dcrat | a94aca257665bcea149485ab8facd158b5aa6d7c0885b68b56d1a97293dc663e

Analysis

max time kernel
175s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
15-01-2023 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bcc3265d6d56e45dab526559699b422.exe
Size

2.9MB
MD5

0bcc3265d6d56e45dab526559699b422
SHA1

7d39ccb90dd9bbfed5821fc0f99412c35a0042c0
SHA256

a94aca257665bcea149485ab8facd158b5aa6d7c0885b68b56d1a97293dc663e
SHA512

9c9eaaf4bacb3db059b60807647c6aedfd3f00953ab29c35a13780df506774d4b04b678c6f6c7c3ae4ed5f8e07db0be48e76eff23b1c6a26454be55a47fa7bd9
SSDEEP

49152:UbA30uDZpwmT1XvIwCsVM69SorvgQM/Fngf2z5op/SyPfvxgN+B3Ah8:UbatphI3sVBdrvgj/Fgf2z5op/dPnxq+

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1704	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bridgeWebperf.exeservices.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bridgeWebperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bridgeWebperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bridgeWebperf.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\chainFont\bridgeWebperf.exe	dcrat
\chainFont\bridgeWebperf.exe	dcrat
\chainFont\bridgeWebperf.exe	dcrat
C:\chainFont\bridgeWebperf.exe	dcrat
behavioral1/memory/700-65-0x00000000011A0000-0x0000000001438000-memory.dmp	dcrat
C:\Users\All Users\Favorites\services.exe	dcrat
C:\Users\Public\Favorites\services.exe	dcrat
behavioral1/memory/2420-82-0x0000000000E00000-0x0000000001098000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

bridgeWebperf.exeservices.exe

pid process

700 bridgeWebperf.exe
2420 services.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1540 cmd.exe
1540 cmd.exe

pid	process
700	bridgeWebperf.exe
2420	services.exe

pid	process
1540	cmd.exe
1540	cmd.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

services.exebridgeWebperf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bridgeWebperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bridgeWebperf.exe

Drops file in Program Files directory 11 IoCs

Processes:

bridgeWebperf.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\dwm.exe	bridgeWebperf.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\6cb0b6c459d5d3	bridgeWebperf.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\c5b4cb5e9653cc	bridgeWebperf.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\dwm.exe	bridgeWebperf.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\taskhost.exe	bridgeWebperf.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\b75386f1303e64	bridgeWebperf.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe	bridgeWebperf.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e	bridgeWebperf.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\services.exe	bridgeWebperf.exe
File created	C:\Program Files\7-Zip\System.exe	bridgeWebperf.exe
File created	C:\Program Files\7-Zip\27d1bcfc3c54e0	bridgeWebperf.exe

Drops file in Windows directory 3 IoCs

Processes:

bridgeWebperf.exe

description	ioc	process
File created	C:\Windows\Setup\State\csrss.exe	bridgeWebperf.exe
File created	C:\Windows\Setup\State\886983d96e3d3e	bridgeWebperf.exe
File created	C:\Windows\Speech\Common\es-ES\taskhost.exe	bridgeWebperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1896	schtasks.exe
1292	schtasks.exe
1612	schtasks.exe
1324	schtasks.exe
2088	schtasks.exe
2116	schtasks.exe
2264	schtasks.exe
2320	schtasks.exe
1756	schtasks.exe
580	schtasks.exe
2212	schtasks.exe
920	schtasks.exe
1904	schtasks.exe
1580	schtasks.exe
1588	schtasks.exe
1244	schtasks.exe
2292	schtasks.exe
1176	schtasks.exe
2040	schtasks.exe
1508	schtasks.exe
1984	schtasks.exe
576	schtasks.exe
1712	schtasks.exe
1648	schtasks.exe
1716	schtasks.exe
2196	schtasks.exe
1820	schtasks.exe
1688	schtasks.exe
1784	schtasks.exe
904	schtasks.exe
1768	schtasks.exe
1280	schtasks.exe
2064	schtasks.exe
972	schtasks.exe
1108	schtasks.exe
2236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bridgeWebperf.exeservices.exe

pid process

700 bridgeWebperf.exe
2420 services.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bridgeWebperf.exeservices.exe

description pid process

Token: SeDebugPrivilege 700 bridgeWebperf.exe
Token: SeDebugPrivilege 2420 services.exe

pid	process
700	bridgeWebperf.exe
2420	services.exe

description	pid	process
Token: SeDebugPrivilege	700	bridgeWebperf.exe
Token: SeDebugPrivilege	2420	services.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

0bcc3265d6d56e45dab526559699b422.exeWScript.execmd.exebridgeWebperf.execmd.exe

description	pid	process	target process
PID 544 wrote to memory of 1324	544	0bcc3265d6d56e45dab526559699b422.exe	WScript.exe
PID 544 wrote to memory of 1324	544	0bcc3265d6d56e45dab526559699b422.exe	WScript.exe
PID 544 wrote to memory of 1324	544	0bcc3265d6d56e45dab526559699b422.exe	WScript.exe
PID 544 wrote to memory of 1324	544	0bcc3265d6d56e45dab526559699b422.exe	WScript.exe
PID 1324 wrote to memory of 1540	1324	WScript.exe	cmd.exe
PID 1324 wrote to memory of 1540	1324	WScript.exe	cmd.exe
PID 1324 wrote to memory of 1540	1324	WScript.exe	cmd.exe
PID 1324 wrote to memory of 1540	1324	WScript.exe	cmd.exe
PID 1540 wrote to memory of 700	1540	cmd.exe	bridgeWebperf.exe
PID 1540 wrote to memory of 700	1540	cmd.exe	bridgeWebperf.exe
PID 1540 wrote to memory of 700	1540	cmd.exe	bridgeWebperf.exe
PID 1540 wrote to memory of 700	1540	cmd.exe	bridgeWebperf.exe
PID 700 wrote to memory of 2364	700	bridgeWebperf.exe	cmd.exe
PID 700 wrote to memory of 2364	700	bridgeWebperf.exe	cmd.exe
PID 700 wrote to memory of 2364	700	bridgeWebperf.exe	cmd.exe
PID 2364 wrote to memory of 2396	2364	cmd.exe	w32tm.exe
PID 2364 wrote to memory of 2396	2364	cmd.exe	w32tm.exe
PID 2364 wrote to memory of 2396	2364	cmd.exe	w32tm.exe
PID 2364 wrote to memory of 2420	2364	cmd.exe	services.exe
PID 2364 wrote to memory of 2420	2364	cmd.exe	services.exe
PID 2364 wrote to memory of 2420	2364	cmd.exe	services.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

bridgeWebperf.exeservices.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bridgeWebperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bridgeWebperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bridgeWebperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

C:\Users\Admin\AppData\Local\Temp\0bcc3265d6d56e45dab526559699b422.exe
"C:\Users\Admin\AppData\Local\Temp\0bcc3265d6d56e45dab526559699b422.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\chainFont\f6LEq510ArPb.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\chainFont\im4gEs99.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\chainFont\bridgeWebperf.exe
      "C:\chainFont\bridgeWebperf.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:700
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2T4bMTfqeZ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2396
      - C:\Users\All Users\Favorites\services.exe
        
        "C:\Users\All Users\Favorites\services.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\uninstall\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeWebperfb" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Contacts\bridgeWebperf.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeWebperf" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\bridgeWebperf.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeWebperfb" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Contacts\bridgeWebperf.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Setup\State\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2T4bMTfqeZ.bat

Filesize
206B

MD5
6c220d20dd83a358be8579bc27b970dc

SHA1
4c7f8708ac518fe00484d80173196323f3f5a28d

SHA256
7f97a8091ec6ef2264e92c244c275b3e912d2c2ee9f09c4e2be811327e55facf

SHA512
c06766c1eedebcec3acdc5be4f2d30ba2dad3c5151f57713d5f9495c306e61c043eacc1e9f9b44aa7d38a9b75534f21a11e148db30fa5c32f6f430cae8394329

Download Submit
C:\Users\All Users\Favorites\services.exe

Filesize
2.6MB

MD5
369f77ade5f7b913959a3ff904bf6ca7

SHA1
6c4a8f69c5e4d1ba0546831d93017cd4a34af158

SHA256
534aeebad1da26ed057bbae6592a6ec24a7f8d5fff962d1a20639be1566ba850

SHA512
36b79caf2faaddf2b59221f0c86b390318e34f86908c6d7d5a6f88d22f41a8a1c2d28a148fad3b8ea774d0cec54a1842c7b90dd5adaff04e56b1ab88223932e8

Download Submit
C:\Users\Public\Favorites\services.exe

Filesize
2.6MB

MD5
369f77ade5f7b913959a3ff904bf6ca7

SHA1
6c4a8f69c5e4d1ba0546831d93017cd4a34af158

SHA256
534aeebad1da26ed057bbae6592a6ec24a7f8d5fff962d1a20639be1566ba850

SHA512
36b79caf2faaddf2b59221f0c86b390318e34f86908c6d7d5a6f88d22f41a8a1c2d28a148fad3b8ea774d0cec54a1842c7b90dd5adaff04e56b1ab88223932e8

Download Submit
C:\chainFont\bridgeWebperf.exe

Filesize
2.6MB

MD5
369f77ade5f7b913959a3ff904bf6ca7

SHA1
6c4a8f69c5e4d1ba0546831d93017cd4a34af158

SHA256
534aeebad1da26ed057bbae6592a6ec24a7f8d5fff962d1a20639be1566ba850

SHA512
36b79caf2faaddf2b59221f0c86b390318e34f86908c6d7d5a6f88d22f41a8a1c2d28a148fad3b8ea774d0cec54a1842c7b90dd5adaff04e56b1ab88223932e8

Download Submit
C:\chainFont\bridgeWebperf.exe

Filesize
2.6MB

MD5
369f77ade5f7b913959a3ff904bf6ca7

SHA1
6c4a8f69c5e4d1ba0546831d93017cd4a34af158

SHA256
534aeebad1da26ed057bbae6592a6ec24a7f8d5fff962d1a20639be1566ba850

SHA512
36b79caf2faaddf2b59221f0c86b390318e34f86908c6d7d5a6f88d22f41a8a1c2d28a148fad3b8ea774d0cec54a1842c7b90dd5adaff04e56b1ab88223932e8

Download Submit
C:\chainFont\f6LEq510ArPb.vbe

Filesize
194B

MD5
9b1731fd52f1093ce5d2646806bb0f67

SHA1
1829c42c07b61f794cd6aa78d97c362ff435397d

SHA256
0eff669ac70c9c276b1e7347ccc209c53a0a44051a9db21670bf77e84f8b06be

SHA512
97c71cf1b9250292e723789c1720b10efe9be0154c4ec991b6d04914a57ce0140c1b19c26494ddefe2d2cf5830df6f99fefc43faf92c559ebe309fda93fe348e

Download Submit
C:\chainFont\im4gEs99.bat

Filesize
32B

MD5
0973a68ef3bb6e60eb01ed64d6dd4225

SHA1
420169a5dcb306495fe4373fbbfbf6faabcdb898

SHA256
49185aed14e2e8245ed5626349c3b32af69c6ddd4849e32364d81d80f2d63a90

SHA512
707f1fa491dd1a91b4274630762bad3aeb0c0ad520d4fd71548a10e1af2369cd6aa7872251fee40802dcf60ce551a4176a815d22c227623ca09c4ea75b1f19be

Download Submit
\chainFont\bridgeWebperf.exe

Filesize
2.6MB

MD5
369f77ade5f7b913959a3ff904bf6ca7

SHA1
6c4a8f69c5e4d1ba0546831d93017cd4a34af158

SHA256
534aeebad1da26ed057bbae6592a6ec24a7f8d5fff962d1a20639be1566ba850

SHA512
36b79caf2faaddf2b59221f0c86b390318e34f86908c6d7d5a6f88d22f41a8a1c2d28a148fad3b8ea774d0cec54a1842c7b90dd5adaff04e56b1ab88223932e8

Download Submit
\chainFont\bridgeWebperf.exe

Filesize
2.6MB

MD5
369f77ade5f7b913959a3ff904bf6ca7

SHA1
6c4a8f69c5e4d1ba0546831d93017cd4a34af158

SHA256
534aeebad1da26ed057bbae6592a6ec24a7f8d5fff962d1a20639be1566ba850

SHA512
36b79caf2faaddf2b59221f0c86b390318e34f86908c6d7d5a6f88d22f41a8a1c2d28a148fad3b8ea774d0cec54a1842c7b90dd5adaff04e56b1ab88223932e8

Download Submit
memory/544-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/700-69-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/700-74-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/700-67-0x00000000009A0000-0x00000000009B6000-memory.dmp

Filesize
88KB

Download
memory/700-68-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/700-65-0x00000000011A0000-0x0000000001438000-memory.dmp

Filesize
2.6MB

Download
memory/700-70-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/700-71-0x0000000000C10000-0x0000000000C66000-memory.dmp

Filesize
344KB

Download
memory/700-72-0x00000000009D0000-0x00000000009DC000-memory.dmp

Filesize
48KB

Download
memory/700-73-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/700-66-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/700-75-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/700-63-0x0000000000000000-mapping.dmp

Download
memory/1324-55-0x0000000000000000-mapping.dmp

Download
memory/1540-59-0x0000000000000000-mapping.dmp

Download
memory/2364-76-0x0000000000000000-mapping.dmp

Download
memory/2396-78-0x0000000000000000-mapping.dmp

Download
memory/2420-80-0x0000000000000000-mapping.dmp

Download
memory/2420-82-0x0000000000E00000-0x0000000001098000-memory.dmp

Filesize
2.6MB

Download
memory/2420-83-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2420-84-0x0000000000DB0000-0x0000000000E06000-memory.dmp

Filesize
344KB

Download