dcrat | 99cd78f2a2b4d942eeb7de1fa2cd89963af80dbe8d59eac333ec8606da104e2e

Analysis

max time kernel
66s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-03-2023 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe
Size

1.6MB
MD5

a0fb4af03514fe70e036bbea624ea81f
SHA1

435f3ef79e360d89cab884e990a558722c9ce272
SHA256

82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b
SHA512

d3bc4a717f7057b4b2da642c6272f0d357dc0bdf39f898931491e409d4b58790a715138541668a56046c5332178ddb10fc439e5c4d0a7ac6825b82f34e9c268c
SSDEEP

24576:B2G/nvxW3WQnkHnDIlJzbBA5clWJG4kQy0ohgEGdHKK5Cu8Kc9mfCQbZ8/zARp:BbA37kHnDIbzi5MWjmuHNKQbi/E/

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	1540	schtasks.exe

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\PortfontWin\agentNet.exe	dcrat
C:\PortfontWin\agentNet.exe	dcrat
C:\PortfontWin\agentNet.exe	dcrat
\PortfontWin\agentNet.exe	dcrat
behavioral1/memory/1832-72-0x0000000000F50000-0x00000000010A0000-memory.dmp	dcrat
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\conhost.exe	dcrat
C:\PortfontWin\wininit.exe	dcrat
C:\PortfontWin\wininit.exe	dcrat
behavioral1/memory/1180-108-0x0000000001050000-0x00000000011A0000-memory.dmp	dcrat
behavioral1/memory/1180-109-0x000000001ACE0000-0x000000001AD60000-memory.dmp	dcrat
behavioral1/memory/1180-111-0x000000001ACE0000-0x000000001AD60000-memory.dmp	dcrat
behavioral1/memory/1180-117-0x000000001ACE0000-0x000000001AD60000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

agentNet.exewininit.exe

pid process

1832 agentNet.exe
1180 wininit.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

868 cmd.exe
868 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
868	cmd.exe
868	cmd.exe

Drops file in Program Files directory 6 IoCs

Processes:

agentNet.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\lsass.exe	agentNet.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\6203df4a6bafc7	agentNet.exe
File created	C:\Program Files (x86)\MSBuild\sppsvc.exe	agentNet.exe
File created	C:\Program Files (x86)\MSBuild\0a1fd5f707cd16	agentNet.exe
File created	C:\Program Files (x86)\Microsoft Office\services.exe	agentNet.exe
File created	C:\Program Files (x86)\Microsoft Office\c5b4cb5e9653cc	agentNet.exe

Drops file in Windows directory 1 IoCs

Processes:

agentNet.exe

description ioc process

File created C:\Windows\Boot\taskhost.exe agentNet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Boot\taskhost.exe	agentNet.exe

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
548	schtasks.exe
700	schtasks.exe
644	schtasks.exe
916	schtasks.exe
1424	schtasks.exe
744	schtasks.exe
780	schtasks.exe
1700	schtasks.exe
780	schtasks.exe
1632	schtasks.exe
804	schtasks.exe
1288	schtasks.exe
1560	schtasks.exe
1256	schtasks.exe
280	schtasks.exe
1944	schtasks.exe
1120	schtasks.exe
1952	schtasks.exe
272	schtasks.exe
1568	schtasks.exe
1804	schtasks.exe
660	schtasks.exe
1944	schtasks.exe
1348	schtasks.exe
984	schtasks.exe
1752	schtasks.exe
1264	schtasks.exe
1164	schtasks.exe
1552	schtasks.exe
1272	schtasks.exe
1288	schtasks.exe
908	schtasks.exe
1924	schtasks.exe
824	schtasks.exe
1752	schtasks.exe
1480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

agentNet.exewininit.exe

pid	process
1832	agentNet.exe
1832	agentNet.exe
1832	agentNet.exe
1180	wininit.exe
1180	wininit.exe
1180	wininit.exe
1180	wininit.exe
1180	wininit.exe
1180	wininit.exe
1180	wininit.exe
1180	wininit.exe
1180	wininit.exe
1180	wininit.exe
1180	wininit.exe
1180	wininit.exe
1180	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

agentNet.exewininit.exe

description pid process

Token: SeDebugPrivilege 1832 agentNet.exe
Token: SeDebugPrivilege 1180 wininit.exe

description	pid	process
Token: SeDebugPrivilege	1832	agentNet.exe
Token: SeDebugPrivilege	1180	wininit.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exeWScript.execmd.exeagentNet.exe

description	pid	process	target process
PID 284 wrote to memory of 1256	284	82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe	WScript.exe
PID 284 wrote to memory of 1256	284	82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe	WScript.exe
PID 284 wrote to memory of 1256	284	82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe	WScript.exe
PID 284 wrote to memory of 1256	284	82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe	WScript.exe
PID 284 wrote to memory of 852	284	82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe	WScript.exe
PID 284 wrote to memory of 852	284	82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe	WScript.exe
PID 284 wrote to memory of 852	284	82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe	WScript.exe
PID 284 wrote to memory of 852	284	82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe	WScript.exe
PID 1256 wrote to memory of 868	1256	WScript.exe	cmd.exe
PID 1256 wrote to memory of 868	1256	WScript.exe	cmd.exe
PID 1256 wrote to memory of 868	1256	WScript.exe	cmd.exe
PID 1256 wrote to memory of 868	1256	WScript.exe	cmd.exe
PID 868 wrote to memory of 1832	868	cmd.exe	agentNet.exe
PID 868 wrote to memory of 1832	868	cmd.exe	agentNet.exe
PID 868 wrote to memory of 1832	868	cmd.exe	agentNet.exe
PID 868 wrote to memory of 1832	868	cmd.exe	agentNet.exe
PID 1832 wrote to memory of 1180	1832	agentNet.exe	wininit.exe
PID 1832 wrote to memory of 1180	1832	agentNet.exe	wininit.exe
PID 1832 wrote to memory of 1180	1832	agentNet.exe	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe
"C:\Users\Admin\AppData\Local\Temp\82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PortfontWin\faioFQaWMfyQql5F1lpCdLP.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\PortfontWin\ItIWhmVbvimfR.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868

C:\PortfontWin\agentNet.exe
"C:\PortfontWin\agentNet.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\PortfontWin\wininit.exe
"C:\PortfontWin\wininit.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PortfontWin\file.vbs"
2⤵
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\DeviceSync\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\DeviceSync\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\DeviceSync\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\PortfontWin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\PortfontWin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\PortfontWin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Local\Application Data\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\Application Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default\AppData\Local\Application Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortfontWin\ItIWhmVbvimfR.bat
Filesize
29B

MD5
fd0d6ddda55e2608a242669717a0d517

SHA1
294004545081c4634c07f7cca31819207588c310

SHA256
dd0a8c6636afc291a09f480b9294860f6412555b0bfda3808917eff3637a005d

SHA512
d23fddbf26c32b50c3fe3eb654da3ac25e84b7d5bf3501c682bac74f39295a58c1072dd02b97e340a0ec28e30c58ed1bb1448badb5e680baea4d6bce769215a0

Download Submit
C:\PortfontWin\agentNet.exe
Filesize
1.3MB

MD5
cd663693d7804e051bd4d890a643a521

SHA1
186510d39cc3a7d928f47c3d6813c27c5e7e3674

SHA256
f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

SHA512
a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

Download Submit
C:\PortfontWin\agentNet.exe
Filesize
1.3MB

MD5
cd663693d7804e051bd4d890a643a521

SHA1
186510d39cc3a7d928f47c3d6813c27c5e7e3674

SHA256
f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

SHA512
a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

Download Submit
C:\PortfontWin\faioFQaWMfyQql5F1lpCdLP.vbe
Filesize
201B

MD5
d82d15119bf0f8e8e3077d786bcbbefb

SHA1
92a74c59f2984d8f7f9fcd22f44c463cc0177cbd

SHA256
1be73a1a92fa60e7ec1ab2b7777780d7f958c284b4c1596ea9ab5c3ad581e76f

SHA512
9aaa9dd3906c1b531b9c85f61b9da3d11f458f7eba22a4107fa4ed49868b45f1d0f804296f1ef35c62115d77204b99c235c9e6f504b65d752caf3f58c44eacaa

Download Submit
C:\PortfontWin\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\PortfontWin\wininit.exe
Filesize
1.3MB

MD5
cd663693d7804e051bd4d890a643a521

SHA1
186510d39cc3a7d928f47c3d6813c27c5e7e3674

SHA256
f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

SHA512
a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

Download Submit
C:\PortfontWin\wininit.exe
Filesize
1.3MB

MD5
cd663693d7804e051bd4d890a643a521

SHA1
186510d39cc3a7d928f47c3d6813c27c5e7e3674

SHA256
f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

SHA512
a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

Download Submit
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\conhost.exe
Filesize
1.3MB

MD5
cd663693d7804e051bd4d890a643a521

SHA1
186510d39cc3a7d928f47c3d6813c27c5e7e3674

SHA256
f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

SHA512
a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

Download Submit
\PortfontWin\agentNet.exe
Filesize
1.3MB

MD5
cd663693d7804e051bd4d890a643a521

SHA1
186510d39cc3a7d928f47c3d6813c27c5e7e3674

SHA256
f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

SHA512
a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

Download Submit
\PortfontWin\agentNet.exe
Filesize
1.3MB

MD5
cd663693d7804e051bd4d890a643a521

SHA1
186510d39cc3a7d928f47c3d6813c27c5e7e3674

SHA256
f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

SHA512
a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

Download Submit
memory/1180-108-0x0000000001050000-0x00000000011A0000-memory.dmp

Filesize
1.3MB

Download
memory/1180-109-0x000000001ACE0000-0x000000001AD60000-memory.dmp

Filesize
512KB

Download
memory/1180-110-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1180-111-0x000000001ACE0000-0x000000001AD60000-memory.dmp

Filesize
512KB

Download
memory/1180-117-0x000000001ACE0000-0x000000001AD60000-memory.dmp

Filesize
512KB

Download
memory/1832-76-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download
memory/1832-77-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/1832-75-0x00000000006C0000-0x00000000006D6000-memory.dmp

Filesize
88KB

Download
memory/1832-74-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/1832-73-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/1832-72-0x0000000000F50000-0x00000000010A0000-memory.dmp

Filesize
1.3MB

Download