dcrat | 326975832674627265c01a626a19ae8ff0a30fd7b7db9e17c098329730286f88

Analysis

max time kernel
120s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 09:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2059b153136de16e58e27a8549dac1b5.exe
Size

1.1MB
MD5

2059b153136de16e58e27a8549dac1b5
SHA1

47f7fdbee2c963e63b52cac18bc5b9bed9b7c10c
SHA256

326975832674627265c01a626a19ae8ff0a30fd7b7db9e17c098329730286f88
SHA512

4c2fea8436618c98cae0de3f1cc99dd26de6f84472eba496e49328f9354d3d10adbbb58b6867e35a1047deadd2bf4a9622c7328b7ffc7d1a280bc590015fa50e
SSDEEP

12288:URZ+IoG/n9IQxW3OBseUUT+tcYbDEq7n2lBvR0dWfExtTWmOfcziDi+CUF9q:u2G/nvxW3WieCDHWBvNCtbskUF9q

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2700	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2700	schtasks.exe	32

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015c70-11.dat	dcrat
behavioral1/files/0x0008000000015c70-12.dat	dcrat
behavioral1/memory/2848-13-0x0000000000920000-0x00000000009F6000-memory.dmp	dcrat
behavioral1/files/0x00060000000167ed-20.dat	dcrat
behavioral1/files/0x0007000000015ca3-47.dat	dcrat
behavioral1/memory/2172-48-0x0000000000810000-0x00000000008E6000-memory.dmp	dcrat
behavioral1/memory/2172-50-0x000000001AF10000-0x000000001AF90000-memory.dmp	dcrat
behavioral1/memory/2172-53-0x000000001AF10000-0x000000001AF90000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2848	runtimesvc.exe
2172	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2780	cmd.exe
2780	cmd.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe	runtimesvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6cb0b6c459d5d3	runtimesvc.exe
File created	C:\Program Files\Windows Portable Devices\Idle.exe	runtimesvc.exe
File created	C:\Program Files\Windows Portable Devices\6ccacd8608530f	runtimesvc.exe
File created	C:\Program Files\Common Files\cmd.exe	runtimesvc.exe
File created	C:\Program Files\Common Files\ebf1f9fa8afd6d	runtimesvc.exe
File created	C:\Program Files\Java\Idle.exe	runtimesvc.exe
File created	C:\Program Files\Java\6ccacd8608530f	runtimesvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\Idle.exe	runtimesvc.exe
File created	C:\Windows\Logs\CBS\6ccacd8608530f	runtimesvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2544	schtasks.exe
1052	schtasks.exe
2428	schtasks.exe
1012	schtasks.exe
2056	schtasks.exe
848	schtasks.exe
2912	schtasks.exe
1348	schtasks.exe
632	schtasks.exe
1764	schtasks.exe
2096	schtasks.exe
2560	schtasks.exe
692	schtasks.exe
2244	schtasks.exe
2360	schtasks.exe
2468	schtasks.exe
2632	schtasks.exe
2040	schtasks.exe
720	schtasks.exe
1336	schtasks.exe
2884	schtasks.exe
2908	schtasks.exe
524	schtasks.exe
1904	schtasks.exe
1140	schtasks.exe
2596	schtasks.exe
2372	schtasks.exe
1920	schtasks.exe
1312	schtasks.exe
1664	schtasks.exe
1520	schtasks.exe
1376	schtasks.exe
680	schtasks.exe
2660	schtasks.exe
2120	schtasks.exe
2404	schtasks.exe
1688	schtasks.exe
2964	schtasks.exe
1964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2848	runtimesvc.exe
2848	runtimesvc.exe
2848	runtimesvc.exe
2172	Idle.exe
2172	Idle.exe
2172	Idle.exe
2172	Idle.exe
2172	Idle.exe
2172	Idle.exe
2172	Idle.exe
2172	Idle.exe
2172	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2172	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	runtimesvc.exe
Token: SeDebugPrivilege	2172	Idle.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2656	2272	2059b153136de16e58e27a8549dac1b5.exe	28
PID 2272 wrote to memory of 2656	2272	2059b153136de16e58e27a8549dac1b5.exe	28
PID 2272 wrote to memory of 2656	2272	2059b153136de16e58e27a8549dac1b5.exe	28
PID 2272 wrote to memory of 2656	2272	2059b153136de16e58e27a8549dac1b5.exe	28
PID 2656 wrote to memory of 2780	2656	WScript.exe	29
PID 2656 wrote to memory of 2780	2656	WScript.exe	29
PID 2656 wrote to memory of 2780	2656	WScript.exe	29
PID 2656 wrote to memory of 2780	2656	WScript.exe	29
PID 2780 wrote to memory of 2848	2780	cmd.exe	31
PID 2780 wrote to memory of 2848	2780	cmd.exe	31
PID 2780 wrote to memory of 2848	2780	cmd.exe	31
PID 2780 wrote to memory of 2848	2780	cmd.exe	31
PID 2848 wrote to memory of 2172	2848	runtimesvc.exe	72
PID 2848 wrote to memory of 2172	2848	runtimesvc.exe	72
PID 2848 wrote to memory of 2172	2848	runtimesvc.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2059b153136de16e58e27a8549dac1b5.exe
"C:\Users\Admin\AppData\Local\Temp\2059b153136de16e58e27a8549dac1b5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\hypersurrogatesavesIntonet\nNwgCkzp4Tu.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\hypersurrogatesavesIntonet\XzEJPxdTk.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\hypersurrogatesavesIntonet\runtimesvc.exe
      "C:\hypersurrogatesavesIntonet\runtimesvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\Idle.exe
        
        "C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\hypersurrogatesavesIntonet\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\hypersurrogatesavesIntonet\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\hypersurrogatesavesIntonet\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Common Files\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\CBS\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\CBS\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\hypersurrogatesavesIntonet\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\hypersurrogatesavesIntonet\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\hypersurrogatesavesIntonet\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Videos\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Videos\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\cmd.exe

Filesize
827KB

MD5
ed66730e6ae871c628540ae1d707ffa4

SHA1
724a5d4a86e5af83df6c309fa4a5908a115f149d

SHA256
17431781b4d634c1a6f0e6265fdafcdf9eb122ad54f39a35a65ad0aca9a90767

SHA512
3260f29bd032a76fd4e36be67dafc0edaa57f4d39afbd673611064180b3340870757c867bc010531e98f39c384af5fdb1fe3bb4cd872918e8ca5bc11408bddb7

Download Submit
C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\Idle.exe

Filesize
64KB

MD5
a40e818c1eacaf132e8e00ed6a26e75c

SHA1
628a975dc8048f303919f8ae741c44faabc5591e

SHA256
54aa4143898dfe6293f69f329eaf52b6c22969cc69cba1c971da51e7b53bfd4f

SHA512
2490db7d1cde7d7a97de16b511d3a032bc3948de6a2f828e456d7e1128bb5e0d49452559f282d51d78a888e3d7d0d6ed0c7247f889e92913f0e1ac99c387e306

Download Submit
C:\hypersurrogatesavesIntonet\XzEJPxdTk.bat

Filesize
46B

MD5
ccbd5a0fde012049bf4e8b28566ca30e

SHA1
8df48a4a6319201e65fcc50925d0eb9f505fa949

SHA256
dd75a7f5f37127d0dfbfb6fac014b6345e318ec09197b42a32930fe902a38bcd

SHA512
ee34c5e259c8593eee2730d5f2e263fde14f70c47404b7743fea15ced052817f98daea57e1bd46f6fd2a98f4a12f02a85f39402d112d46053d77692732510baf

Download Submit
C:\hypersurrogatesavesIntonet\nNwgCkzp4Tu.vbe

Filesize
212B

MD5
8671b76c7387f72afcf00a18a32c3cbd

SHA1
6e4d2251cfca5b7673e0419703aaef91c4329210

SHA256
b5d7aa554ff2815f7b664ec2b777944acef1438987876cb55183378059e18a32

SHA512
0c096f044ce9bc7f75a691ce5b51f30ed8fbf1d559ae5ce5c30a08d9f1a9060cefd56029829c82fbc7c0a296dddb41f02dd912aae3e38e0615e273bf601a3b48

Download Submit
C:\hypersurrogatesavesIntonet\runtimesvc.exe

Filesize
86KB

MD5
bc2eaa890050e5b0d3d8c123c5c6b625

SHA1
4258e9657128835e01eab505f46b3c927150b116

SHA256
bfa276981b833169eae7dac8b4af3729fd8f11e851400f2d1a106e2260e492d0

SHA512
e437ee2f458760102e2eada03c6e273365d6215a415f76bc3b4bfa881946554929a82d1bb729808daef9a2bf4673313d5b7d503095bc4416de18eb84c4900d75

Download Submit
\hypersurrogatesavesIntonet\runtimesvc.exe

Filesize
128KB

MD5
3ae9cf3e305d7427b4d243fbd32cdbf9

SHA1
137e25d82e13dc1921d4f161bf75dc458248c931

SHA256
ad4ba9a802469366f5ed209ddcdcc20156d16067af1777484aacfbffd5b39d51

SHA512
83233d7a78bb96527b720321a5b8db9896600420072f7c780ce8bb7b724485c8adacdbb12abf4aff6d0354df98b9d73c883fe55cc9aa4b2a30ee393cfd91e9f1

Download Submit
memory/2172-48-0x0000000000810000-0x00000000008E6000-memory.dmp

Filesize
856KB

Download
memory/2172-49-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-50-0x000000001AF10000-0x000000001AF90000-memory.dmp

Filesize
512KB

Download
memory/2172-52-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-53-0x000000001AF10000-0x000000001AF90000-memory.dmp

Filesize
512KB

Download
memory/2848-15-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/2848-14-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-13-0x0000000000920000-0x00000000009F6000-memory.dmp

Filesize
856KB

Download
memory/2848-51-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download