript.exe	105
PID 1500 wrote to memory of 1348	1500	WScript.exe	105
PID 1500 wrote to memory of 1348	1500	WScript.exe	105
PID 1348 wrote to memory of 5596	1348	cmd.exe	107
PID 1348 wrote to memory of 5596	1348	cmd.exe	107
PID 5596 wrote to memory of 8	5596	BlockFontdhcp.exe	123
PID 5596 wrote to memory of 8	5596	BlockFontdhcp.exe	123
PID 8 wrote to memory of 2888	8	cmd.exe	125
PID 8 wrote to memory of 2888	8	cmd.exe	125
PID 8 wrote to memory of 5280	8	cmd.exe	126
PID 8 wrote to memory of 5280	8	cmd.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\reviewsavesperfCrtSvc\tzMZVm1abJD3pde4yd.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\reviewsavesperfCrtSvc\aYwgBEDNgkB8QtolbNtXXxbWyY.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\reviewsavesperfCrtSvc\BlockFontdhcp.exe
      "C:\reviewsavesperfCrtSvc\BlockFontdhcp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5596
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcqcPPlKxE.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2888
      - C:\7330c8a20692d0b35002ea5a\SearchApp.exe
        
        "C:\7330c8a20692d0b35002ea5a\SearchApp.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\My Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default\My Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Start Menu\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\7330c8a20692d0b35002ea5a\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\7330c8a20692d0b35002ea5a\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BcqcPPlKxE.bat

Filesize
206B

MD5
bd4199768f9e3f443b81bb07fc41d410

SHA1
51153e8fb441b01cdea5565ec56e28f383868df9

SHA256
c1c3a9e24bc3664ff06d92385cb2db40036ab63ea84d332be91cea33161b48ff

SHA512
50cfa0508848aa283af58ee325432e45ec3a0b0a5c799f665cf313ac3b1a1d76266b9faf6f2055bb6f1b669146ea4e7f82df336ad287ad0d1120dc539682946c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9385A.tmp

Filesize
564B

MD5
5bb950c6e84382764f219cc7f31d7f8f

SHA1
6ff110d4034b792ea7e06cc8154d56b98e3d357a

SHA256
617f5e06c216fef09a50612d5ad6ac2ff99c0fcacd1b70901154311b2f255f1f

SHA512
ee4b6c127d1f9f16647c5bff35188dca379043a08aa8ade22ec194446d592dde83a6e06965d50ca7d5202ddd011830e2c9d2c2f656f1482c62d2746c252a6649

Download Submit
C:\reviewsavesperfCrtSvc\BlockFontdhcp.exe

Filesize
1.0MB

MD5
3f658d28250f84d99535f21b813ec7cb

SHA1
a9b2cc33893de0489eacee3387d0ce8e925852ac

SHA256
8c46f055a6dacf41bea4eaca78b4a3eab9e95ec322a1224592f2d49ba0d0ab52

SHA512
5e7031c27a6025fee74d63b4590432a662885c8f237d4446f487c851b9c1be03fc43311fd09af028762c64da488bff41d13386cfaf5db0ec741be2e3537ee866

Download Submit
C:\reviewsavesperfCrtSvc\aYwgBEDNgkB8QtolbNtXXxbWyY.bat

Filesize
44B

MD5
db8867c0cc3be41674b6be7526a43ed0

SHA1
7633be3ae90e93f7f2db61814ba49604341bdfe3

SHA256
093e64e9e0ca0087984f60b67c531086646966361c6f3255fef2bb5c55d6dd8a

SHA512
bffb69ceab7517f863bf20849f51d967854da8863573869dc282d99f34680f411183977b56db4ac2351c0816fb535cbb628e0dad60fc4970ec3987b00c7493a7

Download Submit
C:\reviewsavesperfCrtSvc\tzMZVm1abJD3pde4yd.vbe

Filesize
225B

MD5
531f115a8a6adab2a86a1af79fb53765

SHA1
084f53afdd7317f85a148610d68c2931cc9c0465

SHA256
73b48abb75373b9f1bb726491723a345fa63bcbdf65d7ae416dbf3301671409a

SHA512
1a82abf9d3cb84192a4f3f0880a09e0ba3eeed6c2a798476eb78fa9c43bfb6ea5f3f401784f31091707c1be18579d0ac76e3a5402ee92e9eda8c3dec524a3d60

Download Submit
memory/5596-13-0x0000000000740000-0x0000000000848000-memory.dmp

Filesize
1.0MB

Download
memory/5596-12-0x00007FFA43C53000-0x00007FFA43C55000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads