dcrat | 51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2022 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc9ea28a3c3659c4200e442d20198458.exe
Size

2.0MB
MD5

fc9ea28a3c3659c4200e442d20198458
SHA1

79ede873cd08d5941e54524dd85b5add0a79bd7c
SHA256

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0
SHA512

c2357a0eb6fd31929af57c544be2de14b0daee2a731ec09e586b0ac748b7368ae5a022d0d8dae0ccece0fa860799a0da02405f60d86a963e177508b5e4220a17
SSDEEP

49152:ubA3jVKbYcU6bWUfj4a7syRO2tzK/RNS/2t:ubjJXj4a4IKJYet

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	3932	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	3932	schtasks.exe	27

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/files/0x0006000000022e13-137.dat	dcrat
behavioral2/files/0x0006000000022e13-138.dat	dcrat
behavioral2/memory/2480-139-0x0000000000880000-0x0000000000A40000-memory.dmp	dcrat
behavioral2/files/0x0007000000022e1f-168.dat	dcrat
behavioral2/files/0x0007000000022e1f-167.dat	dcrat
behavioral2/memory/3368-171-0x0000000000A80000-0x0000000000C40000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SurrogateDll.exe

Executes dropped EXE 2 IoCs

Processes:

SurrogateDll.exeSurrogateDll.exe

pid	Process
2480	SurrogateDll.exe
3368	SurrogateDll.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SurrogateDll.exeSurrogateDll.exefc9ea28a3c3659c4200e442d20198458.exeWScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SurrogateDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SurrogateDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fc9ea28a3c3659c4200e442d20198458.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 5 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\defaults\dllhost.exe	SurrogateDll.exe
File created	C:\Program Files\Mozilla Firefox\defaults\5940a34987c991	SurrogateDll.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\RCX8EA5.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\RCX8F32.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\dllhost.exe	SurrogateDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	Process
4964	schtasks.exe
4636	schtasks.exe
4548	schtasks.exe
3484	schtasks.exe
4476	schtasks.exe
3980	schtasks.exe
1160	schtasks.exe
3188	schtasks.exe
3748	schtasks.exe
1344	schtasks.exe
2072	schtasks.exe
4284	schtasks.exe
5068	schtasks.exe
4064	schtasks.exe
4164	schtasks.exe
4472	schtasks.exe
1652	schtasks.exe
4244	schtasks.exe

Modifies registry class 3 IoCs

Processes:

fc9ea28a3c3659c4200e442d20198458.exeSurrogateDll.exeSurrogateDll.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	fc9ea28a3c3659c4200e442d20198458.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	SurrogateDll.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	SurrogateDll.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SurrogateDll.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
1396	powershell.exe
1164	powershell.exe
3828	powershell.exe
3828	powershell.exe
2168	powershell.exe
2168	powershell.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe
3104	powershell.exe
3104	powershell.exe
3480	powershell.exe
3480	powershell.exe
4612	powershell.exe
4612	powershell.exe
1988	powershell.exe
1988	powershell.exe
3608	powershell.exe
3608	powershell.exe
2228	powershell.exe
2228	powershell.exe
1460	powershell.exe
1460	powershell.exe
928	powershell.exe
928	powershell.exe
2480	SurrogateDll.exe
2480	SurrogateDll.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SurrogateDll.exe

pid	Process
3368	SurrogateDll.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

SurrogateDll.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSurrogateDll.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	2480	SurrogateDll.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	3368	SurrogateDll.exe
Token: SeBackupPrivilege	3404	vssvc.exe
Token: SeRestorePrivilege	3404	vssvc.exe
Token: SeAuditPrivilege	3404	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SurrogateDll.exe

pid	Process
3368	SurrogateDll.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

fc9ea28a3c3659c4200e442d20198458.exeWScript.execmd.exeSurrogateDll.exeSurrogateDll.exe

description	pid	Process	procid_target
PID 4984 wrote to memory of 4920	4984	fc9ea28a3c3659c4200e442d20198458.exe	80
PID 4984 wrote to memory of 4920	4984	fc9ea28a3c3659c4200e442d20198458.exe	80
PID 4984 wrote to memory of 4920	4984	fc9ea28a3c3659c4200e442d20198458.exe	80
PID 4920 wrote to memory of 544	4920	WScript.exe	81
PID 4920 wrote to memory of 544	4920	WScript.exe	81
PID 4920 wrote to memory of 544	4920	WScript.exe	81
PID 544 wrote to memory of 2480	544	cmd.exe	83
PID 544 wrote to memory of 2480	544	cmd.exe	83
PID 2480 wrote to memory of 2168	2480	SurrogateDll.exe	103
PID 2480 wrote to memory of 2168	2480	SurrogateDll.exe	103
PID 2480 wrote to memory of 1396	2480	SurrogateDll.exe	106
PID 2480 wrote to memory of 1396	2480	SurrogateDll.exe	106
PID 2480 wrote to memory of 1164	2480	SurrogateDll.exe	105
PID 2480 wrote to memory of 1164	2480	SurrogateDll.exe	105
PID 2480 wrote to memory of 3828	2480	SurrogateDll.exe	108
PID 2480 wrote to memory of 3828	2480	SurrogateDll.exe	108
PID 2480 wrote to memory of 3104	2480	SurrogateDll.exe	109
PID 2480 wrote to memory of 3104	2480	SurrogateDll.exe	109
PID 2480 wrote to memory of 3480	2480	SurrogateDll.exe	117
PID 2480 wrote to memory of 3480	2480	SurrogateDll.exe	117
PID 2480 wrote to memory of 4612	2480	SurrogateDll.exe	116
PID 2480 wrote to memory of 4612	2480	SurrogateDll.exe	116
PID 2480 wrote to memory of 1988	2480	SurrogateDll.exe	114
PID 2480 wrote to memory of 1988	2480	SurrogateDll.exe	114
PID 2480 wrote to memory of 2228	2480	SurrogateDll.exe	118
PID 2480 wrote to memory of 2228	2480	SurrogateDll.exe	118
PID 2480 wrote to memory of 3608	2480	SurrogateDll.exe	120
PID 2480 wrote to memory of 3608	2480	SurrogateDll.exe	120
PID 2480 wrote to memory of 928	2480	SurrogateDll.exe	123
PID 2480 wrote to memory of 928	2480	SurrogateDll.exe	123
PID 2480 wrote to memory of 1460	2480	SurrogateDll.exe	122
PID 2480 wrote to memory of 1460	2480	SurrogateDll.exe	122
PID 2480 wrote to memory of 4928	2480	SurrogateDll.exe	125
PID 2480 wrote to memory of 4928	2480	SurrogateDll.exe	125
PID 2480 wrote to memory of 3368	2480	SurrogateDll.exe	129
PID 2480 wrote to memory of 3368	2480	SurrogateDll.exe	129
PID 3368 wrote to memory of 1252	3368	SurrogateDll.exe	134
PID 3368 wrote to memory of 1252	3368	SurrogateDll.exe	134
PID 3368 wrote to memory of 964	3368	SurrogateDll.exe	135
PID 3368 wrote to memory of 964	3368	SurrogateDll.exe	135

C:\Users\Admin\AppData\Local\Temp\fc9ea28a3c3659c4200e442d20198458.exe
"C:\Users\Admin\AppData\Local\Temp\fc9ea28a3c3659c4200e442d20198458.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\agentBrowsersavesRefBroker\DYj6G9.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\agentBrowsersavesRefBroker\SurrogateDll.exe
      "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
    - - C:\Users\Admin\NetHood\SurrogateDll.exe
        
        "C:\Users\Admin\NetHood\SurrogateDll.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3368
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b9724b7-ea36-41c7-83dc-ca95d71f8435.vbs"
        6⤵
        
        PID:1252
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f39a5cf-7db0-463f-8abe-847fa8e71ef5.vbs"
        6⤵
        
        PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateDllS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\NetHood\SurrogateDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateDll" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\SurrogateDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateDllS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\SurrogateDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\odt\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\defaults\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SurrogateDll.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
377c375f814a335a131901ed5d5eca44

SHA1
9919811b18b4f8153541b332232ae88eec42f9f7

SHA256
7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10

SHA512
c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
377c375f814a335a131901ed5d5eca44

SHA1
9919811b18b4f8153541b332232ae88eec42f9f7

SHA256
7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10

SHA512
c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
377c375f814a335a131901ed5d5eca44

SHA1
9919811b18b4f8153541b332232ae88eec42f9f7

SHA256
7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10

SHA512
c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
377c375f814a335a131901ed5d5eca44

SHA1
9919811b18b4f8153541b332232ae88eec42f9f7

SHA256
7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10

SHA512
c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f39a5cf-7db0-463f-8abe-847fa8e71ef5.vbs

Filesize
491B

MD5
b5b5e0c0d04e97645069eb93913521ec

SHA1
81786a324935762afa1bc4e2bdaf3e9f09d1e2f4

SHA256
6c610eb9b03d2c52235dd0a312a5a9396777ad0fdd401bbf455a923a8ef7d509

SHA512
bdc8235e18555dc735459a7fe2267e520911d121fe42594d9211fd5945e8611f0537e084edd27801e62ca8e2f2a84d5ce40e6eef6f83beb4a7d75ef6d6f71af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b9724b7-ea36-41c7-83dc-ca95d71f8435.vbs

Filesize
715B

MD5
739e7d53317397b793269acd9463cf77

SHA1
f3fe19cb7b9ebb78d756372199de7701e226315a

SHA256
fe2d418b477314dabe1425431f8f149081a359c42f5b7c120bfd72fe4b0a3b43

SHA512
cd47594d41b217d4090736ea0cf5121f3e54d50b7ed9ea0cfb796e2349e603bcdab3db5f12eab2b320bb303a92c11212af5e18a4e920fbb1030595d62f9a7196

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\SurrogateDll.exe

Filesize
1.7MB

MD5
45750a1f2a50285b86d82b35bcc7f2ad

SHA1
5d3bbafa1dcdeefa61a359b8fe0e8baea4314db6

SHA256
79975f7842d284fe27093d805c47a929982a71078f5a59b923cb6a022885029c

SHA512
ce272edf5c53af4aca31b72d2de19d7d58441c70fa941d1578d3b35cd6d987372219cb4d85d6044647f7b9b7af6685f06574e97d6e5c81b042d8570b7a9e0606

Download Submit
C:\Users\Admin\NetHood\SurrogateDll.exe

Filesize
1.7MB

MD5
45750a1f2a50285b86d82b35bcc7f2ad

SHA1
5d3bbafa1dcdeefa61a359b8fe0e8baea4314db6

SHA256
79975f7842d284fe27093d805c47a929982a71078f5a59b923cb6a022885029c

SHA512
ce272edf5c53af4aca31b72d2de19d7d58441c70fa941d1578d3b35cd6d987372219cb4d85d6044647f7b9b7af6685f06574e97d6e5c81b042d8570b7a9e0606

Download Submit
C:\agentBrowsersavesRefBroker\DYj6G9.bat

Filesize
48B

MD5
5bb1a4946c35c47dd502dfbcd6d3a3d7

SHA1
1e1e42c5996031e92e8314c45201ccbf1fa23607

SHA256
30921e7d9a89121e8d56de5182e7e487f8e02293e82e82c2c04a6a537150ef06

SHA512
87a63b9f407a21db0cc2d80e3b639833e5e9f790790a9fc69a65788b193af80e19717ac4dc449190cc69817b161aabaf4a9c338e8936c6907adf5c432f7156e1

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe

Filesize
209B

MD5
22bdc192d231db2480148ba60871353b

SHA1
511712d83287343407b489ffbba56f1543062496

SHA256
442844f37559614e588adbd17a56c93e76687efdc6757a8aa0510e87b5a9fd22

SHA512
b7f044b2e707f474d7b5cba6fd4dd484debd04a7f7a80b81d81a1a9b49c8f85746804f5382770b338bdaf2471b09734deb5b0fdf30daa82e610435418866e444

Download Submit
memory/544-135-0x0000000000000000-mapping.dmp

Download
memory/928-205-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/928-177-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/928-156-0x0000000000000000-mapping.dmp

Download
memory/964-209-0x0000000000000000-mapping.dmp

Download
memory/1164-188-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/1164-148-0x0000000000000000-mapping.dmp

Download
memory/1164-162-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/1252-208-0x0000000000000000-mapping.dmp

Download
memory/1396-161-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/1396-159-0x000001FD77A50000-0x000001FD77A72000-memory.dmp

Filesize
136KB

Download
memory/1396-180-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/1396-147-0x0000000000000000-mapping.dmp

Download
memory/1460-157-0x0000000000000000-mapping.dmp

Download
memory/1460-200-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-178-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/1988-153-0x0000000000000000-mapping.dmp

Download
memory/1988-201-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/1988-174-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/2168-146-0x0000000000000000-mapping.dmp

Download
memory/2168-192-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/2168-160-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/2228-154-0x0000000000000000-mapping.dmp

Download
memory/2228-204-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/2228-175-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/2480-142-0x000000001CCA0000-0x000000001D1C8000-memory.dmp

Filesize
5.2MB

Download
memory/2480-173-0x000000001D517000-0x000000001D51C000-memory.dmp

Filesize
20KB

Download
memory/2480-139-0x0000000000880000-0x0000000000A40000-memory.dmp

Filesize
1.8MB

Download
memory/2480-140-0x000000001B560000-0x000000001B5B0000-memory.dmp

Filesize
320KB

Download
memory/2480-172-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/2480-141-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/2480-143-0x000000001B509000-0x000000001B50F000-memory.dmp

Filesize
24KB

Download
memory/2480-144-0x000000001D510000-0x000000001D514000-memory.dmp

Filesize
16KB

Download
memory/2480-136-0x0000000000000000-mapping.dmp

Download
memory/2480-145-0x000000001D514000-0x000000001D517000-memory.dmp

Filesize
12KB

Download
memory/3104-193-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/3104-164-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/3104-150-0x0000000000000000-mapping.dmp

Download
memory/3368-207-0x0000000001269000-0x000000000126F000-memory.dmp

Filesize
24KB

Download
memory/3368-165-0x0000000000000000-mapping.dmp

Download
memory/3368-219-0x000000001DB67000-0x000000001DB6A000-memory.dmp

Filesize
12KB

Download
memory/3368-212-0x000000001DB60000-0x000000001DB64000-memory.dmp

Filesize
16KB

Download
memory/3368-218-0x000000001DB67000-0x000000001DB6A000-memory.dmp

Filesize
12KB

Download
memory/3368-214-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/3368-213-0x000000001DB64000-0x000000001DB67000-memory.dmp

Filesize
12KB

Download
memory/3368-217-0x000000001DB64000-0x000000001DB67000-memory.dmp

Filesize
12KB

Download
memory/3368-215-0x0000000001269000-0x000000000126F000-memory.dmp

Filesize
24KB

Download
memory/3368-171-0x0000000000A80000-0x0000000000C40000-memory.dmp

Filesize
1.8MB

Download
memory/3368-195-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/3368-216-0x000000001DB60000-0x000000001DB64000-memory.dmp

Filesize
16KB

Download
memory/3480-151-0x0000000000000000-mapping.dmp

Download
memory/3480-191-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-166-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-176-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-196-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-155-0x0000000000000000-mapping.dmp

Download
memory/3828-163-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/3828-189-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/3828-149-0x0000000000000000-mapping.dmp

Download
memory/4612-194-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-170-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-152-0x0000000000000000-mapping.dmp

Download
memory/4920-132-0x0000000000000000-mapping.dmp

Download
memory/4928-179-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/4928-206-0x00007FFEE8600000-0x00007FFEE90C1000-memory.dmp

Filesize
10.8MB

Download
memory/4928-158-0x0000000000000000-mapping.dmp

Download