Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

36b4c1632f...20.exe

windows7-x64

10

36b4c1632f...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/05/2024, 01:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe

  • Size

    3.4MB

  • MD5

    1b57989c5c9ef0b64db6fbc2c88b346b

  • SHA1

    75818e0eedd98f90c338edbc2ad6882f6a11fb06

  • SHA256

    36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20

  • SHA512

    269cc8c6918a00a1df3e932ca3c7aec08913dfe2d545bc7bdcb9ced00b1038ada214ed167619b96a38a0c865889c0a590d3b8be1aaaa3c036db3ba0c9d65be7a

  • SSDEEP

    49152:h7/RbqaJqrkG24yhaf1hD3uR4S1o+NO6QolF2YpwCgOGE2/xB/r/4ri:F1t5Qa4YowtJwCHG5xBj/4

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 56 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 18 IoCs
    persistence
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Detects executables packed with SmartAssembly 9 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 36 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe
    "C:\Users\Admin\AppData\Local\Temp\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:432
    • C:\Recovery\WindowsRE\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe
      "C:\Recovery\WindowsRE\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4380
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\feb39b76-81a7-4f70-a897-2c94470ed257.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Recovery\WindowsRE\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe
          C:\Recovery\WindowsRE\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3624
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\717e380e-41b6-4b50-afad-1a2dfbe9c93a.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4924
            • C:\Recovery\WindowsRE\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe
              C:\Recovery\WindowsRE\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2220
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0b2fda8-eaef-4c9a-9769-f187db347b1a.vbs"
                7⤵
                  PID:2044
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6da322d-3551-498b-8d70-e3de05794f61.vbs"
                  7⤵
                    PID:1152
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d7409e1-4fb9-4dcb-b9f4-4a36276a6382.vbs"
                5⤵
                  PID:412
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e73ff563-a852-47b8-90e7-ecf63c601524.vbs"
              3⤵
                PID:972
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5100
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1888
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1904
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5044
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1572
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1088
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Idle.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:468
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1084
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2560
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3384
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4576
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:448
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1740
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2936
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3132
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4520
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2932
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1096
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\unsecapp.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5052
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3440
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1640
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c203" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4024
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4944
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c203" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2976
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sihost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5084
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sihost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3456
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sihost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2852
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4776
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4700
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5028
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\wininit.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3124
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\wininit.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4684
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\wininit.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4956
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3848
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4472
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4512
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2384
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3336
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4448
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1176
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2968
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1664
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2044
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1948
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c203" /sc MINUTE /mo 8 /tr "'C:\Users\Default\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:232
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20" /sc ONLOGON /tr "'C:\Users\Default\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3576
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c203" /sc MINUTE /mo 14 /tr "'C:\Users\Default\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4916
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c203" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4808
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1444
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c203" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2120
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2600
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4604
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:680

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Scheduled Task/Job

          1
          T1053

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          4
          T1112

          Credential Access

          Discovery

          Query Registry

          2
          T1012

          System Information Discovery

          3
          T1082

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe
            Filesize

            3.4MB

            MD5

            1b57989c5c9ef0b64db6fbc2c88b346b

            SHA1

            75818e0eedd98f90c338edbc2ad6882f6a11fb06

            SHA256

            36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20

            SHA512

            269cc8c6918a00a1df3e932ca3c7aec08913dfe2d545bc7bdcb9ced00b1038ada214ed167619b96a38a0c865889c0a590d3b8be1aaaa3c036db3ba0c9d65be7a

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\36b4c1632f6121f74305e5af623f983c9b97b01080470c7daae076dff51b8c20.exe.log
            Filesize

            1KB

            MD5

            655010c15ea0ca05a6e5ddcd84986b98

            SHA1

            120bf7e516aeed462c07625fbfcdab5124ad05d3

            SHA256

            2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14

            SHA512

            e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\717e380e-41b6-4b50-afad-1a2dfbe9c93a.vbs
            Filesize

            766B

            MD5

            61edeeb9ad341f0b3bff94b459723923

            SHA1

            d25e0c83fc7d53894d58b9320077657c63b61383

            SHA256

            127833b018b2a0fc01047995624c3c61ebc7944b85a468026f8efd23b65b3181

            SHA512

            303970c78785550975161e049e0968c1f0fce3c49d8362c20b77c834b3c8031eaf1d5ad3952104c2ad5466b7bebbcce52a0e3c169a12b0b03869de7736477642

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\e73ff563-a852-47b8-90e7-ecf63c601524.vbs
            Filesize

            542B

            MD5

            29aba3b55f6629a2d500c21f65c89e05

            SHA1

            0714fe59c724c156b3e024ffc02745035e4303c6

            SHA256

            52063e9367ad145b932e7dfc398c66b6794b97f1d5a7fd388194035bdb6c998e

            SHA512

            5cdc0ee6f5db00741c1afcc9b9450a9349dd5f38857dbe9f2eb8dc82ba5fe1f21f57c0ca75cce61e6d53050b026e0145f84eb4717c7044bb764fc4c469292482

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\f0b2fda8-eaef-4c9a-9769-f187db347b1a.vbs
            Filesize

            766B

            MD5

            76a0cc381ce2aea96879439c46b21ab2

            SHA1

            cf212aee32ad0c187faea915ba4f0014dbc574f5

            SHA256

            0f6bcb4eb1a678e9d2f987fdc45d6385f8ad875a0b17da00d4b2e84580b46a10

            SHA512

            6587890e5b700dab4c354eba2a55801e831de24dc6243a5f58a2777f7e8446a7d07d413654d3f4c6be5b55b51bfc7827d9a1f9b226b06a43afb6fa6e8bde21a7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\feb39b76-81a7-4f70-a897-2c94470ed257.vbs
            Filesize

            766B

            MD5

            e325c9b7b0c023c258105f27a1093990

            SHA1

            4f8daa67ca45eef76293f534759572efb08e9ef1

            SHA256

            f069d71cd63de8edf8b87144ddcd665cf6839f5ed6e1fc8d38e9269a3866b9d5

            SHA512

            6cc3fb8bd0392dcf39c0527c9bac6a00b183817f4baf492dc36fc7d9145ffa6179a7eefc74a128954e6bf80b2f7fb25928726f1eb0d592bb3e8f49513e47da88

            Download Submit

          • memory/432-19-0x000000001C550000-0x000000001C558000-memory.dmp

            Filesize

            32KB

            Download

          • memory/432-22-0x000000001C570000-0x000000001C582000-memory.dmp

            Filesize

            72KB

            Download

          • memory/432-3-0x000000001BB00000-0x000000001BB0E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/432-4-0x000000001BCB0000-0x000000001BCBE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/432-5-0x000000001BCC0000-0x000000001BCC8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/432-6-0x000000001BCD0000-0x000000001BCEC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/432-7-0x000000001C350000-0x000000001C3A0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/432-9-0x000000001C310000-0x000000001C320000-memory.dmp

            Filesize

            64KB

            Download

          • memory/432-8-0x000000001C300000-0x000000001C308000-memory.dmp

            Filesize

            32KB

            Download

          • memory/432-10-0x000000001C320000-0x000000001C336000-memory.dmp

            Filesize

            88KB

            Download

          • memory/432-11-0x000000001C340000-0x000000001C348000-memory.dmp

            Filesize

            32KB

            Download

          • memory/432-12-0x000000001C4C0000-0x000000001C4D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/432-13-0x000000001C4B0000-0x000000001C4BC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/432-14-0x000000001C4A0000-0x000000001C4A8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/432-15-0x000000001C4D0000-0x000000001C4E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/432-16-0x000000001C4E0000-0x000000001C4EA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/432-17-0x000000001C4F0000-0x000000001C546000-memory.dmp

            Filesize

            344KB

            Download

          • memory/432-18-0x000000001C540000-0x000000001C54C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/432-1-0x0000000000D30000-0x000000000109A000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/432-20-0x000000001C660000-0x000000001C66C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/432-21-0x000000001C560000-0x000000001C568000-memory.dmp

            Filesize

            32KB

            Download

          • memory/432-2-0x00007FFA53DD0000-0x00007FFA54891000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/432-23-0x000000001CBA0000-0x000000001D0C8000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/432-24-0x000000001C5A0000-0x000000001C5AC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/432-25-0x000000001C5B0000-0x000000001C5BC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/432-26-0x000000001C5C0000-0x000000001C5C8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/432-27-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/432-28-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/432-29-0x000000001C5F0000-0x000000001C5F8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/432-30-0x000000001C600000-0x000000001C60C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/432-31-0x000000001C610000-0x000000001C61A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/432-32-0x000000001C620000-0x000000001C62E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/432-34-0x000000001C640000-0x000000001C64E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/432-33-0x000000001C630000-0x000000001C638000-memory.dmp

            Filesize

            32KB

            Download

          • memory/432-35-0x000000001C650000-0x000000001C658000-memory.dmp

            Filesize

            32KB

            Download

          • memory/432-36-0x000000001C870000-0x000000001C87C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/432-37-0x000000001C880000-0x000000001C888000-memory.dmp

            Filesize

            32KB

            Download

          • memory/432-38-0x000000001C990000-0x000000001C99A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/432-39-0x000000001C890000-0x000000001C89C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/432-89-0x00007FFA53DD0000-0x00007FFA54891000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/432-0-0x00007FFA53DD3000-0x00007FFA53DD5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2220-113-0x000000001B910000-0x000000001B922000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2220-112-0x0000000003030000-0x0000000003042000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4380-90-0x000000001BE90000-0x000000001BEA2000-memory.dmp

            Filesize

            72KB

            Download