dcrat | abee8542dc156b695a019d34a7bf3734d2e63b648e4affb3209b151ab0f8e6ac

General

Target

09cacacf6eef86e62b26d5d1ca217c8e.exe
Size

2.6MB
MD5

09cacacf6eef86e62b26d5d1ca217c8e
SHA1

21520171163005980651861cea13fc6edc82d2da
SHA256

abee8542dc156b695a019d34a7bf3734d2e63b648e4affb3209b151ab0f8e6ac
SHA512

fc90917fa408769cef02c977ff4a0f30a6b14e0fe0731a7ccd573c63da9523e48d58914c5a26b4f5d3d8faee47ea3d32ccbf5e462e802dd7b3cc23e6ad6fd4c6
SSDEEP

49152:ubA3jlSSI+tkWr2mvKSq32s+FBf4HrypMFQtwfRKSSutCn0:ubcSbWr2mLHyC8LSut1

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4948	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	4948	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\hyperchainagent\Surrogaterefnet.exe	dcrat
C:\hyperchainagent\Surrogaterefnet.exe	dcrat
behavioral2/memory/4060-145-0x0000000000600000-0x0000000000852000-memory.dmp	dcrat
C:\Recovery\WindowsRE\conhost.exe	dcrat
C:\Program Files\Windows Media Player\de-DE\services.exe	dcrat
C:\Program Files\Windows Media Player\de-DE\services.exe	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

09cacacf6eef86e62b26d5d1ca217c8e.exeWScript.exeSurrogaterefnet.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	09cacacf6eef86e62b26d5d1ca217c8e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Surrogaterefnet.exe

Executes dropped EXE 2 IoCs

Processes:

Surrogaterefnet.exeservices.exe

pid process

4060 Surrogaterefnet.exe
4164 services.exe

Drops file in Program Files directory 17 IoCs

Processes:

Surrogaterefnet.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RuntimeBroker.exe	Surrogaterefnet.exe
File created	C:\Program Files\VideoLAN\VLC\eddb19405b7ce1	Surrogaterefnet.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\27d1bcfc3c54e0	Surrogaterefnet.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\WaaSMedicAgent.exe	Surrogaterefnet.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\c82b8037eab33d	Surrogaterefnet.exe
File created	C:\Program Files\Windows Media Player\de-DE\services.exe	Surrogaterefnet.exe
File created	C:\Program Files (x86)\Reference Assemblies\9e8d7a4ca61bd9	Surrogaterefnet.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\24dbde2999530e	Surrogaterefnet.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe	Surrogaterefnet.exe
File created	C:\Program Files\Windows Media Player\de-DE\c5b4cb5e9653cc	Surrogaterefnet.exe
File created	C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe	Surrogaterefnet.exe
File created	C:\Program Files (x86)\Windows Portable Devices\38384e6a620884	Surrogaterefnet.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe	Surrogaterefnet.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991	Surrogaterefnet.exe
File created	C:\Program Files (x86)\Reference Assemblies\RuntimeBroker.exe	Surrogaterefnet.exe
File created	C:\Program Files\VideoLAN\VLC\backgroundTaskHost.exe	Surrogaterefnet.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe	Surrogaterefnet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3712	schtasks.exe
4636	schtasks.exe
3900	schtasks.exe
3132	schtasks.exe
5032	schtasks.exe
1688	schtasks.exe
2832	schtasks.exe
4864	schtasks.exe
4980	schtasks.exe
4564	schtasks.exe
2628	schtasks.exe
4208	schtasks.exe
384	schtasks.exe
1544	schtasks.exe
3988	schtasks.exe
900	schtasks.exe
4648	schtasks.exe
1012	schtasks.exe
2660	schtasks.exe
740	schtasks.exe
4168	schtasks.exe
4444	schtasks.exe
1036	schtasks.exe
2116	schtasks.exe
4376	schtasks.exe
4424	schtasks.exe
788	schtasks.exe
4940	schtasks.exe
4996	schtasks.exe
2320	schtasks.exe
1864	schtasks.exe
388	schtasks.exe
2148	schtasks.exe
5044	schtasks.exe
2616	schtasks.exe
4816	schtasks.exe
2220	schtasks.exe
744	schtasks.exe
2888	schtasks.exe
3500	schtasks.exe
2212	schtasks.exe
4052	schtasks.exe

Modifies registry class 2 IoCs

Processes:

09cacacf6eef86e62b26d5d1ca217c8e.exeSurrogaterefnet.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	09cacacf6eef86e62b26d5d1ca217c8e.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	Surrogaterefnet.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Surrogaterefnet.exeservices.exe

pid	process
4060	Surrogaterefnet.exe
4060	Surrogaterefnet.exe
4060	Surrogaterefnet.exe
4060	Surrogaterefnet.exe
4060	Surrogaterefnet.exe
4060	Surrogaterefnet.exe
4060	Surrogaterefnet.exe
4060	Surrogaterefnet.exe
4060	Surrogaterefnet.exe
4060	Surrogaterefnet.exe
4060	Surrogaterefnet.exe
4060	Surrogaterefnet.exe
4060	Surrogaterefnet.exe
4164	services.exe
4164	services.exe
4164	services.exe
4164	services.exe
4164	services.exe
4164	services.exe
4164	services.exe
4164	services.exe
4164	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

services.exe

pid process

4164 services.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Surrogaterefnet.exeservices.exe

description pid process

Token: SeDebugPrivilege 4060 Surrogaterefnet.exe
Token: SeDebugPrivilege 4164 services.exe

pid	process
4164	services.exe

description	pid	process
Token: SeDebugPrivilege	4060	Surrogaterefnet.exe
Token: SeDebugPrivilege	4164	services.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

09cacacf6eef86e62b26d5d1ca217c8e.exeWScript.execmd.exeSurrogaterefnet.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 1820	2020	09cacacf6eef86e62b26d5d1ca217c8e.exe	WScript.exe
PID 2020 wrote to memory of 1820	2020	09cacacf6eef86e62b26d5d1ca217c8e.exe	WScript.exe
PID 2020 wrote to memory of 1820	2020	09cacacf6eef86e62b26d5d1ca217c8e.exe	WScript.exe
PID 1820 wrote to memory of 3420	1820	WScript.exe	cmd.exe
PID 1820 wrote to memory of 3420	1820	WScript.exe	cmd.exe
PID 1820 wrote to memory of 3420	1820	WScript.exe	cmd.exe
PID 3420 wrote to memory of 4060	3420	cmd.exe	Surrogaterefnet.exe
PID 3420 wrote to memory of 4060	3420	cmd.exe	Surrogaterefnet.exe
PID 4060 wrote to memory of 1264	4060	Surrogaterefnet.exe	cmd.exe
PID 4060 wrote to memory of 1264	4060	Surrogaterefnet.exe	cmd.exe
PID 1264 wrote to memory of 4644	1264	cmd.exe	w32tm.exe
PID 1264 wrote to memory of 4644	1264	cmd.exe	w32tm.exe
PID 1264 wrote to memory of 4164	1264	cmd.exe	services.exe
PID 1264 wrote to memory of 4164	1264	cmd.exe	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\09cacacf6eef86e62b26d5d1ca217c8e.exe
"C:\Users\Admin\AppData\Local\Temp\09cacacf6eef86e62b26d5d1ca217c8e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\hyperchainagent\hVasfh5Xz1.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\hyperchainagent\DMBt2834kk6smlkgJa5RvPFxYK.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\hyperchainagent\Surrogaterefnet.exe
      "C:\hyperchainagent\Surrogaterefnet.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNI7NYrqvj.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1264
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4644
      - C:\Program Files\Windows Media Player\de-DE\services.exe
        
        "C:\Program Files\Windows Media Player\de-DE\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\hyperchainagent\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\hyperchainagent\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\hyperchainagent\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\odt\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\hyperchainagent\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\hyperchainagent\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\hyperchainagent\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\de-DE\services.exe

Filesize
2.3MB

MD5
dbf705ce9641d7783c9e867a15d463dc

SHA1
e14b23c79cdc102ef10cb35ce78e84a50e725549

SHA256
ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3

SHA512
4ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81

Download Submit
C:\Program Files\Windows Media Player\de-DE\services.exe

Filesize
2.3MB

MD5
dbf705ce9641d7783c9e867a15d463dc

SHA1
e14b23c79cdc102ef10cb35ce78e84a50e725549

SHA256
ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3

SHA512
4ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81

Download Submit
C:\Recovery\WindowsRE\conhost.exe

Filesize
2.3MB

MD5
dbf705ce9641d7783c9e867a15d463dc

SHA1
e14b23c79cdc102ef10cb35ce78e84a50e725549

SHA256
ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3

SHA512
4ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNI7NYrqvj.bat

Filesize
221B

MD5
6ab437681fecf0513d6eb66e43995f1d

SHA1
07bf3587525257b9c7502fc7bd3983d4aa3c9bb1

SHA256
d29baa188fc6299d47244cc837d42619e7173d905b0a1498d2f501dfca51683f

SHA512
f8fd4e4ae0ed2d792024ac3b831dbd6e2c92d65e8b908b1e7097437df5484d33fbb3404d52a4abf0dedea468a3a314b1022e24b55be97715fbbfa4c0e5bbeb86

Download Submit
C:\hyperchainagent\DMBt2834kk6smlkgJa5RvPFxYK.bat

Filesize
40B

MD5
9cbc6ed294d7df3d71188be1778d1e84

SHA1
49ea3428916b3fbbb817df9f40bd7fd3385dfb1e

SHA256
91bb54ba35c1ac167d6eedccd1b18f9178426f21aefcf14ac488e09dbb798af8

SHA512
7303ae61150beb18504db411371d2d6e0383f2f3e7a7e3f5f7e7feffa5cbce4fc9b1225474f57050c99f32d3adcbff7f8cab41e4f9edd78a5c26c15e95dea06a

Download Submit
C:\hyperchainagent\Surrogaterefnet.exe

Filesize
2.3MB

MD5
dbf705ce9641d7783c9e867a15d463dc

SHA1
e14b23c79cdc102ef10cb35ce78e84a50e725549

SHA256
ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3

SHA512
4ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81

Download Submit
C:\hyperchainagent\Surrogaterefnet.exe

Filesize
2.3MB

MD5
dbf705ce9641d7783c9e867a15d463dc

SHA1
e14b23c79cdc102ef10cb35ce78e84a50e725549

SHA256
ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3

SHA512
4ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81

Download Submit
C:\hyperchainagent\hVasfh5Xz1.vbe

Filesize
218B

MD5
16389aa806a3fd9a2322e3fbcddacede

SHA1
03c06c620f9717650013b8d2c30ca4a67d4e1939

SHA256
f2e9cef08cce338bbc9d5eea18059a3df236f4ca5a050bce564a94347dbc1742

SHA512
9d04db24f78c9a947510e32196d31380db479425cf52752231e1b0df44da43356c7e010f3dd9c79a446b05ca61ec35fbb2de5762f221b7aa1d9555d71555ea91

Download Submit
memory/4060-145-0x0000000000600000-0x0000000000852000-memory.dmp

Filesize
2.3MB

Download
memory/4060-146-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

Filesize
64KB

Download
memory/4060-147-0x0000000002990000-0x00000000029E0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads