Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03-05-2024 19:11

General

  • Target

    898A94F29EDC228CE3BD2054F3D5D6DD.exe

  • Size

    4.3MB

  • MD5

    898a94f29edc228ce3bd2054f3d5d6dd

  • SHA1

    f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5

  • SHA256

    a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37

  • SHA512

    8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae

  • SSDEEP

    49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1229451067175997500/jIKKpDize9BATyGRwJszp_dngrLcH2ykCNVKA2g8DaU3tS2rFJtimCYVQM10Zmvy_yF-

Signatures

  • DcRat 55 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Detect Umbral payload 3 IoCs
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe
    "C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe"
    1⤵
    • DcRat
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Local\Temp\stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1468
    • C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
      "C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2388
          • C:\MsWinsessiondllNet\driverBrokercommon.exe
            "C:\MsWinsessiondllNet\driverBrokercommon.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eSeckPEt0m.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2312
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1248
                • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe
                  "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1976
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3ee51fa-6ca5-405c-bf99-9cf2f55fcb50.vbs"
                    8⤵
                      PID:2280
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a182fe7-568d-414b-951d-25d6244808b7.vbs"
                      8⤵
                        PID:3068
                • C:\Windows\SysWOW64\reg.exe
                  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                  5⤵
                  • Modifies registry key
                  PID:2832
          • C:\Users\Admin\AppData\Local\Temp\Inject.exe
            "C:\Users\Admin\AppData\Local\Temp\Inject.exe"
            2⤵
            • Executes dropped EXE
            PID:2516
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\taskhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1444
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2276
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2992
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1160
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2204
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2040
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2336
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1876
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2364
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1984
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:536
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:336
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2888
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1436
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1816
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1748
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2356
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2160
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\cmd.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2020
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\cmd.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1152
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\cmd.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3028
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MsWinsessiondllNet\lsm.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1488
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\lsm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:964
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\lsm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1008
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\WmiPrvSE.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:320
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:912
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:704
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2260
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2244
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "InjectI" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\ja-JP\Inject.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2088
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Inject" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\Inject.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "InjectI" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\ja-JP\Inject.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1476
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\csrss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2156
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2976
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1656
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2608
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2580
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MsWinsessiondllNet\explorer.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2972
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\explorer.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2948
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MsWinsessiondllNet\explorer.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2084
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\conhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2696
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2428
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2432
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MsWinsessiondllNet\dwm.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1732
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2296
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2560
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1252
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1700
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2740
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "driverBrokercommond" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\driverBrokercommon.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2824
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "driverBrokercommon" /sc ONLOGON /tr "'C:\Windows\schemas\driverBrokercommon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2272
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "driverBrokercommond" /sc MINUTE /mo 12 /tr "'C:\Windows\schemas\driverBrokercommon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1604

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat

          Filesize

          158B

          MD5

          ea70d7b0f1a8a1ff2d246efbdcfe1001

          SHA1

          252e762aee8fcc5761e17bb84aa3af8276852f5c

          SHA256

          1947411b5329e6db696c2354b56290b82aaf58b5f5d75fd4f3315fbe27999e31

          SHA512

          1fd28c415177644e069ded3e0ab3d27105fdac2d76f1060abb127e1961f310c81559e4c1213e61a7f32583cee9f4560106cafc88f0f20cf470edb756aadbec86

        • C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe

          Filesize

          218B

          MD5

          7c9bb5fda146efee5ee4a243d6e404b0

          SHA1

          c2fb82a9efb3a2469e6a120ac4781a7fe26eb3dd

          SHA256

          1d4b4c4da6c16a2701cec1c24ff21168d26d4f81c0ac8b3e30ed01b8468d488b

          SHA512

          797e74b283e74a3282223d8035408d55269e4451a289e3873ea197624985121c87dccdbdef42ff99fd8b4d1fd7e856388444e3fc699a9d6b061499682a043771

        • C:\Users\Admin\AppData\Local\Temp\9a182fe7-568d-414b-951d-25d6244808b7.vbs

          Filesize

          522B

          MD5

          cf054cb4dd3a2611b771fe67b621dc7d

          SHA1

          6f3768c0436933ba418a03b2ade39cd4ffb2f1dd

          SHA256

          add2fe82610d0f7bdcfe3d6ff4dfe245f991e2f0b21a475c1377f062017a0de8

          SHA512

          8ea088f7368d414b792f3a459779a73ee51f1dd0de80552acf5b58702ca2ac1a19904f9497ba137f5293ec389c4e19dde5bc51ea75f4179f1260f733323c7ea1

        • C:\Users\Admin\AppData\Local\Temp\eSeckPEt0m.bat

          Filesize

          235B

          MD5

          c4e42cae876a05ae0c753a0a8fd32164

          SHA1

          d8cc369a8649c85f0c25f0826d447f3c62191238

          SHA256

          75daf4baae8d884fab1397f8524a6f645895de1a81e03ba5c776d7ec726abb45

          SHA512

          e569796ef385532522c271e9d7832ff9bc0920ad4b73441024ab10ace401cf41fe182ea16fc2992044c444cb325beaf156a871d0dedd14672dd9c3b95d5ce1f1

        • C:\Users\Admin\AppData\Local\Temp\f3ee51fa-6ca5-405c-bf99-9cf2f55fcb50.vbs

          Filesize

          746B

          MD5

          599938f2aed6b131cd8d747f26edb4d4

          SHA1

          62906394e606959918b273c8a6f711a85b0505ee

          SHA256

          ab1325106363bf6a296704640c8c8d4194f240ca53080e7fa3ddae1c3338d562

          SHA512

          f1d0434c1385cef8546a4dbdf38b64ec29a278c649732c0e7f178e1f8637f1864b216dda373188c10edd522e03241649ce3ccaf8ce39ae66043143ec06f1f8b1

        • \MsWinsessiondllNet\driverBrokercommon.exe

          Filesize

          2.3MB

          MD5

          d84e590c3715c79dc5b92c435957d162

          SHA1

          2901580903e4b356448d9fe7bea510261e655363

          SHA256

          d81c1097d231fdcb536974ef025f230d1c4091bab3edcf4f9da9344b44b638ba

          SHA512

          b797cdb43776a7e8a19f9c93299857d8f88651e13c7ba5ddb57f0ac0b24c7b98e6cc6c20ae1561948fb49774edad31cd237f40c9c690d34923ffee56bc02a485

        • \Users\Admin\AppData\Local\Temp\Inject.exe

          Filesize

          75KB

          MD5

          d428ddd1b0ce85a6c96765aeaf246320

          SHA1

          d100efdaab5b2ad851fe75a28d0aa95deb920926

          SHA256

          453a331db812ed6e0ce6cca5d3b5be26e66c44b5f6fbdc88f98442670b8daecb

          SHA512

          3f9dda9d998ef282eb31644296ef0617bbf40352189f4ccd744191f466e932ffde2fd2bdaebe89f0bc06e465d57a8e46e08b3001fe834b3d989fc71125d25899

        • \Users\Admin\AppData\Local\Temp\stealer.exe

          Filesize

          229KB

          MD5

          8cc1e7cf94fec9bc505ce7411aa28861

          SHA1

          08703de84f3db427c368f16c873664d78bd83264

          SHA256

          cc60087c94ea0ab843dcae2cdd76ac5e9c90599d2909bbba12881babf46158ba

          SHA512

          fe60f11452c9e470c0b63385cf0ee8f9fd07598c1294ba25cc8c7c093142efe865aba39680ae5f80611db9423717a7094c939f180e5195e7ae91a9633872a423

        • \Users\Admin\AppData\Local\Temp\чекер dc.exe

          Filesize

          2.6MB

          MD5

          6216b6bef94c09a40bfa263809b1ae56

          SHA1

          a928120e65199c6aaae6c991aa0466f3f8b06020

          SHA256

          eabc7e4491961469ccb9c8cd716dbaf5285ecb8ad3edfc6bfec133a1ec80f05b

          SHA512

          0e311738b5bdf73f01c552b59646485418ab5b99862af5da2bb934d4262307ac8f57274bbd7f6c99376e6be99d424aad5282a73a063529310425666be224d215

        • memory/1976-93-0x0000000001300000-0x000000000154A000-memory.dmp

          Filesize

          2.3MB

        • memory/2236-0-0x0000000000400000-0x000000000084E000-memory.dmp

          Filesize

          4.3MB

        • memory/2492-21-0x0000000000180000-0x00000000001C0000-memory.dmp

          Filesize

          256KB

        • memory/2516-19-0x000000013FE90000-0x000000013FEBA000-memory.dmp

          Filesize

          168KB

        • memory/2692-39-0x0000000000160000-0x0000000000170000-memory.dmp

          Filesize

          64KB

        • memory/2692-47-0x00000000006E0000-0x00000000006E8000-memory.dmp

          Filesize

          32KB

        • memory/2692-42-0x0000000000180000-0x000000000018C000-memory.dmp

          Filesize

          48KB

        • memory/2692-43-0x0000000000390000-0x000000000039C000-memory.dmp

          Filesize

          48KB

        • memory/2692-44-0x00000000003A0000-0x00000000003A8000-memory.dmp

          Filesize

          32KB

        • memory/2692-45-0x0000000000530000-0x000000000053A000-memory.dmp

          Filesize

          40KB

        • memory/2692-46-0x00000000005C0000-0x00000000005CE000-memory.dmp

          Filesize

          56KB

        • memory/2692-41-0x0000000000170000-0x000000000017C000-memory.dmp

          Filesize

          48KB

        • memory/2692-48-0x00000000006F0000-0x00000000006FA000-memory.dmp

          Filesize

          40KB

        • memory/2692-49-0x0000000000700000-0x000000000070C000-memory.dmp

          Filesize

          48KB

        • memory/2692-40-0x0000000000AD0000-0x0000000000B26000-memory.dmp

          Filesize

          344KB

        • memory/2692-38-0x0000000000150000-0x0000000000158000-memory.dmp

          Filesize

          32KB

        • memory/2692-37-0x0000000000140000-0x0000000000148000-memory.dmp

          Filesize

          32KB

        • memory/2692-36-0x0000000000D90000-0x0000000000FDA000-memory.dmp

          Filesize

          2.3MB