dcrat | 7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-03-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d6590415fa189e9c982e883dc3bcdde.exe
Size

3.3MB
MD5

1d6590415fa189e9c982e883dc3bcdde
SHA1

8261a5718af6eb9ebee4e822e5bd0138f7915dc3
SHA256

7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649
SHA512

304611cfa8c130dde5e4de5282d3d92a555b85d50889ea097dec9908d619c7d36ec28886c64aa0364d631c289d9bbf509c0ea0aeb7887c92fd91ee3d7834d07e
SSDEEP

98304:oZ1HRsp8NbXaaIptoNMrF4NOgmwCof84h:oZVIaIpeOrmNOTwCol

Score

10^/10

dcrat umbral evasion infostealer rat stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1219193245557325834/Pny7ckgnLuo9kv28SEntCevPyhBWlY4AfJu4MogOozH9-s-mNnQ7UZJcF1RdHsmmAwgC

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000f0000000006fd-20.dat	family_umbral
behavioral1/memory/2556-22-0x0000000000EA0000-0x0000000000EE0000-memory.dmp	family_umbral

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2892	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2892	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2892	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2892	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2892	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2892	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2892	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2892	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2892	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2892	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2892	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2892	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2892	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2892	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2892	schtasks.exe	28

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyperInto.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000e00000001224c-45.dat	dcrat
behavioral1/files/0x0007000000015c0d-63.dat	dcrat
behavioral1/files/0x0007000000015c0d-66.dat	dcrat
behavioral1/files/0x0007000000015c0d-65.dat	dcrat
behavioral1/files/0x0007000000015c0d-64.dat	dcrat
behavioral1/memory/1028-68-0x0000000001330000-0x000000000169A000-memory.dmp	dcrat
behavioral1/files/0x000600000001704f-109.dat	dcrat

Executes dropped EXE 4 IoCs

pid	Process
2556	Saransk.exe
1884	Injector.exe
1028	hyperInto.exe
2860	hyperInto.exe

Loads dropped DLL 2 IoCs

pid	Process
1816	cmd.exe
1816	cmd.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperInto.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperInto.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\it-IT\lsass.exe	hyperInto.exe
File created	C:\Program Files\Windows Sidebar\it-IT\6203df4a6bafc7	hyperInto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1316	schtasks.exe
836	schtasks.exe
2196	schtasks.exe
692	schtasks.exe
1848	schtasks.exe
2316	schtasks.exe
792	schtasks.exe
1356	schtasks.exe
1052	schtasks.exe
2156	schtasks.exe
1656	schtasks.exe
2332	schtasks.exe
1644	schtasks.exe
1968	schtasks.exe
1708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2960	powershell.exe
2476	powershell.exe
1028	hyperInto.exe
1028	hyperInto.exe
1028	hyperInto.exe
1028	hyperInto.exe
1028	hyperInto.exe
1028	hyperInto.exe
1028	hyperInto.exe
1028	hyperInto.exe
1028	hyperInto.exe
1028	hyperInto.exe
1028	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe
2860	hyperInto.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2860	hyperInto.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	1d6590415fa189e9c982e883dc3bcdde.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2556	Saransk.exe
Token: SeIncreaseQuotaPrivilege	2684	wmic.exe
Token: SeSecurityPrivilege	2684	wmic.exe
Token: SeTakeOwnershipPrivilege	2684	wmic.exe
Token: SeLoadDriverPrivilege	2684	wmic.exe
Token: SeSystemProfilePrivilege	2684	wmic.exe
Token: SeSystemtimePrivilege	2684	wmic.exe
Token: SeProfSingleProcessPrivilege	2684	wmic.exe
Token: SeIncBasePriorityPrivilege	2684	wmic.exe
Token: SeCreatePagefilePrivilege	2684	wmic.exe
Token: SeBackupPrivilege	2684	wmic.exe
Token: SeRestorePrivilege	2684	wmic.exe
Token: SeShutdownPrivilege	2684	wmic.exe
Token: SeDebugPrivilege	2684	wmic.exe
Token: SeSystemEnvironmentPrivilege	2684	wmic.exe
Token: SeRemoteShutdownPrivilege	2684	wmic.exe
Token: SeUndockPrivilege	2684	wmic.exe
Token: SeManageVolumePrivilege	2684	wmic.exe
Token: 33	2684	wmic.exe
Token: 34	2684	wmic.exe
Token: 35	2684	wmic.exe
Token: SeIncreaseQuotaPrivilege	2684	wmic.exe
Token: SeSecurityPrivilege	2684	wmic.exe
Token: SeTakeOwnershipPrivilege	2684	wmic.exe
Token: SeLoadDriverPrivilege	2684	wmic.exe
Token: SeSystemProfilePrivilege	2684	wmic.exe
Token: SeSystemtimePrivilege	2684	wmic.exe
Token: SeProfSingleProcessPrivilege	2684	wmic.exe
Token: SeIncBasePriorityPrivilege	2684	wmic.exe
Token: SeCreatePagefilePrivilege	2684	wmic.exe
Token: SeBackupPrivilege	2684	wmic.exe
Token: SeRestorePrivilege	2684	wmic.exe
Token: SeShutdownPrivilege	2684	wmic.exe
Token: SeDebugPrivilege	2684	wmic.exe
Token: SeSystemEnvironmentPrivilege	2684	wmic.exe
Token: SeRemoteShutdownPrivilege	2684	wmic.exe
Token: SeUndockPrivilege	2684	wmic.exe
Token: SeManageVolumePrivilege	2684	wmic.exe
Token: 33	2684	wmic.exe
Token: 34	2684	wmic.exe
Token: 35	2684	wmic.exe
Token: SeDebugPrivilege	1028	hyperInto.exe
Token: SeDebugPrivilege	2860	hyperInto.exe
Token: SeBackupPrivilege	1284	vssvc.exe
Token: SeRestorePrivilege	1284	vssvc.exe
Token: SeAuditPrivilege	1284	vssvc.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2960	2752	1d6590415fa189e9c982e883dc3bcdde.exe	29
PID 2752 wrote to memory of 2960	2752	1d6590415fa189e9c982e883dc3bcdde.exe	29
PID 2752 wrote to memory of 2960	2752	1d6590415fa189e9c982e883dc3bcdde.exe	29
PID 2752 wrote to memory of 2556	2752	1d6590415fa189e9c982e883dc3bcdde.exe	31
PID 2752 wrote to memory of 2556	2752	1d6590415fa189e9c982e883dc3bcdde.exe	31
PID 2752 wrote to memory of 2556	2752	1d6590415fa189e9c982e883dc3bcdde.exe	31
PID 2752 wrote to memory of 2476	2752	1d6590415fa189e9c982e883dc3bcdde.exe	32
PID 2752 wrote to memory of 2476	2752	1d6590415fa189e9c982e883dc3bcdde.exe	32
PID 2752 wrote to memory of 2476	2752	1d6590415fa189e9c982e883dc3bcdde.exe	32
PID 2752 wrote to memory of 1884	2752	1d6590415fa189e9c982e883dc3bcdde.exe	34
PID 2752 wrote to memory of 1884	2752	1d6590415fa189e9c982e883dc3bcdde.exe	34
PID 2752 wrote to memory of 1884	2752	1d6590415fa189e9c982e883dc3bcdde.exe	34
PID 2752 wrote to memory of 1884	2752	1d6590415fa189e9c982e883dc3bcdde.exe	34
PID 2556 wrote to memory of 2684	2556	Saransk.exe	35
PID 2556 wrote to memory of 2684	2556	Saransk.exe	35
PID 2556 wrote to memory of 2684	2556	Saransk.exe	35
PID 1884 wrote to memory of 2092	1884	Injector.exe	37
PID 1884 wrote to memory of 2092	1884	Injector.exe	37
PID 1884 wrote to memory of 2092	1884	Injector.exe	37
PID 1884 wrote to memory of 2092	1884	Injector.exe	37
PID 1884 wrote to memory of 1428	1884	Injector.exe	38
PID 1884 wrote to memory of 1428	1884	Injector.exe	38
PID 1884 wrote to memory of 1428	1884	Injector.exe	38
PID 1884 wrote to memory of 1428	1884	Injector.exe	38
PID 2092 wrote to memory of 1816	2092	WScript.exe	39
PID 2092 wrote to memory of 1816	2092	WScript.exe	39
PID 2092 wrote to memory of 1816	2092	WScript.exe	39
PID 2092 wrote to memory of 1816	2092	WScript.exe	39
PID 1816 wrote to memory of 1028	1816	cmd.exe	41
PID 1816 wrote to memory of 1028	1816	cmd.exe	41
PID 1816 wrote to memory of 1028	1816	cmd.exe	41
PID 1816 wrote to memory of 1028	1816	cmd.exe	41
PID 1028 wrote to memory of 2860	1028	hyperInto.exe	59
PID 1028 wrote to memory of 2860	1028	hyperInto.exe	59
PID 1028 wrote to memory of 2860	1028	hyperInto.exe	59
PID 2860 wrote to memory of 2072	2860	hyperInto.exe	60
PID 2860 wrote to memory of 2072	2860	hyperInto.exe	60
PID 2860 wrote to memory of 2072	2860	hyperInto.exe	60
PID 2860 wrote to memory of 1252	2860	hyperInto.exe	61
PID 2860 wrote to memory of 1252	2860	hyperInto.exe	61
PID 2860 wrote to memory of 1252	2860	hyperInto.exe	61

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyperInto.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1d6590415fa189e9c982e883dc3bcdde.exe
"C:\Users\Admin\AppData\Local\Temp\1d6590415fa189e9c982e883dc3bcdde.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Saransk.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\Saransk.exe
  "C:\Users\Admin\AppData\Local\Temp\Saransk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Chainnet\8f9Z3.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Chainnet\oniRrs8nIuzVsaH8sYiTK.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Chainnet\hyperInto.exe
        
        "C:\Chainnet\hyperInto.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1028
      - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\hyperInto.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\hyperInto.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d24d54ce-77be-4d55-bb64-2c664d70a6cd.vbs"
        7⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4715dc53-f29a-4b91-9a4c-278126c78652.vbs"
        7⤵
        
        PID:1252
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Chainnet\file.vbs"
    3⤵
    PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperIntoh" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\hyperInto.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperInto" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\hyperInto.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperIntoh" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\hyperInto.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Application Data\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Application Data\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Chainnet\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Chainnet\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Chainnet\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Chainnet\8f9Z3.vbe

Filesize
206B

MD5
b3080903ab3740f3f1346f2f61834c2b

SHA1
a5b37c9ea7a58c9194de44382d75dc4863d3d5b7

SHA256
505642ffc3c57426bb6575eb3ac48ea1f3e303fa5b34ea6ccd3fe2f7021619a1

SHA512
a33ace44bf4936bb2747586d590d762da473840179d9553d0b213f12f11a2d10713fb6bb5637058a40bf0b12f710dfe07930476d8ea5765f0dba816389f9e419

Download Submit
C:\Chainnet\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Chainnet\hyperInto.exe

Filesize
2.6MB

MD5
410896fce88af2c25966014a8006e687

SHA1
05ab7e4b5da062f148974362b0a6d071dc8ea967

SHA256
85b177a2015f3146b30199178d98f62e44b81da8b305924d685224634c0bcfe0

SHA512
ca9ecd91b191d311f178036c6cec197811d6fe1c7d014c0eb745a3a634a2f2c1c96922f46ab65b5fd91f6f22fdcca313fb6d910b1b523c0ef4a5fc4805dd2f9e

Download Submit
C:\Chainnet\hyperInto.exe

Filesize
1.9MB

MD5
fcdd50184c2c8d900982e8da5861ed5e

SHA1
b7b68d5f5b0a6a789e116c1d6c8764bb3b3398c2

SHA256
790dade2531a876d23332ddeb43c76cca15b2f692a119577baad606734d41e00

SHA512
8ae52872961b53df1e22014e31212a133c0d7e1c1675b9c8a0880b69ae081e9ad6326dae7c68651b2ae76ebc9765e640301bdc92c583b540a22e6fd72bc2a7c3

Download Submit
C:\Chainnet\oniRrs8nIuzVsaH8sYiTK.bat

Filesize
27B

MD5
94db4d897ca54289c945a06574084128

SHA1
d4168950c994dacea1402a9570a4735350b86c10

SHA256
a759a78b129faaa486102e6486d595070e7c923bf4159ae7b8eb78fec3c2a461

SHA512
2548059003c4bff60dbe0e9aa5c097bac130ecb7bae7896b83f577bb2aa0e3c1b356545ebc92e3487ef937026c96ef48d2df750b31f0acea9166bfb9342cd28a

Download Submit
C:\Program Files\Windows Sidebar\it-IT\lsass.exe

Filesize
3.4MB

MD5
d63861446161da73423a6378ab06af5e

SHA1
8d3116fa2ac5d4e7fb9684498f69edf3e976f977

SHA256
c46e261e262516989fb8205f6e939b13fc19326f936229f024b41b9d4956f8bd

SHA512
7bf3f16a5c455dbf902284ba581097b7ecdefcfb9df55053c868f4ae84e9097b4fb6214c9896cc344ea65979516b20df8e35d19c97de79d52ee27fb86e61eb88

Download Submit
C:\Users\Admin\AppData\Local\Temp\4715dc53-f29a-4b91-9a4c-278126c78652.vbs

Filesize
537B

MD5
cea84c7414bbbbfafefe994987832fec

SHA1
af0b68ffe1c19b7e7424244237d5fa03527dbb0f

SHA256
d932c7be7913d1a456beb2382fb0dbaf1a9526b2afb6057e2bd0860d9d15a0a4

SHA512
f870f666e6c32afd33561b1cd9d254dd2e720053585a0401b5e3d9709f933e15870ebbc38e9d7726cca2d048e68f787c9a1c21a5cc5130de3de23f78beefe378

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
3.7MB

MD5
323e22b442e4d4f9930c5b65f6d1028c

SHA1
7dadf78756dd00c68d5094a59dc7bcccf3c8346d

SHA256
eaedca12a90cf9afa1d7e42358571269e726ccd5a5c96b6d98c7b242f08e9e00

SHA512
2da37cfe8005ed1e299ad6c3e676abeafd6160b47bb9888d1cbdcb7a82e7955feedb4286ee6dfbe64a1b62814ff1af11a718074854d2699a4a2975d4fbfd5b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Saransk.exe

Filesize
227KB

MD5
05c183f8c0d871d6081f1ea4096805e4

SHA1
4a05aba815c8471fca4fcc9a789683385b0c24ca

SHA256
eff59569967501a5e21ff3f8be9cc487e30d23e1538aeb121f9ab0955c308849

SHA512
ef35359087662c4213f667c49182ab794fbb28dfe2a5b9e1fad5729e516b1ef08c2d7230a84e4808b693832d7b4ad43530377886cd2c993407a7fe38333ad347

Download Submit
C:\Users\Admin\AppData\Local\Temp\d24d54ce-77be-4d55-bb64-2c664d70a6cd.vbs

Filesize
761B

MD5
3878250957a3b7b406d0c0e854fa1059

SHA1
6d93cc50bbab9768b6b88252dc4d0e76868c6b0c

SHA256
3d00d18d9824bfb35cb765634935d993377598797b5664619f5bc8009c754b5d

SHA512
217c08dd7ef6fa00782414df4c40ef626b566f503179fe954cb6e58db35bf990661f19ba191edd617033d4fbd2f7e36b8d9c3070b799fbc49e2a4991bb255723

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WB9C3TKMRLPL0X8LRCBG.temp

Filesize
7KB

MD5
4ca25847d6e345992b0c587c382b2bae

SHA1
64acd72ec6295498c2bf9a0dd637193fcaa4b959

SHA256
ef15f8c1e77e41f36a2a861242dacffd67f5edf48d95b87d7741352c915247eb

SHA512
c5488ae99a01faad108b9eede12b0ca3a48fc07e24d9e66d2aaf80e75403d709eb38b94a1b5f7b0381261e647a11ccf0cd6698bfb877b00e927a258e186845fb

Download Submit
\Chainnet\hyperInto.exe

Filesize
2.2MB

MD5
941f015cfc302632f66a94b67a9957a5

SHA1
0c55de5efb5c782eed981af04f3bd19b761f8ed6

SHA256
c52f629641faa4eb92a63880ac82488bf7ef66245016193f37f2e4f0e2b95284

SHA512
7e1a0da8497b3daf9a809cdcf35fa5b3557aa8c785e4bfa908bb12a6ae7ca0f5966a6ff7c46bceeec73bd4e751fc6cd2d7b1bbcc18f4091470c49e2bd82b2665

Download Submit
\Chainnet\hyperInto.exe

Filesize
2.3MB

MD5
c83781ecf532ccf22c4d8a835bbb0cc2

SHA1
626056c03fcc44b9d29043b8b3d4492d578686f2

SHA256
55edcd3ce6f37f7850a2e8c491d8961f8030552421e943a2399ce7bef7e51a83

SHA512
67efb25b46530a66647a03161147b8824ded02b4cd3a54bea34b7920b489ed3259240343fb8e75cac354159e9dcaeb0fcfc02585418174d6cf10897c4e95403e

Download Submit
memory/1028-87-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/1028-89-0x0000000000EB0000-0x0000000000EBC000-memory.dmp

Filesize
48KB

Download
memory/1028-103-0x000000001B130000-0x000000001B13A000-memory.dmp

Filesize
40KB

Download
memory/1028-102-0x000000001B120000-0x000000001B128000-memory.dmp

Filesize
32KB

Download
memory/1028-101-0x000000001B110000-0x000000001B11C000-memory.dmp

Filesize
48KB

Download
memory/1028-100-0x000000001B100000-0x000000001B108000-memory.dmp

Filesize
32KB

Download
memory/1028-99-0x000000001B0F0000-0x000000001B0FE000-memory.dmp

Filesize
56KB

Download
memory/1028-96-0x0000000001200000-0x000000000120A000-memory.dmp

Filesize
40KB

Download
memory/1028-98-0x0000000001220000-0x0000000001228000-memory.dmp

Filesize
32KB

Download
memory/1028-97-0x0000000001210000-0x000000000121E000-memory.dmp

Filesize
56KB

Download
memory/1028-95-0x00000000011F0000-0x00000000011FC000-memory.dmp

Filesize
48KB

Download
memory/1028-94-0x00000000011E0000-0x00000000011E8000-memory.dmp

Filesize
32KB

Download
memory/1028-93-0x00000000011D0000-0x00000000011DC000-memory.dmp

Filesize
48KB

Download
memory/1028-91-0x00000000010B0000-0x00000000010B8000-memory.dmp

Filesize
32KB

Download
memory/1028-92-0x00000000010C0000-0x00000000010CC000-memory.dmp

Filesize
48KB

Download
memory/1028-90-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

Filesize
48KB

Download
memory/1028-88-0x0000000000E80000-0x0000000000E92000-memory.dmp

Filesize
72KB

Download
memory/1028-86-0x0000000000E00000-0x0000000000E0C000-memory.dmp

Filesize
48KB

Download
memory/1028-85-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/1028-84-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/1028-83-0x0000000000E20000-0x0000000000E76000-memory.dmp

Filesize
344KB

Download
memory/1028-82-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download
memory/1028-81-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/1028-80-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/1028-67-0x000007FEF4D60000-0x000007FEF574C000-memory.dmp

Filesize
9.9MB

Download
memory/1028-68-0x0000000001330000-0x000000000169A000-memory.dmp

Filesize
3.4MB

Download
memory/1028-69-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/1028-70-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/1028-71-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/1028-73-0x0000000000670000-0x000000000068C000-memory.dmp

Filesize
112KB

Download
memory/1028-72-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/1028-74-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/1028-75-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/1028-76-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/1028-78-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/1028-77-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/1028-79-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/2476-38-0x000007FEEDB80000-0x000007FEEE51D000-memory.dmp

Filesize
9.6MB

Download
memory/2476-29-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/2476-31-0x000007FEEDB80000-0x000007FEEE51D000-memory.dmp

Filesize
9.6MB

Download
memory/2476-32-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/2476-33-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/2476-30-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/2476-34-0x000007FEEDB80000-0x000007FEEE51D000-memory.dmp

Filesize
9.6MB

Download
memory/2476-36-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/2476-37-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/2556-22-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

Filesize
256KB

Download
memory/2556-61-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-23-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2752-41-0x000000001A950000-0x000000001A9D0000-memory.dmp

Filesize
512KB

Download
memory/2752-0-0x0000000000E70000-0x00000000011BA000-memory.dmp

Filesize
3.3MB

Download
memory/2752-1-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2752-47-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2752-35-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Filesize
9.9MB

Download
memory/2752-2-0x000000001A950000-0x000000001A9D0000-memory.dmp

Filesize
512KB

Download
memory/2960-13-0x00000000022B0000-0x0000000002330000-memory.dmp

Filesize
512KB

Download
memory/2960-8-0x000007FEEE520000-0x000007FEEEEBD000-memory.dmp

Filesize
9.6MB

Download
memory/2960-12-0x000007FEEE520000-0x000007FEEEEBD000-memory.dmp

Filesize
9.6MB

Download
memory/2960-9-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2960-11-0x00000000022B0000-0x0000000002330000-memory.dmp

Filesize
512KB

Download
memory/2960-10-0x00000000022B0000-0x0000000002330000-memory.dmp

Filesize
512KB

Download
memory/2960-7-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2960-14-0x00000000022B0000-0x0000000002330000-memory.dmp

Filesize
512KB

Download
memory/2960-15-0x000007FEEE520000-0x000007FEEEEBD000-memory.dmp

Filesize
9.6MB

Download