dcrat | de7598261915dd8568f29b70b0a122daf90a086bb2a4d976474f4873b55949bc

Analysis

max time kernel
1800s
max time network
1799s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-04-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Neverlose.cc Crack.exe
Size

4.6MB
MD5

cb2be30171f2abcd864d4afbce7cbf4a
SHA1

9b9328b84ca32f6026430b98390e718d971c82ed
SHA256

de7598261915dd8568f29b70b0a122daf90a086bb2a4d976474f4873b55949bc
SHA512

935fca6c2e7de61a257bb225097308dc243f4cfd470ac70a80ab319c4af0ae5dbcd893fdd3d3558bcebbf7fb129cc96dfdf054b649d44c6be15f5267be73710c
SSDEEP

98304:l2wqFuVDp+YL9l5LPDj2VWnPt1Igxrgjc0iXs/oMoaq9l44R0:0wuudpZL9l5LPkw11InWp47

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

intobroker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\uk-UA\\SearchUI.exe\""	intobroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\uk-UA\\SearchUI.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\ja-JP\\System.exe\""	intobroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\uk-UA\\SearchUI.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\ja-JP\\System.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	intobroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\uk-UA\\SearchUI.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\ja-JP\\System.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\sppsvc.exe\""	intobroker.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	4364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	4364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	4364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	4364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	4364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	4364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	4364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	4364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	4364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	4364	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sppsvc.exeintobroker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	intobroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	intobroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	intobroker.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\explorer.exe	dcrat
C:\Bridgeserverintocommon\intobroker.exe	dcrat
behavioral2/memory/4340-34-0x0000000000470000-0x00000000007D8000-memory.dmp	dcrat

Executes dropped EXE 14 IoCs

Processes:

explorer.exeAimStar.exeintobroker.exesppsvc.exesppsvc.exeSystem.exesppsvc.exeSearchUI.exeSystem.exesppsvc.exesppsvc.exeSystem.exeSearchUI.exesppsvc.exe

pid	process
2656	explorer.exe
4728	AimStar.exe
4340	intobroker.exe
1224	sppsvc.exe
288	sppsvc.exe
4456	System.exe
700	sppsvc.exe
264	SearchUI.exe
1848	System.exe
2212	sppsvc.exe
2564	sppsvc.exe
2208	System.exe
1924	SearchUI.exe
1092	sppsvc.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

intobroker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Sidebar\\sppsvc.exe\""	intobroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Program Files\\Internet Explorer\\uk-UA\\SearchUI.exe\""	intobroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Program Files\\Internet Explorer\\uk-UA\\SearchUI.exe\""	intobroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Common Files\\System\\msadc\\ja-JP\\System.exe\""	intobroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Common Files\\System\\msadc\\ja-JP\\System.exe\""	intobroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	intobroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	intobroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Sidebar\\sppsvc.exe\""	intobroker.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

intobroker.exesppsvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	intobroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	intobroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Drops file in Program Files directory 7 IoCs

Processes:

intobroker.exe

description	ioc	process
File created	C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe	intobroker.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe	intobroker.exe
File created	C:\Program Files\Internet Explorer\uk-UA\dab4d89cac03ec	intobroker.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\System.exe	intobroker.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\27d1bcfc3c54e0	intobroker.exe
File created	C:\Program Files (x86)\Windows Sidebar\sppsvc.exe	intobroker.exe
File created	C:\Program Files (x86)\Windows Sidebar\0a1fd5f707cd16	intobroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3532	schtasks.exe
2112	schtasks.exe
2540	schtasks.exe
1604	schtasks.exe
4388	schtasks.exe
3168	schtasks.exe
3636	schtasks.exe
4648	schtasks.exe
5072	schtasks.exe
308	schtasks.exe
4072	schtasks.exe
4344	schtasks.exe

Modifies registry class 3 IoCs

Processes:

explorer.exeintobroker.exesppsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	intobroker.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

intobroker.exesppsvc.exe

pid	process
4340	intobroker.exe
4340	intobroker.exe
4340	intobroker.exe
4340	intobroker.exe
4340	intobroker.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe
1224	sppsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sppsvc.exe

pid process

1224 sppsvc.exe

pid	process
1224	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

intobroker.exesppsvc.exevssvc.exesppsvc.exeSystem.exesppsvc.exeSearchUI.exeSystem.exesppsvc.exesppsvc.exeSystem.exeSearchUI.exesppsvc.exe

description	pid	process
Token: SeDebugPrivilege	4340	intobroker.exe
Token: SeDebugPrivilege	1224	sppsvc.exe
Token: SeBackupPrivilege	4376	vssvc.exe
Token: SeRestorePrivilege	4376	vssvc.exe
Token: SeAuditPrivilege	4376	vssvc.exe
Token: SeDebugPrivilege	288	sppsvc.exe
Token: SeDebugPrivilege	4456	System.exe
Token: SeDebugPrivilege	700	sppsvc.exe
Token: SeDebugPrivilege	264	SearchUI.exe
Token: SeDebugPrivilege	1848	System.exe
Token: SeDebugPrivilege	2212	sppsvc.exe
Token: SeDebugPrivilege	2564	sppsvc.exe
Token: SeDebugPrivilege	2208	System.exe
Token: SeDebugPrivilege	1924	SearchUI.exe
Token: SeDebugPrivilege	1092	sppsvc.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Neverlose.cc Crack.exeexplorer.exeWScript.execmd.exeintobroker.execmd.exesppsvc.exe

description	pid	process	target process
PID 4472 wrote to memory of 2656	4472	Neverlose.cc Crack.exe	explorer.exe
PID 4472 wrote to memory of 2656	4472	Neverlose.cc Crack.exe	explorer.exe
PID 4472 wrote to memory of 2656	4472	Neverlose.cc Crack.exe	explorer.exe
PID 4472 wrote to memory of 4728	4472	Neverlose.cc Crack.exe	AimStar.exe
PID 4472 wrote to memory of 4728	4472	Neverlose.cc Crack.exe	AimStar.exe
PID 2656 wrote to memory of 1284	2656	explorer.exe	WScript.exe
PID 2656 wrote to memory of 1284	2656	explorer.exe	WScript.exe
PID 2656 wrote to memory of 1284	2656	explorer.exe	WScript.exe
PID 2656 wrote to memory of 1244	2656	explorer.exe	WScript.exe
PID 2656 wrote to memory of 1244	2656	explorer.exe	WScript.exe
PID 2656 wrote to memory of 1244	2656	explorer.exe	WScript.exe
PID 1284 wrote to memory of 2728	1284	WScript.exe	cmd.exe
PID 1284 wrote to memory of 2728	1284	WScript.exe	cmd.exe
PID 1284 wrote to memory of 2728	1284	WScript.exe	cmd.exe
PID 2728 wrote to memory of 4340	2728	cmd.exe	intobroker.exe
PID 2728 wrote to memory of 4340	2728	cmd.exe	intobroker.exe
PID 4340 wrote to memory of 4452	4340	intobroker.exe	cmd.exe
PID 4340 wrote to memory of 4452	4340	intobroker.exe	cmd.exe
PID 4452 wrote to memory of 2624	4452	cmd.exe	w32tm.exe
PID 4452 wrote to memory of 2624	4452	cmd.exe	w32tm.exe
PID 4452 wrote to memory of 1224	4452	cmd.exe	sppsvc.exe
PID 4452 wrote to memory of 1224	4452	cmd.exe	sppsvc.exe
PID 1224 wrote to memory of 2504	1224	sppsvc.exe	WScript.exe
PID 1224 wrote to memory of 2504	1224	sppsvc.exe	WScript.exe
PID 1224 wrote to memory of 1052	1224	sppsvc.exe	WScript.exe
PID 1224 wrote to memory of 1052	1224	sppsvc.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

sppsvc.exeintobroker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	intobroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	intobroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	intobroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Neverlose.cc Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Neverlose.cc Crack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4472

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Bridgeserverintocommon\intobroker.exe
"C:\Bridgeserverintocommon\intobroker.exe"
5⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lCQZmTZqZs.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:2624

C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
"C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1224

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e954f97-d915-49a5-bcfb-32a94bcb3a02.vbs"
8⤵
PID:2504

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ab6bb90-ffc3-427c-bd23-1c05e0f2a8b6.vbs"
8⤵
PID:1052

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\file.vbs"
3⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\AimStar.exe
"C:\Users\Admin\AppData\Local\Temp\AimStar.exe"
2⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4488

C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
"C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Program Files\Common Files\System\msadc\ja-JP\System.exe
"C:\Program Files\Common Files\System\msadc\ja-JP\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
"C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe
"C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:264

C:\Program Files\Common Files\System\msadc\ja-JP\System.exe
"C:\Program Files\Common Files\System\msadc\ja-JP\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
"C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
"C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Program Files\Common Files\System\msadc\ja-JP\System.exe
"C:\Program Files\Common Files\System\msadc\ja-JP\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe
"C:\Program Files\Internet Explorer\uk-UA\SearchUI.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
"C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat
Filesize
42B

MD5
9005984f23c241ae6504691edad99db9

SHA1
50ec3cca58fd37b1853bd144854fb0242019d2b9

SHA256
e4d707b17add26a6652c539cdb21c37fdad6e3ace7c81ecf2174e9822ec722de

SHA512
183a00fb20157a7125673eada3c8fd6c7be9b15ce84ae92e4f82c8838f6a68f3c76d8a4e38022b29480007f9ff46020e7bd3f32fd1c2684c62978a0e24e3d1ff

Download Submit
C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe
Filesize
227B

MD5
8ad651de9eab5382f5aeb6e0a38e22bc

SHA1
c45b320fdec6e25ccacc31bdf3999a6fec82c9a0

SHA256
adc8a48ba4abcaba69bb11494239f5f36da9146e54d03d3ecbf30628b77bdf01

SHA512
6fa241fb0c56d172dd72a1560329f573d10b2cf289aaa1e4a8e36e7a00c0f10e52fa566997654ef985f838b44b8230a5ca1215aacd1a2910ae25f0988519fb3a

Download Submit
C:\Bridgeserverintocommon\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Bridgeserverintocommon\intobroker.exe
Filesize
3.4MB

MD5
34f09d31d624cddea4794d6b60fb342a

SHA1
21dae839ec2ac251c1d80d51e32e5b0f7c9c208f

SHA256
fd3a3a73eaee67019836012fff9be8474388fe57f8fcf0fb60d0326acd9a9c8f

SHA512
e1f3c7e71a9921b6c2be32ace2ed8b809a81bfa5047034f4d3acf13386154bbda150c812def937542e01f7228b52cfe3fef1fe4446503f7a0048c852c7b2e873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log
Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e954f97-d915-49a5-bcfb-32a94bcb3a02.vbs
Filesize
725B

MD5
c6d1a32671a36ab4bba8879a2c246c04

SHA1
30918888446c3a6f0ad6a1ed480cbf610235c45f

SHA256
96fb212a0aed18b31af03cfe19db2de55e12410ab19857a65666d721fc130b44

SHA512
46f26f7bcd00ba87dd690c9fedc5cb9e058516337e63579cef493ef25fdd603fc0070b3a982457da56b70d95cfd007d71fe2f53c87c2568c0a92d823530c6679

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ab6bb90-ffc3-427c-bd23-1c05e0f2a8b6.vbs
Filesize
501B

MD5
4094599379beb1af19142ce90d132c66

SHA1
262b3eb6036bf7fc80378d6721bb6ea16f52fba6

SHA256
e503ebeb4229987d8c7e8b3c6f87d035000b5e2969713253b36d8ff8a049ada4

SHA512
bf755c0ffee1267d8390f57d1c4020bc842e2746875fa6e01a5cf46f22e838c8923e88fafcd24512a6114c1248fc4a10bf81d86ff9c4f22e7c4efa94c11207d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AimStar.exe
Filesize
2.2MB

MD5
61f4153bfff66366181c4102763763b6

SHA1
69e7786d66e718426321e2db61a6bafb3129b6a9

SHA256
e785f907b24d5397d7dc19386dd8fcceb442395b67c023ab43f8aa9b0346c199

SHA512
e98b2d49cd3e189e37670b937954e46b3c8f002dffb4bfcc764d8145acdd6b33042d408b05883cd8f3678382bb02ba58fc84e10273778307630c8ec49c24d4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
3.7MB

MD5
3aff466445051bd93a7ea3ae519587ef

SHA1
516c1e9da912f6d988146fb812d88bdc7b30588a

SHA256
47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e

SHA512
3870bd70e038bb27035eec3eb8bd8f88c2bb720f59dd5283e2bc095f540e3ab4d6e991d7a601b4d809d8de7e7592d2010c41cf57b708ea2f42a5323353a8338f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lCQZmTZqZs.bat
Filesize
214B

MD5
9dca10f109c8894680c6d0b18c95b120

SHA1
bcacaf25328c106cc560725d439fbc52df32a12f

SHA256
62f9917b9c88aef04fe3092c1c0651e90a359597e93dcb75d6323aefff45ec9d

SHA512
2d2e004318ff16bd6a2d0bf5908c0c19da221ec5fb145b2f6abc660fb106efcd1bcb1de5beef1eda7e5f638d80e52b3a643f88adfdb822764d5dbb3fa16ea677

Download Submit
memory/1224-96-0x000000001E510000-0x000000001E6D2000-memory.dmp

Filesize
1.8MB

Download
memory/4340-51-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/4340-56-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

Filesize
48KB

Download
memory/4340-41-0x000000001B400000-0x000000001B410000-memory.dmp

Filesize
64KB

Download
memory/4340-40-0x000000001B3F0000-0x000000001B3F8000-memory.dmp

Filesize
32KB

Download
memory/4340-42-0x000000001B530000-0x000000001B546000-memory.dmp

Filesize
88KB

Download
memory/4340-43-0x000000001B410000-0x000000001B41C000-memory.dmp

Filesize
48KB

Download
memory/4340-44-0x000000001B550000-0x000000001B562000-memory.dmp

Filesize
72KB

Download
memory/4340-45-0x000000001B560000-0x000000001B56C000-memory.dmp

Filesize
48KB

Download
memory/4340-46-0x000000001B570000-0x000000001B578000-memory.dmp

Filesize
32KB

Download
memory/4340-47-0x000000001B5D0000-0x000000001B5E0000-memory.dmp

Filesize
64KB

Download
memory/4340-48-0x000000001B5E0000-0x000000001B5EA000-memory.dmp

Filesize
40KB

Download
memory/4340-49-0x000000001BB20000-0x000000001BB76000-memory.dmp

Filesize
344KB

Download
memory/4340-50-0x000000001B5F0000-0x000000001B5FC000-memory.dmp

Filesize
48KB

Download
memory/4340-38-0x000000001B3D0000-0x000000001B3EC000-memory.dmp

Filesize
112KB

Download
memory/4340-54-0x000000001BB90000-0x000000001BBA2000-memory.dmp

Filesize
72KB

Download
memory/4340-53-0x000000001BB80000-0x000000001BB88000-memory.dmp

Filesize
32KB

Download
memory/4340-52-0x000000001BB70000-0x000000001BB7C000-memory.dmp

Filesize
48KB

Download
memory/4340-58-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

Filesize
48KB

Download
memory/4340-57-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

Filesize
32KB

Download
memory/4340-39-0x000000001B580000-0x000000001B5D0000-memory.dmp

Filesize
320KB

Download
memory/4340-55-0x000000001C250000-0x000000001C776000-memory.dmp

Filesize
5.1MB

Download
memory/4340-59-0x000000001BBF0000-0x000000001BBFC000-memory.dmp

Filesize
48KB

Download
memory/4340-61-0x000000001BC10000-0x000000001BC1C000-memory.dmp

Filesize
48KB

Download
memory/4340-60-0x000000001BC00000-0x000000001BC08000-memory.dmp

Filesize
32KB

Download
memory/4340-65-0x000000001BD50000-0x000000001BD5E000-memory.dmp

Filesize
56KB

Download
memory/4340-69-0x000000001BD90000-0x000000001BD9A000-memory.dmp

Filesize
40KB

Download
memory/4340-68-0x000000001BD80000-0x000000001BD88000-memory.dmp

Filesize
32KB

Download
memory/4340-67-0x000000001BD70000-0x000000001BD7C000-memory.dmp

Filesize
48KB

Download
memory/4340-66-0x000000001BD60000-0x000000001BD68000-memory.dmp

Filesize
32KB

Download
memory/4340-64-0x000000001BD40000-0x000000001BD48000-memory.dmp

Filesize
32KB

Download
memory/4340-63-0x000000001BD30000-0x000000001BD3E000-memory.dmp

Filesize
56KB

Download
memory/4340-62-0x000000001BD20000-0x000000001BD2A000-memory.dmp

Filesize
40KB

Download
memory/4340-37-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/4340-36-0x00000000029E0000-0x00000000029EE000-memory.dmp

Filesize
56KB

Download
memory/4340-35-0x00000000029D0000-0x00000000029DE000-memory.dmp

Filesize
56KB

Download
memory/4340-34-0x0000000000470000-0x00000000007D8000-memory.dmp

Filesize
3.4MB

Download
memory/4472-0-0x00000000009D0000-0x0000000000E68000-memory.dmp

Filesize
4.6MB

Download
memory/4472-1-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

Filesize
9.9MB

Download
memory/4472-2-0x000000001B940000-0x000000001B950000-memory.dmp

Filesize
64KB

Download
memory/4472-14-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

Filesize
9.9MB

Download