Analysis
max time kernel: 152s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-05-2024 20:58
Behavioral task: behavioral1
Sample: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe
Resource: win10v2004-20240226-en
General
Target: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe
Size: 3.7MB
MD5: 3aff466445051bd93a7ea3ae519587ef
SHA1: 516c1e9da912f6d988146fb812d88bdc7b30588a
SHA256: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e
SHA512: 3870bd70e038bb27035eec3eb8bd8f88c2bb720f59dd5283e2bc095f540e3ab4d6e991d7a601b4d809d8de7e7592d2010c41cf57b708ea2f42a5323353a8338f
SSDEEP: 49152:UbA30nPNSHQAjwNVYyHycT6JYRAwWPScqhWtkOTwol8FxMQFQnSMvTklif/:UbhwTNJytcqgtkzoEOSMvTwif/
Malware Config
Signatures
DcRat 13 IoCs
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
Processes:
  pid  | process
  1136 | schtasks.exe
  3388 | schtasks.exe
  3484 | schtasks.exe
  3920 | schtasks.exe
  1220 | schtasks.exe
  448  | schtasks.exe
  3436 | schtasks.exe
  4024 | schtasks.exe
  3332 | schtasks.exe
  836  | schtasks.exe
  4600 | schtasks.exe
  3220 | schtasks.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe
Modifies WinLogon for persistence 2 TTPs 4 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhostw.exe\"" | intobroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhostw.exe\", \"C:\\Program Files\\Microsoft Office\\msedge.exe\"" | intobroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhostw.exe\", \"C:\\Program Files\\Microsoft Office\\msedge.exe\", \"C:\\Windows\\SKB\\LanguageModels\\dllhost.exe\"" | intobroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhostw.exe\", \"C:\\Program Files\\Microsoft Office\\msedge.exe\", \"C:\\Windows\\SKB\\LanguageModels\\dllhost.exe\", \"C:\\Users\\All Users\\WaaSMedicAgent.exe\"" | intobroker.exe
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1136 | 2936 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4024 | 2936 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3436 | 2936 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3332 | 2936 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3388 | 2936 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 836 | 2936 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3484 | 2936 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4600 | 2936 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3220 | 2936 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3920 | 2936 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 448 | 2936 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1220 | 2936 | schtasks.exe
UAC bypass 6 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | intobroker.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | intobroker.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | intobroker.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Processes:
  resource | yara_rule
  C:\Bridgeserverintocommon\intobroker.exe | dcrat
  behavioral2/memory/1012-17-0x0000000000C10000-0x0000000000F78000-memory.dmp | dcrat
Detects executables packed with SmartAssembly 8 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/1012-24-0x000000001BB90000-0x000000001BBA0000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
  behavioral2/memory/1012-31-0x000000001C210000-0x000000001C21A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
  behavioral2/memory/1012-39-0x000000001C440000-0x000000001C44C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
  behavioral2/memory/1012-42-0x000000001C470000-0x000000001C47C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
  behavioral2/memory/1012-44-0x000000001C6A0000-0x000000001C6AC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
  behavioral2/memory/1012-45-0x000000001C6B0000-0x000000001C6BA000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
  behavioral2/memory/1012-50-0x000000001C700000-0x000000001C70C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
  behavioral2/memory/1012-52-0x000000001C820000-0x000000001C82A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | intobroker.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | dllhost.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | WScript.exe
Executes dropped EXE 2 IoCs
Processes:
  pid  | process
  1012 | intobroker.exe
  3528 | dllhost.exe
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Default User\\taskhostw.exe\"" | intobroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Default User\\taskhostw.exe\"" | intobroker.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Microsoft Office\\msedge.exe\"" | intobroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Microsoft Office\\msedge.exe\"" | intobroker.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SKB\\LanguageModels\\dllhost.exe\"" | intobroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SKB\\LanguageModels\\dllhost.exe\"" | intobroker.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Users\\All Users\\WaaSMedicAgent.exe\"" | intobroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Users\\All Users\\WaaSMedicAgent.exe\"" | intobroker.exe
Checks whether UAC is enabled 4 IoCs
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | intobroker.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | intobroker.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  48   | ipinfo.io
  49   | ipinfo.io
Drops file in Program Files directory 2 IoCs
Processes:
  description | ioc | process
  File created | C:\Program Files\Microsoft Office\msedge.exe | intobroker.exe
  File created | C:\Program Files\Microsoft Office\61a52ddc9dd915 | intobroker.exe
Drops file in Windows directory 2 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\SKB\LanguageModels\dllhost.exe | intobroker.exe
  File created | C:\Windows\SKB\LanguageModels\5940a34987c991 | intobroker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid  | process
  3332 | schtasks.exe
  4600 | schtasks.exe
  3220 | schtasks.exe
  3920 | schtasks.exe
  1136 | schtasks.exe
  4024 | schtasks.exe
  3436 | schtasks.exe
  448  | schtasks.exe
  1220 | schtasks.exe
  3388 | schtasks.exe
  836  | schtasks.exe
  3484 | schtasks.exe
Modifies registry class 3 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | dllhost.exe
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | intobroker.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid  | process
  1012 | intobroker.exe
  3528 | dllhost.exe
  (the 64 IoC rows are all repeats of these two pid/process pairs)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid  | process
  3528 | dllhost.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1012 | intobroker.exe
  Token: SeDebugPrivilege | 3528 | dllhost.exe
  Token: SeBackupPrivilege | 832 | vssvc.exe
  Token: SeRestorePrivilege | 832 | vssvc.exe
  Token: SeAuditPrivilege | 832 | vssvc.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
  description | pid | process | target process
  PID 4844 wrote to memory of 4712 | 4844 | 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe | WScript.exe (x3)
  PID 4844 wrote to memory of 2128 | 4844 | 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe | WScript.exe (x3)
  PID 4712 wrote to memory of 4112 | 4712 | WScript.exe | cmd.exe (x3)
  PID 4112 wrote to memory of 1012 | 4112 | cmd.exe | intobroker.exe (x2)
  PID 1012 wrote to memory of 4844 | 1012 | intobroker.exe | cmd.exe (x2)
  PID 4844 wrote to memory of 1076 | 4844 | cmd.exe | w32tm.exe (x2)
  PID 4844 wrote to memory of 3528 | 4844 | cmd.exe | dllhost.exe (x2)
  PID 3528 wrote to memory of 1956 | 3528 | dllhost.exe | WScript.exe (x2)
  PID 3528 wrote to memory of 4448 | 3528 | dllhost.exe | WScript.exe (x2)
  (identical rows collapsed; the multiplier gives the number of IoC rows in the original, 21 in total)
System policy modification 1 TTPs 6 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | intobroker.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | intobroker.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | intobroker.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process tree (indentation shows parent/child depth; each entry gives the image path, the command line, the signatures it triggered and its PID):

C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe
  "C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe"
  - DcRat
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4844
  C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4712
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat" "
      - Suspicious use of WriteProcessMemory
      PID:4112
      C:\Bridgeserverintocommon\intobroker.exe
        "C:\Bridgeserverintocommon\intobroker.exe"
        - Modifies WinLogon for persistence
        - UAC bypass
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:1012
        C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FYJQVhD8a8.bat"
          - Suspicious use of WriteProcessMemory
          PID:4844
          C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID:1076
          C:\Windows\SKB\LanguageModels\dllhost.exe
            "C:\Windows\SKB\LanguageModels\dllhost.exe"
            - UAC bypass
            - Checks computer location settings
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID:3528
            C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73e9bcbb-0c3a-45d0-92ab-0e2bc3fbb0fc.vbs"
              PID:1956
            C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f270df3-9232-4433-be85-6919e96bea0b.vbs"
              PID:4448
  C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\file.vbs"
    PID:2128

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1136

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:4024

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:3436

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\msedge.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:3332

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\msedge.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:3388

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\msedge.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:836

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\SKB\LanguageModels\dllhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:3484

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\dllhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:4600

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\dllhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:3220

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WaaSMedicAgent.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:3920

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\All Users\WaaSMedicAgent.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:448

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\WaaSMedicAgent.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3320 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  PID:3648

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:832

C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  PID:748
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Downloads

Filesize: 42B
MD5: 9005984f23c241ae6504691edad99db9
SHA1: 50ec3cca58fd37b1853bd144854fb0242019d2b9
SHA256: e4d707b17add26a6652c539cdb21c37fdad6e3ace7c81ecf2174e9822ec722de
SHA512: 183a00fb20157a7125673eada3c8fd6c7be9b15ce84ae92e4f82c8838f6a68f3c76d8a4e38022b29480007f9ff46020e7bd3f32fd1c2684c62978a0e24e3d1ff

Filesize: 227B
MD5: 8ad651de9eab5382f5aeb6e0a38e22bc
SHA1: c45b320fdec6e25ccacc31bdf3999a6fec82c9a0
SHA256: adc8a48ba4abcaba69bb11494239f5f36da9146e54d03d3ecbf30628b77bdf01
SHA512: 6fa241fb0c56d172dd72a1560329f573d10b2cf289aaa1e4a8e36e7a00c0f10e52fa566997654ef985f838b44b8230a5ca1215aacd1a2910ae25f0988519fb3a

Filesize: 34B
MD5: 677cc4360477c72cb0ce00406a949c61
SHA1: b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256: f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512: 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Filesize: 3.4MB
MD5: 34f09d31d624cddea4794d6b60fb342a
SHA1: 21dae839ec2ac251c1d80d51e32e5b0f7c9c208f
SHA256: fd3a3a73eaee67019836012fff9be8474388fe57f8fcf0fb60d0326acd9a9c8f
SHA512: e1f3c7e71a9921b6c2be32ace2ed8b809a81bfa5047034f4d3acf13386154bbda150c812def937542e01f7228b52cfe3fef1fe4446503f7a0048c852c7b2e873

Filesize: 493B
MD5: e9faf03e1737b1b4437a1534a274456e
SHA1: b8c5b8061adc0e33c24dc1f9805720168cf80348
SHA256: 0a26607d929362016eab130f3f6abae585293a52f19697acd945e355cede51d9
SHA512: 6aa752954c5ac864664d76a8184cb597b7097c87777f5e33d6dd6fe0daff7d7040dd3ec3ea1ae247222094249b6f872a71693f59cd7b37d5e866f5b8ae19cd08

Filesize: 717B
MD5: 23407a95b742c9f1ba704c067ca8ffa4
SHA1: 9c7d0273d80a33079ba78243c43c95ce19acdb2c
SHA256: 7fab4928d4f76868eacc6d6ff946e20550ab030af17448668e2762a5d6429268
SHA512: 497c3e3329edf9a6b7b60610e548f72acde3ef6a8d003c4c17c5773a8e5ee5b207ceaad3bd4f007855afc8f2dbdf1ecd2c448fa06767d6f8820d7eebad2ac235

Filesize: 206B
MD5: 32f81aea9006bea6cb1a5d126cf15787
SHA1: 1a82649f968deb656c39aeb6e93e4a125238cc70
SHA256: 6be00242e62c03251c336a9c76774e6c72b23cc8e1cf72e196bd894262b4d52e
SHA512: 357589860ed09c49fe4df8a874a22219dad012d89fe0b775f9f6e4ccd5628b2059a11549996791e9f4789264abb770f8ec0b3fbc11435fb76f422cb826c67627