dcrat | 66bc2046ade6ee7d8a37ed169de795ea3ed78ef5fadb2ae1311758eac97d360a

Analysis

max time kernel
121s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15/10/2022, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

450feb62ffd1d5c1ffcefc8e173a29b4.exe
Size

2.6MB
MD5

450feb62ffd1d5c1ffcefc8e173a29b4
SHA1

6afcffc0832395c089d837dcf6b2ca0a74cbb9ff
SHA256

66bc2046ade6ee7d8a37ed169de795ea3ed78ef5fadb2ae1311758eac97d360a
SHA512

ea64595aee72ce0f214f2c44018301723c27d5d27492a282892f7d9f00ed9618ae358bdd1df976556b4836a1370b4db37cf8c58edd2f9a19b78ac14160d0f0cc
SSDEEP

49152:nbA3Rq0cOeGinYyV9fkymWXH3P/P4cKgQuKR330C8zOf+s:nbAcO+nbnkjW3f/QDB330PTs

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files\\Windows Journal\\de-DE\\dwm.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\es-ES\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\BrokerNet\\System.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files\\Windows Journal\\de-DE\\dwm.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\es-ES\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\BrokerNet\\System.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\winlogon.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\taskhost.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files\\Windows Journal\\de-DE\\dwm.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files\\Windows Journal\\de-DE\\dwm.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\Idle.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files\\Windows Journal\\de-DE\\dwm.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\es-ES\\sppsvc.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\smss.exe\", \"C:\\Program Files\\Windows Journal\\de-DE\\dwm.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\Idle.exe\", \"C:\\Program Files\\DVD Maker\\es-ES\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\smss.exe\""	chainreviewsaves.exe

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	1824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	1824	schtasks.exe	33

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000013494-65.dat	dcrat
behavioral1/files/0x0007000000013494-67.dat	dcrat
behavioral1/files/0x0007000000013494-64.dat	dcrat
behavioral1/files/0x0007000000013494-63.dat	dcrat
behavioral1/memory/1784-68-0x0000000000B60000-0x0000000000DB2000-memory.dmp	dcrat
behavioral1/files/0x0007000000013a03-77.dat	dcrat
behavioral1/files/0x0007000000013a03-78.dat	dcrat
behavioral1/memory/1332-79-0x0000000001180000-0x00000000013D2000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
1784	chainreviewsaves.exe
1332	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
952	cmd.exe
952	cmd.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\taskhost.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Defender\\smss.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\winlogon.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\taskhost.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Journal\\de-DE\\dwm.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\Idle.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\Idle.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\DVD Maker\\es-ES\\sppsvc.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\DVD Maker\\es-ES\\sppsvc.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\BrokerNet\\System.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\BrokerNet\\System.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Defender\\smss.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Journal\\de-DE\\dwm.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\""	chainreviewsaves.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\winlogon.exe\""	chainreviewsaves.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\de-DE\6cb0b6c459d5d3	chainreviewsaves.exe
File created	C:\Program Files\DVD Maker\es-ES\sppsvc.exe	chainreviewsaves.exe
File created	C:\Program Files\DVD Maker\es-ES\0a1fd5f707cd16	chainreviewsaves.exe
File created	C:\Program Files (x86)\Windows Defender\smss.exe	chainreviewsaves.exe
File created	C:\Program Files (x86)\Windows Defender\69ddcba757bf72	chainreviewsaves.exe
File created	C:\Program Files\Windows Journal\de-DE\dwm.exe	chainreviewsaves.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1988	schtasks.exe
1176	schtasks.exe
1144	schtasks.exe
1124	schtasks.exe
2040	schtasks.exe
1836	schtasks.exe
696	schtasks.exe
1612	schtasks.exe
1832	schtasks.exe
1036	schtasks.exe
388	schtasks.exe
328	schtasks.exe
1372	schtasks.exe
860	schtasks.exe
1532	schtasks.exe
1804	schtasks.exe
1492	schtasks.exe
1668	schtasks.exe
1012	schtasks.exe
2020	schtasks.exe
1376	schtasks.exe
1652	schtasks.exe
288	schtasks.exe
832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1784	chainreviewsaves.exe
1332	smss.exe
1332	smss.exe
1332	smss.exe
1332	smss.exe
1332	smss.exe
1332	smss.exe
1332	smss.exe
1332	smss.exe
1332	smss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	chainreviewsaves.exe
Token: SeDebugPrivilege	1332	smss.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1144	1912	450feb62ffd1d5c1ffcefc8e173a29b4.exe	28
PID 1912 wrote to memory of 1144	1912	450feb62ffd1d5c1ffcefc8e173a29b4.exe	28
PID 1912 wrote to memory of 1144	1912	450feb62ffd1d5c1ffcefc8e173a29b4.exe	28
PID 1912 wrote to memory of 1144	1912	450feb62ffd1d5c1ffcefc8e173a29b4.exe	28
PID 1912 wrote to memory of 1732	1912	450feb62ffd1d5c1ffcefc8e173a29b4.exe	29
PID 1912 wrote to memory of 1732	1912	450feb62ffd1d5c1ffcefc8e173a29b4.exe	29
PID 1912 wrote to memory of 1732	1912	450feb62ffd1d5c1ffcefc8e173a29b4.exe	29
PID 1912 wrote to memory of 1732	1912	450feb62ffd1d5c1ffcefc8e173a29b4.exe	29
PID 1144 wrote to memory of 952	1144	WScript.exe	30
PID 1144 wrote to memory of 952	1144	WScript.exe	30
PID 1144 wrote to memory of 952	1144	WScript.exe	30
PID 1144 wrote to memory of 952	1144	WScript.exe	30
PID 952 wrote to memory of 1784	952	cmd.exe	32
PID 952 wrote to memory of 1784	952	cmd.exe	32
PID 952 wrote to memory of 1784	952	cmd.exe	32
PID 952 wrote to memory of 1784	952	cmd.exe	32
PID 1784 wrote to memory of 1332	1784	chainreviewsaves.exe	58
PID 1784 wrote to memory of 1332	1784	chainreviewsaves.exe	58
PID 1784 wrote to memory of 1332	1784	chainreviewsaves.exe	58

C:\Users\Admin\AppData\Local\Temp\450feb62ffd1d5c1ffcefc8e173a29b4.exe
"C:\Users\Admin\AppData\Local\Temp\450feb62ffd1d5c1ffcefc8e173a29b4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BrokerNet\s0cB3GCIP7j88eBcGSL85oFKfqb.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BrokerNet\Gh72ydd2wz.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\BrokerNet\chainreviewsaves.exe
      "C:\BrokerNet\chainreviewsaves.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Program Files (x86)\Windows Defender\smss.exe
        
        "C:\Program Files (x86)\Windows Defender\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BrokerNet\file.vbs"
  2⤵
  PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\es-ES\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\BrokerNet\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\BrokerNet\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\BrokerNet\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BrokerNet\Gh72ydd2wz.bat

Filesize
35B

MD5
18109232c5965c94f6d67f5ac81d6883

SHA1
16ae3b6e7e34c7289fa74807b238812463b93224

SHA256
5298cd47510ba622fd2a1728be0b8526d46e6b6a5322ed16fa7c5868332261c5

SHA512
4b6a73bb40e3e3473f28fc53302eb580b36b771d2440a51c8a656b56ec2b2c39d320b09621f7ed693423ae1e52a36b941898e70837842505f544cc1f6147242a

Download Submit
C:\BrokerNet\chainreviewsaves.exe

Filesize
2.3MB

MD5
e20f37081674eaa511cfc8c6e0d60baa

SHA1
93ea1ed6db950450def39e2e2eeab20e4326e008

SHA256
ab550c9e53eada72d9853693afebaca370e0369bcd45fe9228e280844204b1a1

SHA512
3ac6c3836b23ae1b65a0c6dc2a403ca4504f3c4c2f85669fec624db0ee49411247d401751ef27852a0164d6bc297b88e4cf095453ce7fcd0ca04cefc55af2730

Download Submit
C:\BrokerNet\chainreviewsaves.exe

Filesize
2.3MB

MD5
e20f37081674eaa511cfc8c6e0d60baa

SHA1
93ea1ed6db950450def39e2e2eeab20e4326e008

SHA256
ab550c9e53eada72d9853693afebaca370e0369bcd45fe9228e280844204b1a1

SHA512
3ac6c3836b23ae1b65a0c6dc2a403ca4504f3c4c2f85669fec624db0ee49411247d401751ef27852a0164d6bc297b88e4cf095453ce7fcd0ca04cefc55af2730

Download Submit
C:\BrokerNet\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\BrokerNet\s0cB3GCIP7j88eBcGSL85oFKfqb.vbe

Filesize
196B

MD5
d7e45a789db8ed895ade6efa6bd54fe1

SHA1
cc3a0bc0e93b80c2e69ed1371e8bcc3fbaac6b1f

SHA256
2d5c41a32278b2e380ba71dc21888a9734bdae012d5e4af710ab961790e77ff2

SHA512
d8e179588c2ab9ff750c687dede1bb65328e5e12906404d6ef45c3f30761bc4f941446b26d548f4c3725085c3a49010df19f735d491a48f675f9312aa3846168

Download Submit
C:\Program Files (x86)\Windows Defender\smss.exe

Filesize
2.3MB

MD5
e20f37081674eaa511cfc8c6e0d60baa

SHA1
93ea1ed6db950450def39e2e2eeab20e4326e008

SHA256
ab550c9e53eada72d9853693afebaca370e0369bcd45fe9228e280844204b1a1

SHA512
3ac6c3836b23ae1b65a0c6dc2a403ca4504f3c4c2f85669fec624db0ee49411247d401751ef27852a0164d6bc297b88e4cf095453ce7fcd0ca04cefc55af2730

Download Submit
C:\Program Files (x86)\Windows Defender\smss.exe

Filesize
2.3MB

MD5
e20f37081674eaa511cfc8c6e0d60baa

SHA1
93ea1ed6db950450def39e2e2eeab20e4326e008

SHA256
ab550c9e53eada72d9853693afebaca370e0369bcd45fe9228e280844204b1a1

SHA512
3ac6c3836b23ae1b65a0c6dc2a403ca4504f3c4c2f85669fec624db0ee49411247d401751ef27852a0164d6bc297b88e4cf095453ce7fcd0ca04cefc55af2730

Download Submit
\BrokerNet\chainreviewsaves.exe

Filesize
2.3MB

MD5
e20f37081674eaa511cfc8c6e0d60baa

SHA1
93ea1ed6db950450def39e2e2eeab20e4326e008

SHA256
ab550c9e53eada72d9853693afebaca370e0369bcd45fe9228e280844204b1a1

SHA512
3ac6c3836b23ae1b65a0c6dc2a403ca4504f3c4c2f85669fec624db0ee49411247d401751ef27852a0164d6bc297b88e4cf095453ce7fcd0ca04cefc55af2730

Download Submit
\BrokerNet\chainreviewsaves.exe

Filesize
2.3MB

MD5
e20f37081674eaa511cfc8c6e0d60baa

SHA1
93ea1ed6db950450def39e2e2eeab20e4326e008

SHA256
ab550c9e53eada72d9853693afebaca370e0369bcd45fe9228e280844204b1a1

SHA512
3ac6c3836b23ae1b65a0c6dc2a403ca4504f3c4c2f85669fec624db0ee49411247d401751ef27852a0164d6bc297b88e4cf095453ce7fcd0ca04cefc55af2730

Download Submit
memory/1332-81-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1332-80-0x0000000000480000-0x00000000004D6000-memory.dmp

Filesize
344KB

Download
memory/1332-79-0x0000000001180000-0x00000000013D2000-memory.dmp

Filesize
2.3MB

Download
memory/1784-68-0x0000000000B60000-0x0000000000DB2000-memory.dmp

Filesize
2.3MB

Download
memory/1784-73-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/1784-74-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/1784-75-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/1784-72-0x00000000005E0000-0x0000000000636000-memory.dmp

Filesize
344KB

Download
memory/1784-71-0x00000000001F0000-0x0000000000206000-memory.dmp

Filesize
88KB

Download
memory/1784-70-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/1784-69-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/1912-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download