Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 16-05-2024 04:11
Behavioral task behavioral1
- Sample: 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
- Size: 2.0MB
- MD5: 950cc10960e45f6ca5de7fc895d0ca20
- SHA1: 86142fec987343c924e41ce017ea54f273e957e3
- SHA256: 0fd03b00a1060de7edd34a33ef0bb0c4e0d8be7c04af641a3266863279c2f327
- SHA512: 365bf7c7c2515c5ee75175f0c794ed0be4d35af8f6462ce4074027720b50fa6882122de7df772a3e1b9c673a2790d93f3a6474ab80c533c7cd97c3f3e6efa842
- SSDEEP: 24576:0n2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:iaTUv0jmtEttc
Malware Config
Signatures
-
DcRat (21 IoCs)
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: schtasks.exe with PIDs 1244, 2408, 1784, 2636, 2432, 2276, 2496, 2896, 2760, 352, 1540, 2664, 2468, 2488, 1520, 2752, 2112, 2500, 2584, 2520, 1844
Modifies WinLogon for persistence (2 TTPs, 7 IoCs)
Processes (all values set by 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Users\\Default\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files\\MSBuild\\sppsvc.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Users\\Default\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files\\MSBuild\\sppsvc.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\lsass.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Users\\Default\\taskhost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Users\\Default\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Users\\Default\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\""
Process spawned unexpected child process (21 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: parent C:\Windows\system32\wbem\wmiprvse.exe (PID 1016) is not expected to spawn this process; the unexpected child is schtasks.exe with PIDs 2636, 2664, 2584, 2468, 2520, 2752, 2488, 2432, 2496, 2896, 2276, 1244, 2112, 2408, 2500, 2760, 352, 1784, 1540, 1520, 1844
Processes (resource: yara rule):
- behavioral1/memory/1700-1-0x00000000013E0000-0x00000000015EC000-memory.dmp: dcrat
- C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe: dcrat
- C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe: dcrat
- behavioral1/memory/1640-113-0x0000000000B00000-0x0000000000D0C000-memory.dmp: dcrat
Executes dropped EXE (1 IoC)
Processes: 1640 sppsvc.exe
Adds Run key to start application (2 TTPs, 12 IoCs)
Processes (all values set by 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe):
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\MSBuild\\sppsvc.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default\\taskhost.exe\""
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\lsass.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\lsass.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default\\taskhost.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\MSBuild\\sppsvc.exe\""
Drops file in Program Files directory (5 IoCs)
Processes (all by 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe):
- File opened for modification C:\Program Files\MSBuild\RCX29F9.tmp
- File opened for modification C:\Program Files\MSBuild\sppsvc.exe
- File created C:\Program Files\MSBuild\sppsvc.exe
- File created C:\Program Files\MSBuild\0a1fd5f707cd16
- File opened for modification C:\Program Files\MSBuild\RCX29F8.tmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 21 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe with PIDs 2584, 1244, 2112, 1784, 2896, 2760, 352, 1540, 2636, 2664, 2520, 2432, 1520, 2496, 2408, 2500, 1844, 2468, 2752, 2488, 2276
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: 1700 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe (recorded 5 times), 1640 sppsvc.exe (recorded once)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 1700 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
- Token: SeDebugPrivilege, PID 1640 sppsvc.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: PID 1700 (950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe) wrote to memory of PID 1640 (sppsvc.exe), recorded 5 times
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe"
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1700
  Level 2: C:\Program Files\MSBuild\sppsvc.exe
  Command line: "C:\Program Files\MSBuild\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1640
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2636
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2664
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2584
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2468
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2520
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2752
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\taskhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2488
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2432
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2496
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2896
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2276
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1244
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2112
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2408
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2500
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2760
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 352
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1784
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1540
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1520
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1844
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads
- Filesize: 2.0MB
  MD5: 022c41189d20c106d944f8443b0c3af0
  SHA1: 398c7125b5fe3c4fe797f60b110e09b80f7f400e
  SHA256: 2041e5eb4dea7d80ac46456c14409b8928705527b34a631db0da47e94ad80b96
  SHA512: 4678aca97fa9b9cf59ad64ae55ad6d6a1c967a0f9179ac07f1a73e1292cd47ed6a4078619a0217419087826cf6cc476c9d48f459054b2ac3b67ada2b139d62df