dcrat | bfe4b2b5b1b9c2e8253848be27b277f1daf99314ff0ac964dc595bdef841a6c3

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-01-2023 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ou6mS40OHrkbwQiM7ccaR.exe
Size

2.4MB
MD5

4ceeb0d068653ada01e702ba61dfdb7f
SHA1

0e09a416c381e657f39af975f259d09da0324300
SHA256

bfe4b2b5b1b9c2e8253848be27b277f1daf99314ff0ac964dc595bdef841a6c3
SHA512

798904e3ef1ef5f898185577c2dc15dd8872f4e70f638f8f94f90846ac11eecbad72d843406512863d58a882df8ad40c02ad2d9daa6289f3c46fff724f5f1b73
SSDEEP

24576:1RNpngHRc5DYZYLUsZ9p48N41XMFBDeQzC/tqELdO0U7TBd1X/SQOvjASm:PPDvx94V0eQuPdmJdV/J

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	936	schtasks.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

csrss.execsrss.exeOu6mS40OHrkbwQiM7ccaR.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Ou6mS40OHrkbwQiM7ccaR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Ou6mS40OHrkbwQiM7ccaR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Ou6mS40OHrkbwQiM7ccaR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/840-54-0x0000000001350000-0x00000000015BA000-memory.dmp	dcrat
C:\Windows\Fonts\csrss.exe	dcrat
C:\Windows\Fonts\csrss.exe	dcrat
behavioral1/memory/1188-108-0x00000000002F0000-0x000000000055A000-memory.dmp	dcrat
C:\Windows\Fonts\csrss.exe	dcrat
behavioral1/memory/1568-141-0x00000000000B0000-0x000000000031A000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\055c36409d87a5242b93633aadd0b517755bd2cc.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

csrss.execsrss.exe

pid process

1188 csrss.exe
1568 csrss.exe

pid	process
1188	csrss.exe
1568	csrss.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.execsrss.exeOu6mS40OHrkbwQiM7ccaR.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ou6mS40OHrkbwQiM7ccaR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Ou6mS40OHrkbwQiM7ccaR.exe

Drops file in Program Files directory 4 IoCs

Processes:

Ou6mS40OHrkbwQiM7ccaR.exe

description	ioc	process
File created	C:\Program Files\Windows NT\Accessories\it-IT\Ou6mS40OHrkbwQiM7ccaR.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\Ou6mS40OHrkbwQiM7ccaR.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\cbc753843df817	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\RCX1834.tmp	Ou6mS40OHrkbwQiM7ccaR.exe

Drops file in Windows directory 5 IoCs

Processes:

Ou6mS40OHrkbwQiM7ccaR.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\RCX2D3D.tmp	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Windows\Fonts\csrss.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Windows\rescache\rc0002\wininit.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Windows\Fonts\csrss.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Windows\Fonts\886983d96e3d3e	Ou6mS40OHrkbwQiM7ccaR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
624	schtasks.exe
996	schtasks.exe
1372	schtasks.exe
960	schtasks.exe
1908	schtasks.exe
1332	schtasks.exe
1560	schtasks.exe
1128	schtasks.exe
1916	schtasks.exe
1972	schtasks.exe
1736	schtasks.exe
1100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Ou6mS40OHrkbwQiM7ccaR.execsrss.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
840	Ou6mS40OHrkbwQiM7ccaR.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1688	powershell.exe
1600	powershell.exe
1392	powershell.exe
1188	csrss.exe
968	powershell.exe
1960	powershell.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe
1188	csrss.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Ou6mS40OHrkbwQiM7ccaR.execsrss.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	840	Ou6mS40OHrkbwQiM7ccaR.exe
Token: SeDebugPrivilege	1188	csrss.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1568	csrss.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

Ou6mS40OHrkbwQiM7ccaR.execmd.execsrss.exeWScript.execsrss.exe

description	pid	process	target process
PID 840 wrote to memory of 968	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 968	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 968	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 1392	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 1392	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 1392	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 1960	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 1960	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 1960	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 1600	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 1600	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 1600	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 1688	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 1688	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 1688	840	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 840 wrote to memory of 1112	840	Ou6mS40OHrkbwQiM7ccaR.exe	cmd.exe
PID 840 wrote to memory of 1112	840	Ou6mS40OHrkbwQiM7ccaR.exe	cmd.exe
PID 840 wrote to memory of 1112	840	Ou6mS40OHrkbwQiM7ccaR.exe	cmd.exe
PID 1112 wrote to memory of 944	1112	cmd.exe	w32tm.exe
PID 1112 wrote to memory of 944	1112	cmd.exe	w32tm.exe
PID 1112 wrote to memory of 944	1112	cmd.exe	w32tm.exe
PID 1112 wrote to memory of 1188	1112	cmd.exe	csrss.exe
PID 1112 wrote to memory of 1188	1112	cmd.exe	csrss.exe
PID 1112 wrote to memory of 1188	1112	cmd.exe	csrss.exe
PID 1188 wrote to memory of 1940	1188	csrss.exe	WScript.exe
PID 1188 wrote to memory of 1940	1188	csrss.exe	WScript.exe
PID 1188 wrote to memory of 1940	1188	csrss.exe	WScript.exe
PID 1188 wrote to memory of 1912	1188	csrss.exe	WScript.exe
PID 1188 wrote to memory of 1912	1188	csrss.exe	WScript.exe
PID 1188 wrote to memory of 1912	1188	csrss.exe	WScript.exe
PID 1940 wrote to memory of 1568	1940	WScript.exe	csrss.exe
PID 1940 wrote to memory of 1568	1940	WScript.exe	csrss.exe
PID 1940 wrote to memory of 1568	1940	WScript.exe	csrss.exe
PID 1568 wrote to memory of 1168	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 1168	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 1168	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 1600	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 1600	1568	csrss.exe	WScript.exe
PID 1568 wrote to memory of 1600	1568	csrss.exe	WScript.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

csrss.execsrss.exeOu6mS40OHrkbwQiM7ccaR.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Ou6mS40OHrkbwQiM7ccaR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Ou6mS40OHrkbwQiM7ccaR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Ou6mS40OHrkbwQiM7ccaR.exe

C:\Users\Admin\AppData\Local\Temp\Ou6mS40OHrkbwQiM7ccaR.exe
"C:\Users\Admin\AppData\Local\Temp\Ou6mS40OHrkbwQiM7ccaR.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ou6mS40OHrkbwQiM7ccaR.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\it-IT\Ou6mS40OHrkbwQiM7ccaR.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\winlogon.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\csrss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHOHQdCd1x.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:944

C:\Windows\Fonts\csrss.exe
"C:\Windows\Fonts\csrss.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1188

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a70d47fa-52a9-446f-88ea-3fdee8c9bff9.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\Fonts\csrss.exe
C:\Windows\Fonts\csrss.exe
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1568

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58bdb497-4497-453e-830b-04b46ba93916.vbs"
6⤵
PID:1168

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0ba9525-af4e-40c5-aa4d-682f2977cda8.vbs"
6⤵
PID:1600

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\260c94fe-b91d-4999-a7a9-6a0b51c97068.vbs"
4⤵
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Ou6mS40OHrkbwQiM7ccaRO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\Ou6mS40OHrkbwQiM7ccaR.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Ou6mS40OHrkbwQiM7ccaR" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\Ou6mS40OHrkbwQiM7ccaR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Ou6mS40OHrkbwQiM7ccaRO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\Ou6mS40OHrkbwQiM7ccaR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Pictures\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\055c36409d87a5242b93633aadd0b517755bd2cc.exe
Filesize
2.4MB

MD5
a400fac7e63494249f432fd54568d476

SHA1
9504b1aa444168faa8d7dbebdbb5b83414d8aa7f

SHA256
0a64bb7e52e8363fee7371effe758c7d8fcc8aa3ae2c734c94e10289f3875afb

SHA512
c060f18a8be83fa89624a99efb88224af8c7c4b8ffab949db80e0b1e74b5a87b9be91d3abb174c63f1ee98f99074ef41d41ee6c6aa5edbde10e506d566a884f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\260c94fe-b91d-4999-a7a9-6a0b51c97068.vbs
Filesize
478B

MD5
60ab63a014f4108aab99d3812070d6cc

SHA1
9c56133b7b7289048ba204dbf5c66e3d83eb6e42

SHA256
52bf2bf29df7d44d8442295cd703a5957f9af74ececd19b3cb2f59fc05f87c43

SHA512
51b7b954443e44906b5a19d0f6f29c1f8cf5b4fbcb93839a2b1cdb42a79a19b117ef342da30d23471a10d4d0245875a08c91de56e9d52e73ef2c7dead1520d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\58bdb497-4497-453e-830b-04b46ba93916.vbs
Filesize
702B

MD5
44adacaaebf146f6422e227a2fcd4623

SHA1
734998cfff26cb135b1a36fdb7c735e03446a3d1

SHA256
5ced018c59d0c1207a583d23fb3c74785508efa6886489730c8d3e98647348f8

SHA512
12699141733e3a77913957ab3f5bd0cb2f68cd17c51336c6f0ff0a1eed82c76b5e71261810d5f7ffd5c331e1b53d3dc8bb8935a75d8147df3bf2799c4692c346

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHOHQdCd1x.bat
Filesize
191B

MD5
ad521e1da4a02e51f9ed9041f6346c32

SHA1
f55d38dad95156d53e6baf9bb51d1f35ac3ef6bc

SHA256
5410f3e2dd324ed2cf9050e92937346d396b97d7711d3bbb6ff972b2313e1dde

SHA512
a40373f85edcbffa5703119ba5c8f2b42f0892e35a11b265dac583c21aa9a34ad1e8eb6a93d3779331f6078b44cc76fb0d00cc6955559dddc079bdbe9b272d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\a70d47fa-52a9-446f-88ea-3fdee8c9bff9.vbs
Filesize
702B

MD5
f1902a24469c6cf4fcc7759c19d98f31

SHA1
c0b7166143dc669bd7c64644d226738f4810ea43

SHA256
b73a36819dc96322286cb5b729f39edb9941aa1bbd3858e93f068b5200535d0a

SHA512
84c8a04846891331c2a52c1910b51036c73dd49337b548080557aab9c9f47e8f01cf5538fe1ff3c46fe8799ecb6b4cff8f5ab44d6a9129f3c782102e6e8dcc73

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0ba9525-af4e-40c5-aa4d-682f2977cda8.vbs
Filesize
478B

MD5
60ab63a014f4108aab99d3812070d6cc

SHA1
9c56133b7b7289048ba204dbf5c66e3d83eb6e42

SHA256
52bf2bf29df7d44d8442295cd703a5957f9af74ececd19b3cb2f59fc05f87c43

SHA512
51b7b954443e44906b5a19d0f6f29c1f8cf5b4fbcb93839a2b1cdb42a79a19b117ef342da30d23471a10d4d0245875a08c91de56e9d52e73ef2c7dead1520d9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
11f71f313956ebd28329ee45f14c5af4

SHA1
90a23b0d41b14c9f6f6266e0430b7f30680d46e0

SHA256
3819e7ae8d9a9098bd0da936c4cdcd41bd9dec6f81be60a79c25f606f523d7b6

SHA512
27d2eb0c5a6dd345def2060f21ad849d712cc08a8ddf8ac706db654cc0d1f0e18a4689a81e5874cc982c2e8a92bc8bffbd6aafdb8a7dceb8f1ca9159f784d7ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
11f71f313956ebd28329ee45f14c5af4

SHA1
90a23b0d41b14c9f6f6266e0430b7f30680d46e0

SHA256
3819e7ae8d9a9098bd0da936c4cdcd41bd9dec6f81be60a79c25f606f523d7b6

SHA512
27d2eb0c5a6dd345def2060f21ad849d712cc08a8ddf8ac706db654cc0d1f0e18a4689a81e5874cc982c2e8a92bc8bffbd6aafdb8a7dceb8f1ca9159f784d7ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
11f71f313956ebd28329ee45f14c5af4

SHA1
90a23b0d41b14c9f6f6266e0430b7f30680d46e0

SHA256
3819e7ae8d9a9098bd0da936c4cdcd41bd9dec6f81be60a79c25f606f523d7b6

SHA512
27d2eb0c5a6dd345def2060f21ad849d712cc08a8ddf8ac706db654cc0d1f0e18a4689a81e5874cc982c2e8a92bc8bffbd6aafdb8a7dceb8f1ca9159f784d7ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
11f71f313956ebd28329ee45f14c5af4

SHA1
90a23b0d41b14c9f6f6266e0430b7f30680d46e0

SHA256
3819e7ae8d9a9098bd0da936c4cdcd41bd9dec6f81be60a79c25f606f523d7b6

SHA512
27d2eb0c5a6dd345def2060f21ad849d712cc08a8ddf8ac706db654cc0d1f0e18a4689a81e5874cc982c2e8a92bc8bffbd6aafdb8a7dceb8f1ca9159f784d7ef

Download Submit
C:\Windows\Fonts\csrss.exe
Filesize
2.4MB

MD5
a400fac7e63494249f432fd54568d476

SHA1
9504b1aa444168faa8d7dbebdbb5b83414d8aa7f

SHA256
0a64bb7e52e8363fee7371effe758c7d8fcc8aa3ae2c734c94e10289f3875afb

SHA512
c060f18a8be83fa89624a99efb88224af8c7c4b8ffab949db80e0b1e74b5a87b9be91d3abb174c63f1ee98f99074ef41d41ee6c6aa5edbde10e506d566a884f5

Download Submit
C:\Windows\Fonts\csrss.exe
Filesize
2.4MB

MD5
a400fac7e63494249f432fd54568d476

SHA1
9504b1aa444168faa8d7dbebdbb5b83414d8aa7f

SHA256
0a64bb7e52e8363fee7371effe758c7d8fcc8aa3ae2c734c94e10289f3875afb

SHA512
c060f18a8be83fa89624a99efb88224af8c7c4b8ffab949db80e0b1e74b5a87b9be91d3abb174c63f1ee98f99074ef41d41ee6c6aa5edbde10e506d566a884f5

Download Submit
C:\Windows\Fonts\csrss.exe
Filesize
2.4MB

MD5
a400fac7e63494249f432fd54568d476

SHA1
9504b1aa444168faa8d7dbebdbb5b83414d8aa7f

SHA256
0a64bb7e52e8363fee7371effe758c7d8fcc8aa3ae2c734c94e10289f3875afb

SHA512
c060f18a8be83fa89624a99efb88224af8c7c4b8ffab949db80e0b1e74b5a87b9be91d3abb174c63f1ee98f99074ef41d41ee6c6aa5edbde10e506d566a884f5

Download Submit
memory/840-67-0x0000000000CE0000-0x0000000000CF2000-memory.dmp

Filesize
72KB

Download
memory/840-62-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/840-69-0x0000000000B80000-0x0000000000C00000-memory.dmp

Filesize
512KB

Download
memory/840-70-0x000000001AD80000-0x000000001AD88000-memory.dmp

Filesize
32KB

Download
memory/840-71-0x000000001AD90000-0x000000001AD9A000-memory.dmp

Filesize
40KB

Download
memory/840-72-0x000000001ADA0000-0x000000001ADAE000-memory.dmp

Filesize
56KB

Download
memory/840-73-0x000000001ADB0000-0x000000001ADB8000-memory.dmp

Filesize
32KB

Download
memory/840-74-0x000000001ADC0000-0x000000001ADCC000-memory.dmp

Filesize
48KB

Download
memory/840-75-0x000000001ADD0000-0x000000001ADDC000-memory.dmp

Filesize
48KB

Download
memory/840-55-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/840-54-0x0000000001350000-0x00000000015BA000-memory.dmp

Filesize
2.4MB

Download
memory/840-56-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/840-66-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/840-65-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/840-57-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/840-58-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/840-64-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/840-63-0x0000000001300000-0x0000000001356000-memory.dmp

Filesize
344KB

Download
memory/840-59-0x0000000000730000-0x0000000000746000-memory.dmp

Filesize
88KB

Download
memory/840-68-0x000000001AD70000-0x000000001AD7C000-memory.dmp

Filesize
48KB

Download
memory/840-61-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/840-60-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/944-92-0x0000000000000000-mapping.dmp

Download
memory/968-120-0x0000000002754000-0x0000000002757000-memory.dmp

Filesize
12KB

Download
memory/968-76-0x0000000000000000-mapping.dmp

Download
memory/968-119-0x000000000275B000-0x000000000277A000-memory.dmp

Filesize
124KB

Download
memory/968-100-0x0000000002754000-0x0000000002757000-memory.dmp

Filesize
12KB

Download
memory/968-97-0x000007FEF5260000-0x000007FEF5DBD000-memory.dmp

Filesize
11.4MB

Download
memory/968-121-0x000000000275B000-0x000000000277A000-memory.dmp

Filesize
124KB

Download
memory/968-86-0x000007FEEAB10000-0x000007FEEB533000-memory.dmp

Filesize
10.1MB

Download
memory/1112-83-0x0000000000000000-mapping.dmp

Download
memory/1168-143-0x0000000000000000-mapping.dmp

Download
memory/1188-105-0x0000000000000000-mapping.dmp

Download
memory/1188-127-0x000000001B1D6000-0x000000001B1F5000-memory.dmp

Filesize
124KB

Download
memory/1188-108-0x00000000002F0000-0x000000000055A000-memory.dmp

Filesize
2.4MB

Download
memory/1188-138-0x000000001B1D6000-0x000000001B1F5000-memory.dmp

Filesize
124KB

Download
memory/1188-112-0x0000000002040000-0x0000000002096000-memory.dmp

Filesize
344KB

Download
memory/1188-113-0x0000000000A20000-0x0000000000A32000-memory.dmp

Filesize
72KB

Download
memory/1188-114-0x000000001B1D6000-0x000000001B1F5000-memory.dmp

Filesize
124KB

Download
memory/1392-77-0x0000000000000000-mapping.dmp

Download
memory/1392-81-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download
memory/1392-96-0x000007FEF5260000-0x000007FEF5DBD000-memory.dmp

Filesize
11.4MB

Download
memory/1392-135-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/1392-130-0x00000000024AB000-0x00000000024CA000-memory.dmp

Filesize
124KB

Download
memory/1392-136-0x00000000024AB000-0x00000000024CA000-memory.dmp

Filesize
124KB

Download
memory/1392-116-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/1392-99-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/1392-87-0x000007FEEAB10000-0x000007FEEB533000-memory.dmp

Filesize
10.1MB

Download
memory/1568-141-0x00000000000B0000-0x000000000031A000-memory.dmp

Filesize
2.4MB

Download
memory/1568-142-0x000000001ACB6000-0x000000001ACD5000-memory.dmp

Filesize
124KB

Download
memory/1568-139-0x0000000000000000-mapping.dmp

Download
memory/1568-148-0x000000001ACB6000-0x000000001ACD5000-memory.dmp

Filesize
124KB

Download
memory/1568-149-0x000000001ACE4000-0x000000001ACE8000-memory.dmp

Filesize
16KB

Download
memory/1600-131-0x0000000002230000-0x00000000022B0000-memory.dmp

Filesize
512KB

Download
memory/1600-145-0x0000000000000000-mapping.dmp

Download
memory/1600-101-0x0000000002230000-0x00000000022B0000-memory.dmp

Filesize
512KB

Download
memory/1600-79-0x0000000000000000-mapping.dmp

Download
memory/1600-95-0x000007FEEAB10000-0x000007FEEB533000-memory.dmp

Filesize
10.1MB

Download
memory/1600-118-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1600-115-0x0000000002230000-0x00000000022B0000-memory.dmp

Filesize
512KB

Download
memory/1600-98-0x000007FEF5260000-0x000007FEF5DBD000-memory.dmp

Filesize
11.4MB

Download
memory/1688-117-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/1688-122-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/1688-134-0x000000000282B000-0x000000000284A000-memory.dmp

Filesize
124KB

Download
memory/1688-132-0x000000000282B000-0x000000000284A000-memory.dmp

Filesize
124KB

Download
memory/1688-111-0x000007FEF5260000-0x000007FEF5DBD000-memory.dmp

Filesize
11.4MB

Download
memory/1688-110-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/1688-109-0x000007FEEAB10000-0x000007FEEB533000-memory.dmp

Filesize
10.1MB

Download
memory/1688-133-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/1688-80-0x0000000000000000-mapping.dmp

Download
memory/1912-126-0x0000000000000000-mapping.dmp

Download
memory/1940-125-0x0000000000000000-mapping.dmp

Download
memory/1960-124-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1960-123-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1960-102-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1960-94-0x000007FEEAB10000-0x000007FEEB533000-memory.dmp

Filesize
10.1MB

Download
memory/1960-78-0x0000000000000000-mapping.dmp

Download
memory/1960-137-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1960-103-0x000007FEF5260000-0x000007FEF5DBD000-memory.dmp

Filesize
11.4MB

Download