dcrat | dfb61558c4fe802041d53dc777e82106afc9377cf60567e797296b1cd74aa402

Analysis

max time kernel
4s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3e27c65c632c88eb12cef32cbaf4645.exe
Size

3.7MB
MD5

b3e27c65c632c88eb12cef32cbaf4645
SHA1

80a1aa9872bb18bf0e47da6f4a3c77729503739f
SHA256

dfb61558c4fe802041d53dc777e82106afc9377cf60567e797296b1cd74aa402
SHA512

4a17c489f663386f962835f4868ced34d0462e8b2f6f2c6c0f864178de42d5aeef5fc070392b8f9779704f8c4486ee7ae2cee22185183544f20cfa729f92095f
SSDEEP

49152:PbA31CZGtBT5fh8cPVlHiHXzufiQvFywW7sTUbqKKd71+Va6b7W6jerVuacXxtXe:PbZuBT5JNVxi3KfPQ9d78AacXEk+LVUO

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1976	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1976	schtasks.exe	33

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	perfMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	perfMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	perfMonitor.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000014667-14.dat	dcrat
behavioral1/files/0x0007000000014667-17.dat	dcrat
behavioral1/files/0x0007000000014667-16.dat	dcrat
behavioral1/memory/2688-18-0x0000000000930000-0x0000000000C9A000-memory.dmp	dcrat
behavioral1/memory/1468-92-0x0000000000C80000-0x0000000000FEA000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2688	perfMonitor.exe

Loads dropped DLL 2 IoCs

pid	Process
2616	cmd.exe
2616	cmd.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	perfMonitor.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe	perfMonitor.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\886983d96e3d3e	perfMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1760	schtasks.exe
1516	schtasks.exe
812	schtasks.exe
328	schtasks.exe
1140	schtasks.exe
2224	schtasks.exe
1452	schtasks.exe
2240	schtasks.exe
1444	schtasks.exe
888	schtasks.exe
2332	schtasks.exe
1508	schtasks.exe
1544	schtasks.exe
2548	schtasks.exe
2272	schtasks.exe
820	schtasks.exe
1972	schtasks.exe
2088	schtasks.exe
1644	schtasks.exe
2352	schtasks.exe
2640	schtasks.exe
320	schtasks.exe
1656	schtasks.exe
2400	schtasks.exe
984	schtasks.exe
1088	schtasks.exe
2788	schtasks.exe
2212	schtasks.exe
2064	schtasks.exe
1844	schtasks.exe
2312	schtasks.exe
2852	schtasks.exe
1200	schtasks.exe
604	schtasks.exe
2132	schtasks.exe
1704	schtasks.exe
1472	schtasks.exe
2192	schtasks.exe
2944	schtasks.exe
2648	schtasks.exe
2116	schtasks.exe
1044	schtasks.exe
1212	schtasks.exe
1040	schtasks.exe
1320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2688	perfMonitor.exe
2688	perfMonitor.exe
2688	perfMonitor.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	perfMonitor.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2808	1740	b3e27c65c632c88eb12cef32cbaf4645.exe	28
PID 1740 wrote to memory of 2808	1740	b3e27c65c632c88eb12cef32cbaf4645.exe	28
PID 1740 wrote to memory of 2808	1740	b3e27c65c632c88eb12cef32cbaf4645.exe	28
PID 1740 wrote to memory of 2808	1740	b3e27c65c632c88eb12cef32cbaf4645.exe	28
PID 1740 wrote to memory of 2348	1740	b3e27c65c632c88eb12cef32cbaf4645.exe	29
PID 1740 wrote to memory of 2348	1740	b3e27c65c632c88eb12cef32cbaf4645.exe	29
PID 1740 wrote to memory of 2348	1740	b3e27c65c632c88eb12cef32cbaf4645.exe	29
PID 1740 wrote to memory of 2348	1740	b3e27c65c632c88eb12cef32cbaf4645.exe	29
PID 2808 wrote to memory of 2616	2808	WScript.exe	30
PID 2808 wrote to memory of 2616	2808	WScript.exe	30
PID 2808 wrote to memory of 2616	2808	WScript.exe	30
PID 2808 wrote to memory of 2616	2808	WScript.exe	30
PID 2616 wrote to memory of 2688	2616	cmd.exe	32
PID 2616 wrote to memory of 2688	2616	cmd.exe	32
PID 2616 wrote to memory of 2688	2616	cmd.exe	32
PID 2616 wrote to memory of 2688	2616	cmd.exe	32

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	perfMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	perfMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	perfMonitor.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b3e27c65c632c88eb12cef32cbaf4645.exe
"C:\Users\Admin\AppData\Local\Temp\b3e27c65c632c88eb12cef32cbaf4645.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comweb\WJQNLTktExtEzRzmF.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\comweb\wAZLEh.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\comweb\perfMonitor.exe
      "C:\comweb\perfMonitor.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:2688
    - - C:\Users\Default\lsm.exe
        
        "C:\Users\Default\lsm.exe"
        5⤵
        
        PID:1468
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4e43e2c-0e9d-43ad-986e-bc16619ed797.vbs"
        6⤵
        
        PID:2176
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c21ca540-60ef-486a-baae-19e4d5a3c359.vbs"
        6⤵
        
        PID:1800
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comweb\file.vbs"
  2⤵
  PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "perfMonitorp" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\perfMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "perfMonitor" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\perfMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "perfMonitorp" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\perfMonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\comweb\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\comweb\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\comweb\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\comweb\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\comweb\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Default\Documents\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\comweb\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\comweb\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\comweb\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\comweb\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\comweb\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\comweb\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\comweb\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1172

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\comweb\WJQNLTktExtEzRzmF.vbe

Filesize
189B

MD5
d16733aaf8d56d9d781624aedf254f40

SHA1
ab730d9a5f03bee9ccc06e03779159101e6a8d5e

SHA256
248a0afbffe16a85424600dc674b39213b6a8543ccf50ae3b04ef90339e00fc6

SHA512
eb312960ffea878315d44434cb700b96a15d61da1a12d7f059c64377bda639bf354997a543c36ff117e85c7a446b62b05a164b0e124f687d9943f9e03b3fdae5

Download Submit
C:\comweb\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\comweb\perfMonitor.exe

Filesize
960KB

MD5
5c08c7744c4c1e6520f2d2b462360dcb

SHA1
f771f40ac5422e8448ff0ef8fa97c456ef2e23b0

SHA256
8031ad3148a3be42c3d7b7b320d34da96cf6b8569690fc9a8b1fd705d1d62021

SHA512
9197f2b4e54252289e6b763ebb12518319d1cea75351ca72e665c9cba0b0e57b46e215f058c777713581eb6fa506e5f2534b503a15133b9cdf689a2cc73a6d88

Download Submit
C:\comweb\wAZLEh.bat

Filesize
27B

MD5
91b82fc66629750d32192e4a70877af8

SHA1
316fe240b48e24116e8ec227b7b8b140669db6d0

SHA256
997a95f993ca0f1d52c5c7bf42b73fb4872902c7502ab9d7a06099a831148cd3

SHA512
5b008398d2c055aad62978f850c86b93c0e36a9515271b39bc2c107136499a0f1fbd32992b1d901ad192884312c47341357df88a17528eb1bddfd85530b18085

Download Submit
\comweb\perfMonitor.exe

Filesize
1.1MB

MD5
ec3b244ea9282c7f664fb30f99ed8bce

SHA1
85877d00231a26155bcfb055b98599f37aecca15

SHA256
a483f60b3c2adb3fb6a37643089444885c8548c966a81c583b20b2f20dcd6fde

SHA512
6f2276e94a2db872d6617786ad47e3bceb5af3b937e5f876d9b548f094868b454e2f3b7a87bbd3431a1d42a364d156dc9d85aab232b2e26891024399fe5a7da5

Download Submit
\comweb\perfMonitor.exe

Filesize
1.2MB

MD5
2fcbbc102198d85ae140e451a17b14dd

SHA1
edc4dc89ad69348e2ebcb44c411c8e8ba3e61f7b

SHA256
855f6ecce28e453326d78b191db7090782926f1f26842f5e0c39a7ab13ab6f6c

SHA512
2427b5e60a5bd9bfb2111dc67a4d2d2e5bb3dbba05c825a0adc50703b93070f49dab011c861bc2f5eaadd3de47eeaa88976048edc36756356581071a066c6904

Download Submit
memory/1468-95-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/1468-96-0x0000000000C70000-0x0000000000C82000-memory.dmp

Filesize
72KB

Download
memory/1468-93-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/1468-92-0x0000000000C80000-0x0000000000FEA000-memory.dmp

Filesize
3.4MB

Download
memory/1468-131-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/1468-130-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/1468-109-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2688-52-0x000000001AAE0000-0x000000001AAEC000-memory.dmp

Filesize
48KB

Download
memory/2688-45-0x000000001AA70000-0x000000001AA78000-memory.dmp

Filesize
32KB

Download
memory/2688-32-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/2688-33-0x0000000000640000-0x000000000064A000-memory.dmp

Filesize
40KB

Download
memory/2688-34-0x0000000002580000-0x00000000025D6000-memory.dmp

Filesize
344KB

Download
memory/2688-36-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2688-39-0x0000000000910000-0x0000000000922000-memory.dmp

Filesize
72KB

Download
memory/2688-44-0x000000001AA60000-0x000000001AA6C000-memory.dmp

Filesize
48KB

Download
memory/2688-50-0x000000001AAC0000-0x000000001AACE000-memory.dmp

Filesize
56KB

Download
memory/2688-55-0x000000001AC10000-0x000000001AC1C000-memory.dmp

Filesize
48KB

Download
memory/2688-54-0x000000001AB00000-0x000000001AB0A000-memory.dmp

Filesize
40KB

Download
memory/2688-53-0x000000001AAF0000-0x000000001AAF8000-memory.dmp

Filesize
32KB

Download
memory/2688-94-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-22-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/2688-51-0x000000001AAD0000-0x000000001AAD8000-memory.dmp

Filesize
32KB

Download
memory/2688-49-0x000000001AAB0000-0x000000001AAB8000-memory.dmp

Filesize
32KB

Download
memory/2688-48-0x000000001AAA0000-0x000000001AAAE000-memory.dmp

Filesize
56KB

Download
memory/2688-47-0x000000001AA90000-0x000000001AA9A000-memory.dmp

Filesize
40KB

Download
memory/2688-46-0x000000001AA80000-0x000000001AA8C000-memory.dmp

Filesize
48KB

Download
memory/2688-28-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2688-43-0x00000000025D0000-0x00000000025DC000-memory.dmp

Filesize
48KB

Download
memory/2688-42-0x00000000024F0000-0x00000000024F8000-memory.dmp

Filesize
32KB

Download
memory/2688-41-0x00000000024E0000-0x00000000024EC000-memory.dmp

Filesize
48KB

Download
memory/2688-40-0x0000000000920000-0x000000000092C000-memory.dmp

Filesize
48KB

Download
memory/2688-38-0x0000000000900000-0x0000000000908000-memory.dmp

Filesize
32KB

Download
memory/2688-37-0x00000000008F0000-0x00000000008FC000-memory.dmp

Filesize
48KB

Download
memory/2688-35-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2688-31-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2688-30-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2688-29-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/2688-27-0x00000000005C0000-0x00000000005D6000-memory.dmp

Filesize
88KB

Download
memory/2688-26-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2688-25-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2688-24-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2688-23-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/2688-21-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/2688-20-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/2688-19-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-18-0x0000000000930000-0x0000000000C9A000-memory.dmp

Filesize
3.4MB

Download