dcrat | 98a6de25f542afaee3621feaf905566e3a5f60c99c5e1c051de2046cd803fb06

Analysis

max time kernel
133s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13f0462af330f984e6bf4f78ca0fd568.exe
Size

4.9MB
MD5

13f0462af330f984e6bf4f78ca0fd568
SHA1

d4cade4a691d79c8edb40a02036dda11190e4795
SHA256

98a6de25f542afaee3621feaf905566e3a5f60c99c5e1c051de2046cd803fb06
SHA512

f04865953da22dd552373cb1a6e027ed2adbe87ad8f3fdbf59145d70fbc6de1310451824f45cc613400b14a4fe333ffe8cb8bdf65407badbcc4a9b76769a8ea8
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	580	schtasks.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

13f0462af330f984e6bf4f78ca0fd568.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	13f0462af330f984e6bf4f78ca0fd568.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	13f0462af330f984e6bf4f78ca0fd568.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	13f0462af330f984e6bf4f78ca0fd568.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1444-55-0x000000001B230000-0x000000001B35E000-memory.dmp	dcrat

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

13f0462af330f984e6bf4f78ca0fd568.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	13f0462af330f984e6bf4f78ca0fd568.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	13f0462af330f984e6bf4f78ca0fd568.exe

Drops file in Program Files directory 20 IoCs

Processes:

13f0462af330f984e6bf4f78ca0fd568.exe

description	ioc	process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\0a1fd5f707cd16	13f0462af330f984e6bf4f78ca0fd568.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXC650.tmp	13f0462af330f984e6bf4f78ca0fd568.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe	13f0462af330f984e6bf4f78ca0fd568.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX135.tmp	13f0462af330f984e6bf4f78ca0fd568.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe	13f0462af330f984e6bf4f78ca0fd568.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\b75386f1303e64	13f0462af330f984e6bf4f78ca0fd568.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Idle.exe	13f0462af330f984e6bf4f78ca0fd568.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\6ccacd8608530f	13f0462af330f984e6bf4f78ca0fd568.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe	13f0462af330f984e6bf4f78ca0fd568.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\f3b6ecef712a24	13f0462af330f984e6bf4f78ca0fd568.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe	13f0462af330f984e6bf4f78ca0fd568.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\wininit.exe	13f0462af330f984e6bf4f78ca0fd568.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe	13f0462af330f984e6bf4f78ca0fd568.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXCECA.tmp	13f0462af330f984e6bf4f78ca0fd568.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\56085415360792	13f0462af330f984e6bf4f78ca0fd568.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXBDC7.tmp	13f0462af330f984e6bf4f78ca0fd568.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\wininit.exe	13f0462af330f984e6bf4f78ca0fd568.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Idle.exe	13f0462af330f984e6bf4f78ca0fd568.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\RCXE807.tmp	13f0462af330f984e6bf4f78ca0fd568.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe	13f0462af330f984e6bf4f78ca0fd568.exe

Drops file in Windows directory 4 IoCs

Processes:

13f0462af330f984e6bf4f78ca0fd568.exe

description	ioc	process
File opened for modification	C:\Windows\security\database\wininit.exe	13f0462af330f984e6bf4f78ca0fd568.exe
File created	C:\Windows\security\database\56085415360792	13f0462af330f984e6bf4f78ca0fd568.exe
File opened for modification	C:\Windows\security\database\RCXB4C2.tmp	13f0462af330f984e6bf4f78ca0fd568.exe
File created	C:\Windows\security\database\wininit.exe	13f0462af330f984e6bf4f78ca0fd568.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1524	schtasks.exe
1980	schtasks.exe
1860	schtasks.exe
1668	schtasks.exe
1772	schtasks.exe
1632	schtasks.exe
1172	schtasks.exe
1212	schtasks.exe
2000	schtasks.exe
436	schtasks.exe
1012	schtasks.exe
1284	schtasks.exe
1852	schtasks.exe
1420	schtasks.exe
1340	schtasks.exe
1496	schtasks.exe
596	schtasks.exe
1660	schtasks.exe
1572	schtasks.exe
1228	schtasks.exe
840	schtasks.exe
1968	schtasks.exe
1936	schtasks.exe
956	schtasks.exe
1032	schtasks.exe
972	schtasks.exe
1324	schtasks.exe
2008	schtasks.exe
108	schtasks.exe
820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

13f0462af330f984e6bf4f78ca0fd568.exe

pid process

1444 13f0462af330f984e6bf4f78ca0fd568.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

13f0462af330f984e6bf4f78ca0fd568.exe

description pid process

Token: SeDebugPrivilege 1444 13f0462af330f984e6bf4f78ca0fd568.exe

pid	process
1444	13f0462af330f984e6bf4f78ca0fd568.exe

description	pid	process
Token: SeDebugPrivilege	1444	13f0462af330f984e6bf4f78ca0fd568.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

13f0462af330f984e6bf4f78ca0fd568.exe

description	pid	process	target process
PID 1444 wrote to memory of 1228	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1228	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1228	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1860	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1860	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1860	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1580	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1580	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1580	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1660	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1660	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1660	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1428	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1428	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1428	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 2008	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 2008	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 2008	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1020	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1020	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1020	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1560	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1560	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1560	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1480	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1480	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1480	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1624	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1624	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1624	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1572	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1572	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1572	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 820	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 820	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 820	1444	13f0462af330f984e6bf4f78ca0fd568.exe	powershell.exe
PID 1444 wrote to memory of 1664	1444	13f0462af330f984e6bf4f78ca0fd568.exe	cmd.exe
PID 1444 wrote to memory of 1664	1444	13f0462af330f984e6bf4f78ca0fd568.exe	cmd.exe
PID 1444 wrote to memory of 1664	1444	13f0462af330f984e6bf4f78ca0fd568.exe	cmd.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

13f0462af330f984e6bf4f78ca0fd568.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	13f0462af330f984e6bf4f78ca0fd568.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	13f0462af330f984e6bf4f78ca0fd568.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	13f0462af330f984e6bf4f78ca0fd568.exe

C:\Users\Admin\AppData\Local\Temp\13f0462af330f984e6bf4f78ca0fd568.exe
"C:\Users\Admin\AppData\Local\Temp\13f0462af330f984e6bf4f78ca0fd568.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
PID:1228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
PID:1860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
PID:1580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
PID:1660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
PID:1428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
PID:2008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
PID:1020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
PID:1560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
PID:1624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
PID:1480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
PID:820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l07988a5Ko.bat"
2⤵
PID:1664

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2060

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe"
3⤵
PID:2200

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\603759d4-496d-4670-8dd0-c2b28242ef44.vbs"
4⤵
PID:2640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66407891-ac1b-495f-9125-47b464c0c65c.vbs"
4⤵
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\security\database\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\security\database\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\security\database\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:108

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
Filesize
4.9MB

MD5
13a535135482033ea7c7627764c084db

SHA1
fd489e52a11beb00dc031a67a2aaa62c3d80ab2b

SHA256
13e709b091f80a43d71482540099763a868dfd0b117fb2417d9b5f056f999507

SHA512
17eefaad3c66d0a088c7c82539b9f658b6accf2d20ec12023860a2468a1ddae71306a15fd04e35a4c52b96acde07962ea982b057c89ff40eb95cd2334e145898

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe
Filesize
4.9MB

MD5
13a535135482033ea7c7627764c084db

SHA1
fd489e52a11beb00dc031a67a2aaa62c3d80ab2b

SHA256
13e709b091f80a43d71482540099763a868dfd0b117fb2417d9b5f056f999507

SHA512
17eefaad3c66d0a088c7c82539b9f658b6accf2d20ec12023860a2468a1ddae71306a15fd04e35a4c52b96acde07962ea982b057c89ff40eb95cd2334e145898

Download Submit
C:\Users\Admin\AppData\Local\Temp\603759d4-496d-4670-8dd0-c2b28242ef44.vbs
Filesize
747B

MD5
6ab6f7c4643a81143aceeb38a0de81cf

SHA1
5f0f08620d7a8597daf3d6b59709bc1a53e14305

SHA256
ccdc257be2b936a18f12f14dd98367d58d019959055d43c48bdabc32136ad438

SHA512
120413b662c9386e2cdd62694a83a298c6b98d0cb28589e23cbc0df2353c921d80635121190cc179d4152508aa6a2bb8174674cc308794baa5873d364e0d9b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\66407891-ac1b-495f-9125-47b464c0c65c.vbs
Filesize
523B

MD5
108e8475b08ee2fe4fb64024bc6a24b2

SHA1
2a2b4d27ba43465a0845d6a0f1226c9f1db06a11

SHA256
05b25c7c15dbeaf0ba31ba5637ae313404698a77f7832c737d4d9c37c34439ab

SHA512
edd670c6a926d896240fd9e0625be3e3d09ad0483baa90675f72c51256fe7d7322114695dfe3d394c87c771507f97aa5ce2aaa932a4379abe59e6fccc28dcfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\l07988a5Ko.bat
Filesize
236B

MD5
7bdf79521d2325576be59e0349fbee6e

SHA1
52cea9b8a88b864457083b88b25ff6e2e16b7d9b

SHA256
ae8f5889d5258e6a61f94dd6754b3beb89bf788c94c09be63be1147c1b60a49d

SHA512
0fde9b69617f2621223b2f378476a898f66a5071ab250508a84335cf916722a70d17a064fc062b346bcc7fd99aa178f0261547bfe06485499f1f9e83f90c4c28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
87191e84592b710220028c33a30800c5

SHA1
539f564d5fee412abbacf4b68907b8e392bc9981

SHA256
12c96c3fd691b794c9dbdb4be97d4617f206368608aea1be7b37b7511012345f

SHA512
8fefcd386e0d4ae35b5a3f1ee56c8fcd4841cea534db50cf775338844d5f7ec35085daaeeb2dbff10de5f0685439885b995e18a3d22764b96ca1bc01feb3c945

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
87191e84592b710220028c33a30800c5

SHA1
539f564d5fee412abbacf4b68907b8e392bc9981

SHA256
12c96c3fd691b794c9dbdb4be97d4617f206368608aea1be7b37b7511012345f

SHA512
8fefcd386e0d4ae35b5a3f1ee56c8fcd4841cea534db50cf775338844d5f7ec35085daaeeb2dbff10de5f0685439885b995e18a3d22764b96ca1bc01feb3c945

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
87191e84592b710220028c33a30800c5

SHA1
539f564d5fee412abbacf4b68907b8e392bc9981

SHA256
12c96c3fd691b794c9dbdb4be97d4617f206368608aea1be7b37b7511012345f

SHA512
8fefcd386e0d4ae35b5a3f1ee56c8fcd4841cea534db50cf775338844d5f7ec35085daaeeb2dbff10de5f0685439885b995e18a3d22764b96ca1bc01feb3c945

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
87191e84592b710220028c33a30800c5

SHA1
539f564d5fee412abbacf4b68907b8e392bc9981

SHA256
12c96c3fd691b794c9dbdb4be97d4617f206368608aea1be7b37b7511012345f

SHA512
8fefcd386e0d4ae35b5a3f1ee56c8fcd4841cea534db50cf775338844d5f7ec35085daaeeb2dbff10de5f0685439885b995e18a3d22764b96ca1bc01feb3c945

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
87191e84592b710220028c33a30800c5

SHA1
539f564d5fee412abbacf4b68907b8e392bc9981

SHA256
12c96c3fd691b794c9dbdb4be97d4617f206368608aea1be7b37b7511012345f

SHA512
8fefcd386e0d4ae35b5a3f1ee56c8fcd4841cea534db50cf775338844d5f7ec35085daaeeb2dbff10de5f0685439885b995e18a3d22764b96ca1bc01feb3c945

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
87191e84592b710220028c33a30800c5

SHA1
539f564d5fee412abbacf4b68907b8e392bc9981

SHA256
12c96c3fd691b794c9dbdb4be97d4617f206368608aea1be7b37b7511012345f

SHA512
8fefcd386e0d4ae35b5a3f1ee56c8fcd4841cea534db50cf775338844d5f7ec35085daaeeb2dbff10de5f0685439885b995e18a3d22764b96ca1bc01feb3c945

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
87191e84592b710220028c33a30800c5

SHA1
539f564d5fee412abbacf4b68907b8e392bc9981

SHA256
12c96c3fd691b794c9dbdb4be97d4617f206368608aea1be7b37b7511012345f

SHA512
8fefcd386e0d4ae35b5a3f1ee56c8fcd4841cea534db50cf775338844d5f7ec35085daaeeb2dbff10de5f0685439885b995e18a3d22764b96ca1bc01feb3c945

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
87191e84592b710220028c33a30800c5

SHA1
539f564d5fee412abbacf4b68907b8e392bc9981

SHA256
12c96c3fd691b794c9dbdb4be97d4617f206368608aea1be7b37b7511012345f

SHA512
8fefcd386e0d4ae35b5a3f1ee56c8fcd4841cea534db50cf775338844d5f7ec35085daaeeb2dbff10de5f0685439885b995e18a3d22764b96ca1bc01feb3c945

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
87191e84592b710220028c33a30800c5

SHA1
539f564d5fee412abbacf4b68907b8e392bc9981

SHA256
12c96c3fd691b794c9dbdb4be97d4617f206368608aea1be7b37b7511012345f

SHA512
8fefcd386e0d4ae35b5a3f1ee56c8fcd4841cea534db50cf775338844d5f7ec35085daaeeb2dbff10de5f0685439885b995e18a3d22764b96ca1bc01feb3c945

Download Submit
memory/820-115-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/820-81-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/820-80-0x0000000000000000-mapping.dmp

Download
memory/820-98-0x000007FEEA9C0000-0x000007FEEB3E3000-memory.dmp

Filesize
10.1MB

Download
memory/1020-128-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1020-75-0x0000000000000000-mapping.dmp

Download
memory/1020-121-0x000007FEEA9C0000-0x000007FEEB3E3000-memory.dmp

Filesize
10.1MB

Download
memory/1228-69-0x0000000000000000-mapping.dmp

Download
memory/1228-97-0x000007FEEA9C0000-0x000007FEEB3E3000-memory.dmp

Filesize
10.1MB

Download
memory/1228-118-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/1428-119-0x000007FEEA9C0000-0x000007FEEB3E3000-memory.dmp

Filesize
10.1MB

Download
memory/1428-123-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/1428-73-0x0000000000000000-mapping.dmp

Download
memory/1444-67-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/1444-59-0x00000000004B0000-0x00000000004C6000-memory.dmp

Filesize
88KB

Download
memory/1444-55-0x000000001B230000-0x000000001B35E000-memory.dmp

Filesize
1.2MB

Download
memory/1444-56-0x00000000001F0000-0x000000000020C000-memory.dmp

Filesize
112KB

Download
memory/1444-57-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/1444-58-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/1444-60-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/1444-54-0x0000000000E70000-0x0000000001364000-memory.dmp

Filesize
5.0MB

Download
memory/1444-68-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/1444-66-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/1444-65-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/1444-64-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/1444-61-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/1444-62-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/1444-63-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/1480-77-0x0000000000000000-mapping.dmp

Download
memory/1560-126-0x000007FEEA9C0000-0x000007FEEB3E3000-memory.dmp

Filesize
10.1MB

Download
memory/1560-132-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/1560-76-0x0000000000000000-mapping.dmp

Download
memory/1572-129-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1572-79-0x0000000000000000-mapping.dmp

Download
memory/1572-120-0x000007FEEA9C0000-0x000007FEEB3E3000-memory.dmp

Filesize
10.1MB

Download
memory/1580-133-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/1580-127-0x000007FEEA9C0000-0x000007FEEB3E3000-memory.dmp

Filesize
10.1MB

Download
memory/1580-71-0x0000000000000000-mapping.dmp

Download
memory/1624-130-0x0000000001DD4000-0x0000000001DD7000-memory.dmp

Filesize
12KB

Download
memory/1624-78-0x0000000000000000-mapping.dmp

Download
memory/1624-124-0x000007FEEA9C0000-0x000007FEEB3E3000-memory.dmp

Filesize
10.1MB

Download
memory/1660-72-0x0000000000000000-mapping.dmp

Download
memory/1660-122-0x0000000002024000-0x0000000002027000-memory.dmp

Filesize
12KB

Download
memory/1660-117-0x000007FEEA9C0000-0x000007FEEB3E3000-memory.dmp

Filesize
10.1MB

Download
memory/1664-83-0x0000000000000000-mapping.dmp

Download
memory/1860-116-0x0000000002314000-0x0000000002317000-memory.dmp

Filesize
12KB

Download
memory/1860-95-0x000007FEEA9C0000-0x000007FEEB3E3000-memory.dmp

Filesize
10.1MB

Download
memory/1860-70-0x0000000000000000-mapping.dmp

Download
memory/2008-131-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/2008-125-0x000007FEEA9C0000-0x000007FEEB3E3000-memory.dmp

Filesize
10.1MB

Download
memory/2008-74-0x0000000000000000-mapping.dmp

Download
memory/2060-101-0x0000000000000000-mapping.dmp

Download
memory/2200-111-0x00000000000C0000-0x00000000005B4000-memory.dmp

Filesize
5.0MB

Download
memory/2200-108-0x0000000000000000-mapping.dmp

Download
memory/2640-135-0x0000000000000000-mapping.dmp

Download
memory/2664-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads