Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24/03/2024, 18:39
Behavioral task behavioral1
- Sample: 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe
- Resource: win10v2004-20240226-en
General
- Target: 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe
- Size: 2.0MB
- MD5: 03072d38c3624e9d7d83016a9069b2bd
- SHA1: b6bc417dbb785265bbfdec6f5c8cb4b6928c1c2b
- SHA256: 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848
- SHA512: f5300200abd8bec5d317f42617f90edd4243a9f4bd6aee05d61d72d331a4f71a13f7b118b49b9df8152bdf5b3cb6ea5711a0406b2ae5979d6579a8a2b75b2710
- SSDEEP: 49152:lqHEuTrhUqQcvwHnX9B0gQ1TgqAsoqbBmXob3:wHrUqQcvQnX9B0gQ1TgqAsRVmXob3
Malware Config
Signatures
-
DcRat 27 IoCs
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
pid Process (all 27 entries are schtasks.exe): 2796, 1124, 312, 2036, 392, 2968, 2412, 2064, 304, 2744, 2484, 1008, 608, 2604, 324, 3064, 2708, 2492, 2860, 2612, 2676, 368, 380, 1200, 340, 1776, 2964
Modifies WinLogon for persistence 2 TTPs 9 IoCs
description ioc Process
All nine entries are "Set value (str)" writes to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell by 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe. The Shell values, in report order:
- "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\""
- "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\""
- "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\""
- "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\dllhost.exe\""
- "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\lsass.exe\""
- "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\""
- "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\""
- "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\""
- "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\""
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target
All 27 entries share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2768, Process schtasks.exe and procid_target 28. The child pids, in report order: 2744, 2604, 2492, 2484, 2964, 2968, 2412, 324, 380, 1008, 340, 1124, 2860, 3064, 2064, 1200, 312, 2612, 2708, 2036, 2676, 608, 2796, 304, 368, 392, 1776
resource yara_rule
- behavioral1/memory/2200-0-0x0000000000380000-0x000000000058A000-memory.dmp dcrat
- behavioral1/files/0x000500000001948c-32.dat dcrat
- behavioral1/files/0x000500000001948c-194.dat dcrat
- behavioral1/memory/1972-197-0x00000000000A0000-0x00000000002AA000-memory.dmp dcrat
Detects executables packed with SmartAssembly 5 IoCs
resource yara_rule
- behavioral1/memory/2200-7-0x0000000000370000-0x0000000000380000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly
- behavioral1/memory/2200-13-0x0000000002120000-0x000000000212C000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly
- behavioral1/memory/2200-15-0x00000000020E0000-0x00000000020EC000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly
- behavioral1/memory/2200-20-0x0000000002140000-0x000000000214C000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly
- behavioral1/memory/2200-21-0x0000000002150000-0x000000000215A000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly
Executes dropped EXE 1 IoCs
pid Process: 1972 csrss.exe
Adds Run key to start application 2 TTPs 18 IoCs
description ioc Process
All 18 entries are "Set value (str)" writes by 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe, in report order:
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\""
- \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Documents\\wininit.exe\""
- \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\""
- \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Temp\\Crashpad\\services.exe\""
- \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\""
- \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\dllhost.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Google\\CrashReports\\lsass.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Temp\\Crashpad\\services.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\dllhost.exe\""
- \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Google\\CrashReports\\lsass.exe\""
- \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Documents\\wininit.exe\""
- \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\""
- \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\""
Drops file in Program Files directory 16 IoCs
description ioc Process
All 16 entries are by 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe, in report order:
- File opened for modification C:\Program Files (x86)\Google\CrashReports\RCX85CC.tmp
- File opened for modification C:\Program Files (x86)\Google\CrashReports\lsass.exe
- File created C:\Program Files\Windows Mail\it-IT\csrss.exe
- File created C:\Program Files (x86)\Google\CrashReports\lsass.exe
- File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\RCX7EB7.tmp
- File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe
- File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe
- File created C:\Program Files\Windows Mail\it-IT\886983d96e3d3e
- File created C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe
- File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\5940a34987c991
- File opened for modification C:\Program Files\Windows Mail\it-IT\csrss.exe
- File created C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\6203df4a6bafc7
- File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe
- File opened for modification C:\Program Files\Windows Mail\it-IT\RCX7C94.tmp
- File created C:\Program Files (x86)\Google\CrashReports\6203df4a6bafc7
- File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\RCX834B.tmp
Drops file in Windows directory 5 IoCs
description ioc Process
All 5 entries are by 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe, in report order:
- File created C:\Windows\Performance\WinSAT\DataStore\lsass.exe
- File created C:\Windows\Performance\WinSAT\DataStore\6203df4a6bafc7
- File created C:\Windows\CSC\v2.0.6\winlogon.exe
- File opened for modification C:\Windows\Performance\WinSAT\DataStore\RCX785E.tmp
- File opened for modification C:\Windows\Performance\WinSAT\DataStore\lsass.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process (all 27 entries are schtasks.exe): 304, 2492, 2064, 1200, 312, 2860, 2612, 608, 340, 1124, 368, 2968, 324, 1008, 3064, 2484, 2604, 2964, 2036, 2676, 2796, 2744, 392, 2412, 2708, 1776, 380
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (64 entries, in report order; repeated consecutive entries are collapsed with a count)
- 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe (x35)
- 948 powershell.exe
- 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe
- 1444 powershell.exe
- 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe
- 2408 powershell.exe
- 1700 powershell.exe
- 1552 powershell.exe
- 3020 powershell.exe
- 768 powershell.exe
- 2844 powershell.exe
- 1028 powershell.exe
- 1292 powershell.exe
- 1972 csrss.exe (x17)
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process (all 12 entries are Token: SeDebugPrivilege)
- 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe
- 948 powershell.exe
- 1444 powershell.exe
- 2408 powershell.exe
- 1700 powershell.exe
- 1552 powershell.exe
- 3020 powershell.exe
- 768 powershell.exe
- 2844 powershell.exe
- 1028 powershell.exe
- 1292 powershell.exe
- 1972 csrss.exe
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target (each of the 13 distinct entries below is recorded three times in the report, giving 39 IoCs)
- PID 2200 wrote to memory of 1552: 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe, procid_target 56
- PID 2200 wrote to memory of 1700: 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe, procid_target 57
- PID 2200 wrote to memory of 2844: 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe, procid_target 58
- PID 2200 wrote to memory of 1028: 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe, procid_target 59
- PID 2200 wrote to memory of 1444: 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe, procid_target 60
- PID 2200 wrote to memory of 1292: 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe, procid_target 61
- PID 2200 wrote to memory of 3020: 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe, procid_target 62
- PID 2200 wrote to memory of 768: 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe, procid_target 63
- PID 2200 wrote to memory of 948: 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe, procid_target 64
- PID 2200 wrote to memory of 2408: 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe, procid_target 65
- PID 2200 wrote to memory of 968: 2200 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe, procid_target 76
- PID 968 wrote to memory of 1888: 968 cmd.exe, procid_target 78
- PID 968 wrote to memory of 1972: 968 cmd.exe, procid_target 79
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe (PID 2200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe"
  Signatures: Modifies WinLogon for persistence; Adds Run key to start application; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1552)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe'
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1700)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\System.exe'
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2844)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\services.exe'
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1028)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1444)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\wininit.exe'
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1292)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\it-IT\csrss.exe'
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3020)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe'
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 768)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 948)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe'
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2408)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\lsass.exe'
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 968)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j1kG62r9vx.bat"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\w32tm.exe (PID 1888)
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    - C:\Program Files\Windows Mail\it-IT\csrss.exe (PID 1972)
      Command line: "C:\Program Files\Windows Mail\it-IT\csrss.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe (PID 2744)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2604)
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2492)
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2484)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\services.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2964)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\services.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2968)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\services.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2412)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 324)
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 380)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 1008)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\wininit.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 340)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Documents\wininit.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 1124)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\wininit.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2860)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 3064)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2064)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 1200)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe'" /f
  Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize: 1.4MB
MD5: d7c82ee2fcf09658dc75abb4c3b307ef
SHA1: caf69ffac1e03bb0e0716e03310266af526c5aea
SHA256: 53e6c84280f40dff864dcd565916bf5377135c2d53a66cf3c52f5687b86ef0c4
SHA512: 66f8bbecc9f6ba5204e3f135184ada51258a0629e23486e681c2b6a01d22f72d0b96de9cfa7165884c4d22bec17b1fa6efb2c33ccd218c73f56ba4377491e441
-
Filesize: 2.0MB
MD5: 03072d38c3624e9d7d83016a9069b2bd
SHA1: b6bc417dbb785265bbfdec6f5c8cb4b6928c1c2b
SHA256: 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848
SHA512: f5300200abd8bec5d317f42617f90edd4243a9f4bd6aee05d61d72d331a4f71a13f7b118b49b9df8152bdf5b3cb6ea5711a0406b2ae5979d6579a8a2b75b2710
-
Filesize: 67KB
MD5: 753df6889fd7410a2e9fe333da83a429
SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
Filesize: 175KB
MD5: dd73cead4b93366cf3465c8cd32e2796
SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
Filesize: 210B
MD5: cee18913801ef5a64e8266e64ba6c898
SHA1: c65450c201ba59a4c2fec8e5e44ae1f51eba19cc
SHA256: 8cde01e053a0fb1ce76f08c39c564b23187e2b4a9cbeaa894e1fa082e5480ebc
SHA512: 890d27b8ade33aee52ef5134b71aa7dcc65fdf3cc2aedd89b1f486e0c7984755fc1b294d808e7dc575715dceff2bf176c586e2c6158ac6e89b4cfc5d84a3228c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 2671fb1e9f68ecde59ee95c2a1067724
SHA1: d236555ce158c864745dab9cf02bddc9ac09ba61
SHA256: b4293fe18fd0c78188e10af094b41d36030ad1e4e09594514c37cef4a46c4b83
SHA512: 94cfb328010f1a1b15122ab4fc701382d0fe80d61c81015f954b406e33d91672b5ea11f308fd5f78b7e744b61fadb5251943e819fe578db1cf614d81a3640d52