dcrat | 5ad5e035ba717e1db0bf6b1dde36d4da4a25d6156c3f51ca8c44ed075b57c043

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/06/2023, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CHEAT and Bypass Matrix.exe
Size

2.8MB
MD5

642032685b8048204bf59668a7ed48c9
SHA1

910555e0aa8b52cc5210f6523bde469f0f3e90fc
SHA256

5ad5e035ba717e1db0bf6b1dde36d4da4a25d6156c3f51ca8c44ed075b57c043
SHA512

91cc4c1c41dab2442b9b73b4e3196c780738aca8d2a186c4d6c3e7b63c7d9bfafce56962ffb395d070c1b7ec1e3b709bcb59c14fb9f513d5106310f6bd77b20c
SSDEEP

49152:UbA30J2bjYDwitkxyOO1dHyWOdewRrirxMjvQI7OAax3Bd:UbNgjMJ2dyrybQI7Qzd

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1464	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	1464	schtasks.exe	32

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000122e9-71.dat	dcrat
behavioral1/files/0x00080000000122e9-70.dat	dcrat
behavioral1/files/0x00080000000122e9-69.dat	dcrat
behavioral1/files/0x00080000000122e9-68.dat	dcrat
behavioral1/memory/512-72-0x00000000012A0000-0x0000000001530000-memory.dmp	dcrat
behavioral1/files/0x00080000000122f7-89.dat	dcrat
behavioral1/files/0x0008000000012305-102.dat	dcrat
behavioral1/files/0x0008000000012305-103.dat	dcrat
behavioral1/memory/1472-104-0x0000000000DD0000-0x0000000001060000-memory.dmp	dcrat
behavioral1/memory/1472-105-0x000000001B260000-0x000000001B2E0000-memory.dmp	dcrat
behavioral1/memory/1472-106-0x000000001B260000-0x000000001B2E0000-memory.dmp	dcrat
behavioral1/memory/1472-173-0x000000001B260000-0x000000001B2E0000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
512	msSurrogateHost.exe
1472	WMIADAP.exe

Loads dropped DLL 2 IoCs

pid	Process
1000	cmd.exe
1000	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\skins\75a57c1bdf437c	msSurrogateHost.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe	msSurrogateHost.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\886983d96e3d3e	msSurrogateHost.exe
File created	C:\Program Files\VideoLAN\VLC\skins\WMIADAP.exe	msSurrogateHost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\inf\conhost.exe	msSurrogateHost.exe
File created	C:\Windows\inf\088424020bedd6	msSurrogateHost.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe	msSurrogateHost.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\6ccacd8608530f	msSurrogateHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1036	schtasks.exe
1948	schtasks.exe
840	schtasks.exe
1612	schtasks.exe
1960	schtasks.exe
1968	schtasks.exe
676	schtasks.exe
1496	schtasks.exe
1776	schtasks.exe
1500	schtasks.exe
1824	schtasks.exe
1764	schtasks.exe
668	schtasks.exe
1240	schtasks.exe
1616	schtasks.exe
756	schtasks.exe
836	schtasks.exe
1700	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WMIADAP.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WMIADAP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	WMIADAP.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WMIADAP.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WMIADAP.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WMIADAP.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
512	msSurrogateHost.exe
1472	WMIADAP.exe
1472	WMIADAP.exe
1472	WMIADAP.exe
1472	WMIADAP.exe
1472	WMIADAP.exe
1472	WMIADAP.exe
1472	WMIADAP.exe
1472	WMIADAP.exe
1472	WMIADAP.exe
1472	WMIADAP.exe
1472	WMIADAP.exe
1472	WMIADAP.exe
1472	WMIADAP.exe
1472	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	512	msSurrogateHost.exe
Token: SeDebugPrivilege	1472	WMIADAP.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1472	WMIADAP.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1864	1984	CHEAT and Bypass Matrix.exe	27
PID 1984 wrote to memory of 1864	1984	CHEAT and Bypass Matrix.exe	27
PID 1984 wrote to memory of 1864	1984	CHEAT and Bypass Matrix.exe	27
PID 1984 wrote to memory of 1864	1984	CHEAT and Bypass Matrix.exe	27
PID 1984 wrote to memory of 1752	1984	CHEAT and Bypass Matrix.exe	28
PID 1984 wrote to memory of 1752	1984	CHEAT and Bypass Matrix.exe	28
PID 1984 wrote to memory of 1752	1984	CHEAT and Bypass Matrix.exe	28
PID 1984 wrote to memory of 1752	1984	CHEAT and Bypass Matrix.exe	28
PID 1864 wrote to memory of 1000	1864	WScript.exe	29
PID 1864 wrote to memory of 1000	1864	WScript.exe	29
PID 1864 wrote to memory of 1000	1864	WScript.exe	29
PID 1864 wrote to memory of 1000	1864	WScript.exe	29
PID 1000 wrote to memory of 512	1000	cmd.exe	31
PID 1000 wrote to memory of 512	1000	cmd.exe	31
PID 1000 wrote to memory of 512	1000	cmd.exe	31
PID 1000 wrote to memory of 512	1000	cmd.exe	31
PID 512 wrote to memory of 1468	512	msSurrogateHost.exe	51
PID 512 wrote to memory of 1468	512	msSurrogateHost.exe	51
PID 512 wrote to memory of 1468	512	msSurrogateHost.exe	51
PID 1468 wrote to memory of 1988	1468	cmd.exe	53
PID 1468 wrote to memory of 1988	1468	cmd.exe	53
PID 1468 wrote to memory of 1988	1468	cmd.exe	53
PID 1468 wrote to memory of 1472	1468	cmd.exe	54
PID 1468 wrote to memory of 1472	1468	cmd.exe	54
PID 1468 wrote to memory of 1472	1468	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CHEAT and Bypass Matrix.exe
"C:\Users\Admin\AppData\Local\Temp\CHEAT and Bypass Matrix.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\Q2YeCqE8qxd61K1ktFeXh5Nj.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\L2kmnRelizDcO70ipFvI.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\msSurrogateHost.exe
      "C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\msSurrogateHost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:512
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3D0ZldFac.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1468
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1988
      - C:\Program Files\VideoLAN\VLC\skins\WMIADAP.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\WMIADAP.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1472
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\file.vbs"
  2⤵
  PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\inf\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\inf\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\skins\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VideoLAN\VLC\skins\WMIADAP.exe

Filesize
2.5MB

MD5
75136c00a06c6ee8c30e8a969fac27a9

SHA1
d4d02785c465a544573f6d113849d48f2ad35fed

SHA256
28c79c3f0bd6ee03025e4e4f61a2d25a00bebc0b1d3776bfabc824fc49013fcf

SHA512
187385d74f340932ba2b46970846e72f0da058a29f49a50879edde3aef17dc910ca49fb0ae24cc2d49745cd1f21c4450aa4f3d258b8a129918a51b217506af2d

Download Submit
C:\Program Files\VideoLAN\VLC\skins\WMIADAP.exe

Filesize
2.5MB

MD5
75136c00a06c6ee8c30e8a969fac27a9

SHA1
d4d02785c465a544573f6d113849d48f2ad35fed

SHA256
28c79c3f0bd6ee03025e4e4f61a2d25a00bebc0b1d3776bfabc824fc49013fcf

SHA512
187385d74f340932ba2b46970846e72f0da058a29f49a50879edde3aef17dc910ca49fb0ae24cc2d49745cd1f21c4450aa4f3d258b8a129918a51b217506af2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8f9841e4ea896de79ef81e1e84ad38a2

SHA1
e84fabf6ec34b8416d83cdbf409e7ef52f41f51c

SHA256
6277e433f45f5aa4fc394629ef9419891188d68d1a2a2c60579778b64c9ee26f

SHA512
61bdfe322e847d4d1ae0c1c6469d0968bf46b5a4e1935b7d673e7ff9608e1eb865c4eb44baa4017ef02081efce3a5a1aa0f2f933c8c50c728d3f120f4cc56692

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD6E2.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD7F2.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3D0ZldFac.bat

Filesize
212B

MD5
37a315ea1eca4de3cad97d971e92867e

SHA1
dc6b435b02b02389188fbdc378b0e1dd8085695a

SHA256
099afa2659b7b6e67fd116403e8cf246c13b837299bf47e18d72c597e95b824d

SHA512
348c3ec2bf7701d4f0a37f729951b505acf83eae93cc45db5618cb3bd45defa116d756c9a9811d238cf7a7b65d130311452c394f0407fa9b51c6c397824fe237

Download Submit
C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\L2kmnRelizDcO70ipFvI.bat

Filesize
60B

MD5
b6624ab28db92e8454896ba35912ab2f

SHA1
feeea3355fb8843473929109d7dd3e5086760e7e

SHA256
d67eb0c7b4677ac9994f1fdd1bac8f93f36118edade88f1621cdc5cf4cbc87b7

SHA512
49bdd3c3dd062b0c883d9df6cf3a91ad760fd2af7c27ddf17fd85b4deac749a61c98153ce17571c0edaad006a6ac3722a942cc11a34179360a9f0002776aa743

Download Submit
C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\Q2YeCqE8qxd61K1ktFeXh5Nj.vbe

Filesize
233B

MD5
9719764b189e753dd43947095a6f02b7

SHA1
33e872f83f5370d00a3a462df8c273d23c11ccb0

SHA256
0dff1318f84f87d552e7e01a08de8da13ef87f048aa58ef6d5ce5d8fd3bc52d9

SHA512
7fd88d9f96bc9c26ef007c872f4221b2b2a0a04db505fbaaa89148be8720d65fc6edd7a5ffc411db58bb218f098158889874a1e19f0ba9b7511107220c512e03

Download Submit
C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\msSurrogateHost.exe

Filesize
2.5MB

MD5
75136c00a06c6ee8c30e8a969fac27a9

SHA1
d4d02785c465a544573f6d113849d48f2ad35fed

SHA256
28c79c3f0bd6ee03025e4e4f61a2d25a00bebc0b1d3776bfabc824fc49013fcf

SHA512
187385d74f340932ba2b46970846e72f0da058a29f49a50879edde3aef17dc910ca49fb0ae24cc2d49745cd1f21c4450aa4f3d258b8a129918a51b217506af2d

Download Submit
C:\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\msSurrogateHost.exe

Filesize
2.5MB

MD5
75136c00a06c6ee8c30e8a969fac27a9

SHA1
d4d02785c465a544573f6d113849d48f2ad35fed

SHA256
28c79c3f0bd6ee03025e4e4f61a2d25a00bebc0b1d3776bfabc824fc49013fcf

SHA512
187385d74f340932ba2b46970846e72f0da058a29f49a50879edde3aef17dc910ca49fb0ae24cc2d49745cd1f21c4450aa4f3d258b8a129918a51b217506af2d

Download Submit
C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe

Filesize
2.5MB

MD5
75136c00a06c6ee8c30e8a969fac27a9

SHA1
d4d02785c465a544573f6d113849d48f2ad35fed

SHA256
28c79c3f0bd6ee03025e4e4f61a2d25a00bebc0b1d3776bfabc824fc49013fcf

SHA512
187385d74f340932ba2b46970846e72f0da058a29f49a50879edde3aef17dc910ca49fb0ae24cc2d49745cd1f21c4450aa4f3d258b8a129918a51b217506af2d

Download Submit
\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\msSurrogateHost.exe

Filesize
2.5MB

MD5
75136c00a06c6ee8c30e8a969fac27a9

SHA1
d4d02785c465a544573f6d113849d48f2ad35fed

SHA256
28c79c3f0bd6ee03025e4e4f61a2d25a00bebc0b1d3776bfabc824fc49013fcf

SHA512
187385d74f340932ba2b46970846e72f0da058a29f49a50879edde3aef17dc910ca49fb0ae24cc2d49745cd1f21c4450aa4f3d258b8a129918a51b217506af2d

Download Submit
\Users\Admin\AppData\Roaming\msagentsessionruntimemonitor\msSurrogateHost.exe

Filesize
2.5MB

MD5
75136c00a06c6ee8c30e8a969fac27a9

SHA1
d4d02785c465a544573f6d113849d48f2ad35fed

SHA256
28c79c3f0bd6ee03025e4e4f61a2d25a00bebc0b1d3776bfabc824fc49013fcf

SHA512
187385d74f340932ba2b46970846e72f0da058a29f49a50879edde3aef17dc910ca49fb0ae24cc2d49745cd1f21c4450aa4f3d258b8a129918a51b217506af2d

Download Submit
memory/512-81-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/512-74-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/512-82-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/512-84-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/512-83-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/512-79-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/512-78-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/512-77-0x00000000005E0000-0x0000000000636000-memory.dmp

Filesize
344KB

Download
memory/512-76-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/512-72-0x00000000012A0000-0x0000000001530000-memory.dmp

Filesize
2.6MB

Download
memory/512-73-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/512-80-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/512-75-0x00000000001E0000-0x00000000001F6000-memory.dmp

Filesize
88KB

Download
memory/1472-106-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/1472-105-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/1472-104-0x0000000000DD0000-0x0000000001060000-memory.dmp

Filesize
2.6MB

Download
memory/1472-173-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/1472-182-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/1472-204-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/1472-205-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download