dcrat | 4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b8b335babae9d4a73824efe54aa2148.exe
Size

1.2MB
MD5

3b8b335babae9d4a73824efe54aa2148
SHA1

ebb36ea7e8702f50272952071c18f362b0888003
SHA256

4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354
SHA512

d110697dcfa249f71fe0b5097d83351285c3f4440d82aa39080d016e0202572b229612a2778aac34b26791aadfe0ce7c89b663ee2d2a83ef43bb7cf0c9fac83e
SSDEEP

24576:NR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:TJaDKf4p4UD1v

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	3700	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	3700	schtasks.exe	87

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3b8b335babae9d4a73824efe54aa2148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3b8b335babae9d4a73824efe54aa2148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3b8b335babae9d4a73824efe54aa2148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1496-0-0x0000000000340000-0x000000000047A000-memory.dmp	dcrat
behavioral2/files/0x0007000000023403-30.dat	dcrat
behavioral2/files/0x0009000000023411-89.dat	dcrat
behavioral2/memory/4824-147-0x0000000000510000-0x000000000064A000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	3b8b335babae9d4a73824efe54aa2148.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 1 IoCs

pid	Process
4824	smss.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3b8b335babae9d4a73824efe54aa2148.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3b8b335babae9d4a73824efe54aa2148.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX6022.tmp	3b8b335babae9d4a73824efe54aa2148.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\smss.exe	3b8b335babae9d4a73824efe54aa2148.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\unsecapp.exe	3b8b335babae9d4a73824efe54aa2148.exe
File created	C:\Program Files (x86)\Windows Portable Devices\69ddcba757bf72	3b8b335babae9d4a73824efe54aa2148.exe
File created	C:\Program Files\Google\Chrome\csrss.exe	3b8b335babae9d4a73824efe54aa2148.exe
File created	C:\Program Files\Google\Chrome\886983d96e3d3e	3b8b335babae9d4a73824efe54aa2148.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX6236.tmp	3b8b335babae9d4a73824efe54aa2148.exe
File opened for modification	C:\Program Files\Google\Chrome\RCX65D1.tmp	3b8b335babae9d4a73824efe54aa2148.exe
File opened for modification	C:\Program Files\Google\Chrome\csrss.exe	3b8b335babae9d4a73824efe54aa2148.exe
File created	C:\Program Files (x86)\Windows Mail\unsecapp.exe	3b8b335babae9d4a73824efe54aa2148.exe
File created	C:\Program Files (x86)\Windows Mail\29c1c3cc0f7685	3b8b335babae9d4a73824efe54aa2148.exe
File created	C:\Program Files (x86)\Windows Portable Devices\smss.exe	3b8b335babae9d4a73824efe54aa2148.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Offline Web Pages\TextInputHost.exe	3b8b335babae9d4a73824efe54aa2148.exe
File created	C:\Windows\Setup\State\5b884080fd4f94	3b8b335babae9d4a73824efe54aa2148.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\27d1bcfc3c54e0	3b8b335babae9d4a73824efe54aa2148.exe
File created	C:\Windows\Offline Web Pages\TextInputHost.exe	3b8b335babae9d4a73824efe54aa2148.exe
File created	C:\Windows\Offline Web Pages\22eafd247d37c3	3b8b335babae9d4a73824efe54aa2148.exe
File opened for modification	C:\Windows\Setup\State\RCX67E6.tmp	3b8b335babae9d4a73824efe54aa2148.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Downloads\System.exe	3b8b335babae9d4a73824efe54aa2148.exe
File opened for modification	C:\Windows\Offline Web Pages\RCX6E22.tmp	3b8b335babae9d4a73824efe54aa2148.exe
File created	C:\Windows\Setup\State\fontdrvhost.exe	3b8b335babae9d4a73824efe54aa2148.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\System.exe	3b8b335babae9d4a73824efe54aa2148.exe
File opened for modification	C:\Windows\Setup\State\fontdrvhost.exe	3b8b335babae9d4a73824efe54aa2148.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Downloads\RCX6C0E.tmp	3b8b335babae9d4a73824efe54aa2148.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2784	schtasks.exe
4328	schtasks.exe
1976	schtasks.exe
3528	schtasks.exe
3416	schtasks.exe
4956	schtasks.exe
664	schtasks.exe
4288	schtasks.exe
3356	schtasks.exe
2544	schtasks.exe
1804	schtasks.exe
4948	schtasks.exe
752	schtasks.exe
972	schtasks.exe
3036	schtasks.exe
1208	schtasks.exe
1372	schtasks.exe
3960	schtasks.exe
1332	schtasks.exe
952	schtasks.exe
1204	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3b8b335babae9d4a73824efe54aa2148.exe
Key created	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000_Classes\Local Settings	smss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
1496	3b8b335babae9d4a73824efe54aa2148.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe
4824	smss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4824	smss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	3b8b335babae9d4a73824efe54aa2148.exe
Token: SeDebugPrivilege	4824	smss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 4824	1496	3b8b335babae9d4a73824efe54aa2148.exe	111
PID 1496 wrote to memory of 4824	1496	3b8b335babae9d4a73824efe54aa2148.exe	111
PID 4824 wrote to memory of 4280	4824	smss.exe	112
PID 4824 wrote to memory of 4280	4824	smss.exe	112
PID 4824 wrote to memory of 4772	4824	smss.exe	113
PID 4824 wrote to memory of 4772	4824	smss.exe	113

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3b8b335babae9d4a73824efe54aa2148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3b8b335babae9d4a73824efe54aa2148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3b8b335babae9d4a73824efe54aa2148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3b8b335babae9d4a73824efe54aa2148.exe
"C:\Users\Admin\AppData\Local\Temp\3b8b335babae9d4a73824efe54aa2148.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1496
- C:\Program Files (x86)\Windows Portable Devices\smss.exe
  "C:\Program Files (x86)\Windows Portable Devices\smss.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4824
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a4e963a-3f93-49ac-809d-4e6d7e38d69c.vbs"
    3⤵
    PID:4280
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0524235-8b7e-4aed-9c48-7365123d9966.vbs"
    3⤵
    PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\State\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\LocalService\Downloads\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Downloads\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\LocalService\Downloads\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\smss.exe

Filesize
1.2MB

MD5
0abd77b779f4d2642ab6ccb8e716146d

SHA1
c00b280a45a9c167ca9c5b7e48e250d0c2bcbe97

SHA256
726efa67f15cda9caf80364c9bd73d36395d802e75d37b7f185ba1a0fa403d11

SHA512
7fb59d1dd9e013f0ba7b0485f9efaaeeb150a55235357458716141e2ed1ec13e12b9af8560cb98df13b61b7ce436807ca3ba7e8f0f64697cea80f565ed8476a8

Download Submit
C:\Recovery\WindowsRE\winlogon.exe

Filesize
1.2MB

MD5
3b8b335babae9d4a73824efe54aa2148

SHA1
ebb36ea7e8702f50272952071c18f362b0888003

SHA256
4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354

SHA512
d110697dcfa249f71fe0b5097d83351285c3f4440d82aa39080d016e0202572b229612a2778aac34b26791aadfe0ce7c89b663ee2d2a83ef43bb7cf0c9fac83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a4e963a-3f93-49ac-809d-4e6d7e38d69c.vbs

Filesize
732B

MD5
379240fdb9b7d46020ad7bbbedf1019f

SHA1
08db49341f52d0c3f3ca869cbf55a1bacbd3525b

SHA256
8ed5d241b95e8b2d637b649c927238abb95ab78d36d4da28c9ed6927f8949ec9

SHA512
f0f6842a3456926bf3ba0ca5435816ebfd629b6b0781a1b24b9ed006db61c64cc02d063a7bd4aefb71ebf81be923844ab59bc5e5098ae73f75624e3dc740ac11

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0524235-8b7e-4aed-9c48-7365123d9966.vbs

Filesize
508B

MD5
dadd8d731b2b3572e2a1e71287a95c94

SHA1
a7d23c498bf076e44c1f0ec5ae2f4c2f44edbbf4

SHA256
999fb63a1332d18dffc4004a548cef453ab0fe567b19c0f066599cbd545f2443

SHA512
76fa698b67e04dcfc2b02be9f043808fd5bb017e34fa81b46ae68840393d0ef49619bf7c11e0851bfa0b4853da4c2ebea45970f1e36dc1a492651f055e97ffef

Download Submit
memory/1496-14-0x000000001B6A0000-0x000000001B6AC000-memory.dmp

Filesize
48KB

Download
memory/1496-17-0x000000001B7D0000-0x000000001B7DE000-memory.dmp

Filesize
56KB

Download
memory/1496-5-0x0000000002630000-0x0000000002638000-memory.dmp

Filesize
32KB

Download
memory/1496-7-0x000000001AFD0000-0x000000001AFE6000-memory.dmp

Filesize
88KB

Download
memory/1496-9-0x000000001B010000-0x000000001B01A000-memory.dmp

Filesize
40KB

Download
memory/1496-8-0x0000000002650000-0x0000000002658000-memory.dmp

Filesize
32KB

Download
memory/1496-10-0x000000001AFF0000-0x000000001AFFC000-memory.dmp

Filesize
48KB

Download
memory/1496-11-0x000000001B000000-0x000000001B00C000-memory.dmp

Filesize
48KB

Download
memory/1496-13-0x000000001B690000-0x000000001B69C000-memory.dmp

Filesize
48KB

Download
memory/1496-12-0x000000001B020000-0x000000001B028000-memory.dmp

Filesize
32KB

Download
memory/1496-0-0x0000000000340000-0x000000000047A000-memory.dmp

Filesize
1.2MB

Download
memory/1496-15-0x000000001B7B0000-0x000000001B7B8000-memory.dmp

Filesize
32KB

Download
memory/1496-16-0x000000001B7C0000-0x000000001B7CA000-memory.dmp

Filesize
40KB

Download
memory/1496-6-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/1496-18-0x000000001B7E0000-0x000000001B7EC000-memory.dmp

Filesize
48KB

Download
memory/1496-19-0x000000001B7F0000-0x000000001B7F8000-memory.dmp

Filesize
32KB

Download
memory/1496-20-0x000000001B800000-0x000000001B80A000-memory.dmp

Filesize
40KB

Download
memory/1496-21-0x000000001B810000-0x000000001B81C000-memory.dmp

Filesize
48KB

Download
memory/1496-4-0x000000001B640000-0x000000001B690000-memory.dmp

Filesize
320KB

Download
memory/1496-3-0x0000000002600000-0x000000000261C000-memory.dmp

Filesize
112KB

Download
memory/1496-1-0x00007FFD27FB0000-0x00007FFD28A71000-memory.dmp

Filesize
10.8MB

Download
memory/1496-148-0x00007FFD27FB0000-0x00007FFD28A71000-memory.dmp

Filesize
10.8MB

Download
memory/1496-2-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/4824-149-0x00007FFD27FB0000-0x00007FFD28A71000-memory.dmp

Filesize
10.8MB

Download
memory/4824-147-0x0000000000510000-0x000000000064A000-memory.dmp

Filesize
1.2MB

Download
memory/4824-159-0x00007FFD27FB0000-0x00007FFD28A71000-memory.dmp

Filesize
10.8MB

Download