Overview

overview

10

Static

static

3

7803d28b1c...49.exe

windows7-x64

10

7803d28b1c...49.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-03-2024 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649.exe

  • Size

    3.3MB

  • MD5

    1d6590415fa189e9c982e883dc3bcdde

  • SHA1

    8261a5718af6eb9ebee4e822e5bd0138f7915dc3

  • SHA256

    7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649

  • SHA512

    304611cfa8c130dde5e4de5282d3d92a555b85d50889ea097dec9908d619c7d36ec28886c64aa0364d631c289d9bbf509c0ea0aeb7887c92fd91ee3d7834d07e

  • SSDEEP

    98304:oZ1HRsp8NbXaaIptoNMrF4NOgmwCof84h:oZVIaIpeOrmNOTwCol

Score
10/10
dcratumbralevasioninfostealerratstealertrojan

Malware Config

Signatures

  • DcRat 55 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect Umbral payload 2 IoCs
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Detects executables attemping to enumerate video devices using WMI 2 IoCs
  • Detects executables containing possible sandbox analysis VM names 2 IoCs
  • Detects executables containing possible sandbox analysis VM usernames 2 IoCs
  • Detects executables containing possible sandbox system UUIDs 2 IoCs
  • Detects executables packed with SmartAssembly 9 IoCs
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649.exe
    "C:\Users\Admin\AppData\Local\Temp\7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Saransk.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5096
    • C:\Users\Admin\AppData\Local\Temp\Saransk.exe
      "C:\Users\Admin\AppData\Local\Temp\Saransk.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4440
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2308
    • C:\Users\Admin\AppData\Local\Temp\Injector.exe
      "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Chainnet\8f9Z3.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3336
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Chainnet\oniRrs8nIuzVsaH8sYiTK.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1052
          • C:\Chainnet\hyperInto.exe
            "C:\Chainnet\hyperInto.exe"
            5⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:3832
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AYr16Ny9Ob.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4796
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2236
                • C:\Chainnet\hyperInto.exe
                  "C:\Chainnet\hyperInto.exe"
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Drops file in Program Files directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1572
                  • C:\Users\Admin\Downloads\RuntimeBroker.exe
                    "C:\Users\Admin\Downloads\RuntimeBroker.exe"
                    8⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:3880
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a60c3c52-a9e3-4096-8e10-cc56f8031787.vbs"
                      9⤵
                        PID:3088
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dadaa136-e3ac-40dd-8af1-245f96ae5553.vbs"
                        9⤵
                          PID:2256
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Chainnet\file.vbs"
              3⤵
                PID:4552
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\winlogon.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4496
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Pictures\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5116
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3780
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\odt\TextInputHost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2308
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2688
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3948
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2160
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3096
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\sihost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1640
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2740
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3616
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3592
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1244
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3208
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:624
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\backgroundTaskHost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4776
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5092
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4896
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2876
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4260
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:448
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Chainnet\RuntimeBroker.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3280
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Chainnet\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1236
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Chainnet\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3920
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4992
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4472
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3976
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Music\SppExtComObj.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1148
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3472
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3088
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\odt\RuntimeBroker.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1476
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3096
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1640
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperIntoh" /sc MINUTE /mo 6 /tr "'C:\odt\hyperInto.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2740
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperInto" /sc ONLOGON /tr "'C:\odt\hyperInto.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3616
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperIntoh" /sc MINUTE /mo 6 /tr "'C:\odt\hyperInto.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3592
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\TextInputHost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3748
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3208
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:624
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Chainnet\upfc.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:380
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Chainnet\upfc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4736
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Chainnet\upfc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2496
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\odt\wininit.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1344
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:404
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2348
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2284
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2448
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3832
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\csrss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1052
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4748
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2888
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4848
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3896
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2792
          • C:\Windows\system32\wbem\WmiApSrv.exe
            C:\Windows\system32\wbem\WmiApSrv.exe
            1⤵
              PID:400

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Chainnet\8f9Z3.vbe
              Filesize

              206B

              MD5

              b3080903ab3740f3f1346f2f61834c2b

              SHA1

              a5b37c9ea7a58c9194de44382d75dc4863d3d5b7

              SHA256

              505642ffc3c57426bb6575eb3ac48ea1f3e303fa5b34ea6ccd3fe2f7021619a1

              SHA512

              a33ace44bf4936bb2747586d590d762da473840179d9553d0b213f12f11a2d10713fb6bb5637058a40bf0b12f710dfe07930476d8ea5765f0dba816389f9e419

              Download Submit

            • C:\Chainnet\file.vbs
              Filesize

              34B

              MD5

              677cc4360477c72cb0ce00406a949c61

              SHA1

              b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

              SHA256

              f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

              SHA512

              7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

              Download Submit

            • C:\Chainnet\hyperInto.exe
              Filesize

              3.4MB

              MD5

              d63861446161da73423a6378ab06af5e

              SHA1

              8d3116fa2ac5d4e7fb9684498f69edf3e976f977

              SHA256

              c46e261e262516989fb8205f6e939b13fc19326f936229f024b41b9d4956f8bd

              SHA512

              7bf3f16a5c455dbf902284ba581097b7ecdefcfb9df55053c868f4ae84e9097b4fb6214c9896cc344ea65979516b20df8e35d19c97de79d52ee27fb86e61eb88

              Download Submit

            • C:\Chainnet\oniRrs8nIuzVsaH8sYiTK.bat
              Filesize

              27B

              MD5

              94db4d897ca54289c945a06574084128

              SHA1

              d4168950c994dacea1402a9570a4735350b86c10

              SHA256

              a759a78b129faaa486102e6486d595070e7c923bf4159ae7b8eb78fec3c2a461

              SHA512

              2548059003c4bff60dbe0e9aa5c097bac130ecb7bae7896b83f577bb2aa0e3c1b356545ebc92e3487ef937026c96ef48d2df750b31f0acea9166bfb9342cd28a

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hyperInto.exe.log
              Filesize

              1KB

              MD5

              655010c15ea0ca05a6e5ddcd84986b98

              SHA1

              120bf7e516aeed462c07625fbfcdab5124ad05d3

              SHA256

              2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14

              SHA512

              e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              6d3e9c29fe44e90aae6ed30ccf799ca8

              SHA1

              c7974ef72264bbdf13a2793ccf1aed11bc565dce

              SHA256

              2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

              SHA512

              60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\AYr16Ny9Ob.bat
              Filesize

              190B

              MD5

              cd0d7f05dce03222d0b878eae6917cb3

              SHA1

              2f6b0857a046943117487e246c5f08adf6f99c0b

              SHA256

              4299afc41bf907d4a88a3d9290e7cf55f36d0caae186d04506c8542702c3c008

              SHA512

              14e1672283b6e3e9486ee7937a9ff8059d36b2d261161bdc1b834bf0aa2ac9495b95a6cb8f55ab8745d17c2976fddc77bed418d305ae6e1bac876a0e2b131480

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Injector.exe
              Filesize

              3.7MB

              MD5

              323e22b442e4d4f9930c5b65f6d1028c

              SHA1

              7dadf78756dd00c68d5094a59dc7bcccf3c8346d

              SHA256

              eaedca12a90cf9afa1d7e42358571269e726ccd5a5c96b6d98c7b242f08e9e00

              SHA512

              2da37cfe8005ed1e299ad6c3e676abeafd6160b47bb9888d1cbdcb7a82e7955feedb4286ee6dfbe64a1b62814ff1af11a718074854d2699a4a2975d4fbfd5b2e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Saransk.exe
              Filesize

              227KB

              MD5

              05c183f8c0d871d6081f1ea4096805e4

              SHA1

              4a05aba815c8471fca4fcc9a789683385b0c24ca

              SHA256

              eff59569967501a5e21ff3f8be9cc487e30d23e1538aeb121f9ab0955c308849

              SHA512

              ef35359087662c4213f667c49182ab794fbb28dfe2a5b9e1fad5729e516b1ef08c2d7230a84e4808b693832d7b4ad43530377886cd2c993407a7fe38333ad347

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nq0krujf.xbg.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\a60c3c52-a9e3-4096-8e10-cc56f8031787.vbs
              Filesize

              718B

              MD5

              61a8d07d99b77c48d8cd8b99602a0af1

              SHA1

              ea1ed1aacd782b48c222763f27e6646d3b2bf409

              SHA256

              a3e40c8390e51de142247014ad5f89fa9905e924701860962a49f797c590daaa

              SHA512

              7cf3e77b11f707b25c4352a873a397044de9c1b5eb41c534aeaacf0134f1d1899e353e1f1c2ba664bdc2a3272ec43055574a67da8212fff2c31958d86a88f5ec

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\dadaa136-e3ac-40dd-8af1-245f96ae5553.vbs
              Filesize

              494B

              MD5

              4ce47c216284feac84e8f6f261b3404f

              SHA1

              6ce4c0af73be905495cfc2001fefd505ec381fe9

              SHA256

              40f280230f02d952592ef13ddf5229ccaf7726011aabf5fa4bfa38d91ccd6e27

              SHA512

              3b3eb69aa91683dcadf8b8136fec9a1728113e85f267e8414cb3f323cb2407786aa04264a8b9a159c0baae793e66e6809426069b4e061470eee036e6ac300124

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\fe24c48b64af403c2d4342544ef0e95c98b7e29d4.5.32123e7caeb3aac6d55392b88d7afc9cd9697fe4bcd33
              Filesize

              684B

              MD5

              4e62391ad99c79c21b29ab981dbe83f5

              SHA1

              ec06f4494cac13c687479d9d390036c78561763a

              SHA256

              b5dae79f61871a6397ceee4f9b03b19ff34a2c817862d6a868cbab679ed77e23

              SHA512

              cb6e08766451af03f2a68f22480f95c4d98b94421c3de05f0931b2091cd9a398bd857e51174375efe8a1614f253edbd8ddd340a81fda307081c14edcd37c8d4b

              Download Submit

            • C:\Users\Admin\Downloads\RuntimeBroker.exe
              Filesize

              3.0MB

              MD5

              d594fedc07f69431de03478f0179f117

              SHA1

              5e8f1994025177f7aae72d2de103402308431fd1

              SHA256

              be8c4aed9bcc0bf76ca8db6da7839575b1faee825a6f4ee8f5cd9df6caede6be

              SHA512

              cfcad44ee019f1f485a99d493979f364ba3a2083dd4ba58dbbf511a92c66a5c46a954288c7e46cebd10b63b159b29ff40b8ff459471b05d0f1393f92e08fc6a4

              Download Submit

            • C:\Users\Admin\Downloads\RuntimeBroker.exe
              Filesize

              2.6MB

              MD5

              723e0bf9fb6f85b3078b4b233a6b2587

              SHA1

              332ba0403ccfcc78f4a1429737786704830d3ba8

              SHA256

              0d32411b8cab9a64ab82b4c12c6833de8f74c2eb58ffea6ccfc06c6e4f17596e

              SHA512

              527e3165f69d99d13ee6077917d105c0ca1a51c6ed1a00e4e09c1ef57921b4cbf1459fe8033b3a48b47befbb2033aabcd8f17ac4f049bf408b738aeea33de556

              Download Submit

            • C:\odt\TextInputHost.exe
              Filesize

              2.8MB

              MD5

              963f99c8cfebf3ddd998fa45121af4f6

              SHA1

              03659885d3586205d99ce139e270e18be1106805

              SHA256

              4707abcdba885fcbc59601187a06818e9d4163350af34d4d09497c14416f850f

              SHA512

              34c2f38a03b443eab28e7830752c29c4378b11f76deeb2123753d5692172eb7f28b8fd8e73156dd36cd6b56861f482960cb5fb18218dc01964a3d8d397c81c20

              Download Submit

            • memory/1572-143-0x000000001B860000-0x000000001B872000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1572-181-0x00007FFA2B730000-0x00007FFA2C1F1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1572-142-0x00007FFA2B730000-0x00007FFA2C1F1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2176-0-0x0000000000410000-0x000000000075A000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2176-60-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2176-1-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2176-2-0x000000001B350000-0x000000001B360000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2308-37-0x0000023E7A4A0000-0x0000023E7A4B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2308-49-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2308-35-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2308-36-0x0000023E7A4A0000-0x0000023E7A4B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3172-33-0x000001C659E10000-0x000001C659E20000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3172-75-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3172-31-0x000001C63F780000-0x000001C63F7C0000-memory.dmp

              Filesize

              256KB

              Download

            • memory/3172-32-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3832-94-0x0000000002DE0000-0x0000000002DE8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3832-112-0x000000001C290000-0x000000001C29E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3832-86-0x0000000002C40000-0x0000000002C5C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/3832-85-0x0000000002C30000-0x0000000002C38000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3832-92-0x0000000002DD0000-0x0000000002DE2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3832-91-0x0000000002C80000-0x0000000002C88000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3832-90-0x0000000002DA0000-0x0000000002DB6000-memory.dmp

              Filesize

              88KB

              Download

            • memory/3832-93-0x0000000002DC0000-0x0000000002DCC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3832-88-0x0000000002C60000-0x0000000002C68000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3832-96-0x0000000002E00000-0x0000000002E0A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3832-95-0x0000000002DF0000-0x0000000002E00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3832-97-0x000000001B840000-0x000000001B896000-memory.dmp

              Filesize

              344KB

              Download

            • memory/3832-98-0x000000001B890000-0x000000001B89C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3832-100-0x000000001B8C0000-0x000000001B8CC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3832-101-0x000000001BFE0000-0x000000001BFE8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3832-102-0x000000001BFF0000-0x000000001C002000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3832-99-0x000000001B8A0000-0x000000001B8A8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3832-103-0x000000001C550000-0x000000001CA78000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/3832-104-0x000000001C020000-0x000000001C02C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3832-107-0x000000001C050000-0x000000001C05C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3832-106-0x000000001C040000-0x000000001C048000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3832-105-0x000000001C030000-0x000000001C03C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3832-108-0x000000001C060000-0x000000001C06C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3832-109-0x000000001C2E0000-0x000000001C2E8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3832-110-0x000000001C270000-0x000000001C27C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3832-87-0x000000001B7F0000-0x000000001B840000-memory.dmp

              Filesize

              320KB

              Download

            • memory/3832-111-0x000000001C280000-0x000000001C28A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3832-113-0x000000001C2A0000-0x000000001C2A8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3832-114-0x000000001C2B0000-0x000000001C2BE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3832-118-0x000000001C400000-0x000000001C40A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3832-117-0x000000001C2F0000-0x000000001C2F8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3832-116-0x000000001C2D0000-0x000000001C2DC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3832-115-0x000000001C2C0000-0x000000001C2C8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3832-119-0x000000001C300000-0x000000001C30C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3832-89-0x0000000002C70000-0x0000000002C80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3832-139-0x00007FFA2B9F0000-0x00007FFA2C4B1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3832-84-0x00000000012E0000-0x00000000012EE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3832-83-0x00000000012D0000-0x00000000012DE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3832-82-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3832-80-0x00000000006A0000-0x0000000000A0A000-memory.dmp

              Filesize

              3.4MB

              Download

            • memory/3832-81-0x00007FFA2B9F0000-0x00007FFA2C4B1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3880-180-0x00007FFA2B730000-0x00007FFA2C1F1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3880-182-0x000000001CBD0000-0x000000001CBE2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3880-192-0x00000000208F0000-0x0000000020AB2000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/5096-18-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/5096-15-0x000001CCEC860000-0x000001CCEC882000-memory.dmp

              Filesize

              136KB

              Download

            • memory/5096-9-0x000001CCEBDC0000-0x000001CCEBDD0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5096-10-0x000001CCEBDC0000-0x000001CCEBDD0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5096-3-0x00007FFA2BAA0000-0x00007FFA2C561000-memory.dmp

              Filesize

              10.8MB

              Download