Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-05-2024 01:35
Static task: static1
Behavioral task: behavioral1
Sample: a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
Resource: win7-20240221-en
General
Target: a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
Size: 4.3MB
MD5: 898a94f29edc228ce3bd2054f3d5d6dd
SHA1: f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5
SHA256: a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37
SHA512: 8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae
SSDEEP: 49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ
Malware Config (extracted)
Family: umbral
C2 / webhook URL: https://discord.com/api/webhooks/1229451067175997500/jIKKpDize9BATyGRwJszp_dngrLcH2ykCNVKA2g8DaU3tS2rFJtimCYVQM10Zmvy_yF-
Signatures

DcRat (37 IoCs)
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Detect Umbral payload (3 IoCs)
resource (yara_rule):
- behavioral1/memory/1196-0-0x0000000000400000-0x000000000084E000-memory.dmp (family_umbral)
- behavioral1/files/0x000d000000014267-5.dat (family_umbral)
- behavioral1/memory/1972-23-0x0000000000BF0000-0x0000000000C30000-memory.dmp (family_umbral)
Process spawned unexpected child process (36 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
resource (yara_rule):
- behavioral1/memory/1196-0-0x0000000000400000-0x000000000084E000-memory.dmp (dcrat)
- behavioral1/files/0x000900000001441e-9.dat (dcrat)
- behavioral1/files/0x0007000000014738-33.dat (dcrat)
- behavioral1/memory/2496-37-0x0000000000FA0000-0x00000000011EA000-memory.dmp (dcrat)
- behavioral1/memory/2856-81-0x0000000000110000-0x000000000035A000-memory.dmp (dcrat)
Detects executables attempting to enumerate video devices using WMI (3 IoCs)
resource (yara_rule):
- behavioral1/memory/1196-0-0x0000000000400000-0x000000000084E000-memory.dmp (INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice)
- behavioral1/files/0x000d000000014267-5.dat (INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice)
- behavioral1/memory/1972-23-0x0000000000BF0000-0x0000000000C30000-memory.dmp (INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice)
Detects executables containing possible sandbox analysis VM names (3 IoCs)
resource (yara_rule):
- behavioral1/memory/1196-0-0x0000000000400000-0x000000000084E000-memory.dmp (INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames)
- behavioral1/files/0x000d000000014267-5.dat (INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames)
- behavioral1/memory/1972-23-0x0000000000BF0000-0x0000000000C30000-memory.dmp (INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames)
Detects executables containing possible sandbox analysis VM usernames (3 IoCs)
resource (yara_rule):
- behavioral1/memory/1196-0-0x0000000000400000-0x000000000084E000-memory.dmp (INDICATOR_SUSPICIOUS_EXE_SandboxUserNames)
- behavioral1/files/0x000d000000014267-5.dat (INDICATOR_SUSPICIOUS_EXE_SandboxUserNames)
- behavioral1/memory/1972-23-0x0000000000BF0000-0x0000000000C30000-memory.dmp (INDICATOR_SUSPICIOUS_EXE_SandboxUserNames)
Detects executables containing possible sandbox system UUIDs (3 IoCs)
resource (yara_rule):
- behavioral1/memory/1196-0-0x0000000000400000-0x000000000084E000-memory.dmp (INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs)
- behavioral1/files/0x000d000000014267-5.dat (INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs)
- behavioral1/memory/1972-23-0x0000000000BF0000-0x0000000000C30000-memory.dmp (INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs)
Detects executables packed with SmartAssembly (3 IoCs)
resource (yara_rule):
- behavioral1/memory/2496-44-0x0000000000B10000-0x0000000000B1C000-memory.dmp (INDICATOR_EXE_Packed_SmartAssembly)
- behavioral1/memory/2496-46-0x0000000000B30000-0x0000000000B3A000-memory.dmp (INDICATOR_EXE_Packed_SmartAssembly)
- behavioral1/memory/2496-49-0x0000000000CF0000-0x0000000000CFA000-memory.dmp (INDICATOR_EXE_Packed_SmartAssembly)
Disables Task Manager via registry modification
Executes dropped EXE (5 IoCs)
pid / Process:
- 1972 stealer.exe
- 1292 чекер dc.exe
- 2580 Inject.exe
- 2496 driverBrokercommon.exe
- 2856 explorer.exe
Loads dropped DLL (6 IoCs)
pid / Process:
- 1196 a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
- 1196 a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
- 1196 a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
- 2616 Process not Found
- 2392 cmd.exe
- 2392 cmd.exe
Drops file in Program Files directory (13 IoCs)
description / ioc / Process:
- File created: C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe (driverBrokercommon.exe)
- File created: C:\Program Files\Java\jre7\bin\dtplugin\886983d96e3d3e (driverBrokercommon.exe)
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\conhost.exe (driverBrokercommon.exe)
- File created: C:\Program Files (x86)\Windows Defender\es-ES\taskhost.exe (driverBrokercommon.exe)
- File created: C:\Program Files\VideoLAN\VLC\winlogon.exe (driverBrokercommon.exe)
- File created: C:\Program Files\VideoLAN\VLC\cc11b995f2a76d (driverBrokercommon.exe)
- File created: C:\Program Files\Windows Portable Devices\spoolsv.exe (driverBrokercommon.exe)
- File created: C:\Program Files (x86)\Windows Photo Viewer\de-DE\driverBrokercommon.exe (driverBrokercommon.exe)
- File opened for modification: C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe (driverBrokercommon.exe)
- File created: C:\Program Files (x86)\Windows Defender\es-ES\b75386f1303e64 (driverBrokercommon.exe)
- File created: C:\Program Files\Windows Portable Devices\f3b6ecef712a24 (driverBrokercommon.exe)
- File created: C:\Program Files (x86)\Windows Photo Viewer\de-DE\1cdec3972599ff (driverBrokercommon.exe)
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\088424020bedd6 (driverBrokercommon.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 36 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry key (1 TTPs, 1 IoCs)
pid / Process:
- 2708 reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid / Process:
- 2856 explorer.exe
Suspicious use of AdjustPrivilegeToken (43 IoCs)
Suspicious use of WriteProcessMemory (40 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(the bracketed number and the indentation show each process's depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe (PID 1196)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe"
    Signatures: DcRat; Loads dropped DLL; Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\stealer.exe (PID 1972)
      Command line: "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\Wbem\wmic.exe (PID 2788)
        Command line: "wmic.exe" csproduct get uuid
        Signatures: Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\чекер dc.exe (PID 1292)
      Command line: "C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WScript.exe (PID 2624)
        Command line: "C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"
        Signatures: Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2392)
          Command line: cmd /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "
          Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
        [5] C:\MsWinsessiondllNet\driverBrokercommon.exe (PID 2496)
            Command line: "C:\MsWinsessiondllNet\driverBrokercommon.exe"
            Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          [6] C:\MsWinsessiondllNet\explorer.exe (PID 2856)
              Command line: "C:\MsWinsessiondllNet\explorer.exe"
              Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            [7] C:\Windows\System32\WScript.exe (PID 656)
                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9f61fe1-f4ea-4e43-982a-81d8c7d765cf.vbs"
            [7] C:\Windows\System32\WScript.exe (PID 2532)
                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83ff8856-3281-4735-8c80-bef461d8bc8e.vbs"
        [5] C:\Windows\SysWOW64\reg.exe (PID 2708)
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            Signatures: Modifies registry key
  [2] C:\Users\Admin\AppData\Local\Temp\Inject.exe (PID 2580)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Inject.exe"
      Signatures: Executes dropped EXE

[1] C:\Windows\system32\schtasks.exe (PID 1928)
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1952)
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2292)
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1824)
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\dwm.exe'" /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1072)
    Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\dwm.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2348)
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Recorded TV\Sample Media\dwm.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1624)
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\explorer.exe'" /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1492)
    Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\explorer.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2660)
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\explorer.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1132)
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 824)
    Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1452)
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2252)
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2996)
    Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1880)
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 432)
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\conhost.exe'" /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2164)
    Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\conhost.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1268)
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\conhost.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1028)
    Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhost.exe'" /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1836)
    Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhost.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2268)
    Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhost.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1608)
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3036)
    Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1656)
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 640)
    Command line: schtasks.exe /create /tn "driverBrokercommond" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\driverBrokercommon.exe'" /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3052)
    Command line: schtasks.exe /create /tn "driverBrokercommon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\driverBrokercommon.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2892)
    Command line: schtasks.exe /create /tn "driverBrokercommond" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\driverBrokercommon.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2760)
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2172)
    Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2828)
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3016)
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1460)
    Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 3044)
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2700)
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\csrss.exe'" /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 2080)
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Application Data\csrss.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe (PID 1904)
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\csrss.exe'" /rl HIGHEST /f
    Signatures: DcRat; Process spawned unexpected child process; Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads