dcrat | 76a54ee4f1e1db1cf0f31c2a49c986c0ec18bce4e5c6260c3ace4553be58539f

General

Target

ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe
Size

1.7MB
MD5

ad6ef12cf7a949c7c81031cf356e7ba0
SHA1

749214f44093844f23cae9745564181fe8f76e48
SHA256

76a54ee4f1e1db1cf0f31c2a49c986c0ec18bce4e5c6260c3ace4553be58539f
SHA512

cf596585f323525947bc171cb086fc8f3c5378f757d3898fff85a513f8a7befa5c2516827cc7835263b3898b3cfc3789a0dfb5e8b1a5c6cfb3fb1f5ec9a1d437
SSDEEP

24576:X2G/nvxW3WL3pNa6DARahVL3Ly+kl7FOONSUzzX+DkChIxy6e97mUPlxtKeG:XbA3ipNa8ARAxHe4k7g6e97mml2

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2548	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2548	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\MsproviderbrowserWinsaves\Surrogatebrowsercommon.exe	dcrat
behavioral1/memory/2796-13-0x0000000000DB0000-0x0000000000EE2000-memory.dmp	dcrat
behavioral1/memory/1996-61-0x0000000000BB0000-0x0000000000CE2000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

Surrogatebrowsercommon.execsrss.exe

pid process

2796 Surrogatebrowsercommon.exe
1996 csrss.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2736 cmd.exe
2736 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2736	cmd.exe
2736	cmd.exe

Drops file in Program Files directory 20 IoCs

Processes:

Surrogatebrowsercommon.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6203df4a6bafc7	Surrogatebrowsercommon.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\dwm.exe	Surrogatebrowsercommon.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\6cb0b6c459d5d3	Surrogatebrowsercommon.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	Surrogatebrowsercommon.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\lsass.exe	Surrogatebrowsercommon.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\c5b4cb5e9653cc	Surrogatebrowsercommon.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe	Surrogatebrowsercommon.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe	Surrogatebrowsercommon.exe
File created	C:\Program Files\Windows Defender\it-IT\conhost.exe	Surrogatebrowsercommon.exe
File created	C:\Program Files\Windows Defender\it-IT\088424020bedd6	Surrogatebrowsercommon.exe
File created	C:\Program Files (x86)\Microsoft.NET\csrss.exe	Surrogatebrowsercommon.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\b75386f1303e64	Surrogatebrowsercommon.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\services.exe	Surrogatebrowsercommon.exe
File created	C:\Program Files\DVD Maker\es-ES\6cb0b6c459d5d3	Surrogatebrowsercommon.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	Surrogatebrowsercommon.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\69ddcba757bf72	Surrogatebrowsercommon.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\6cb0b6c459d5d3	Surrogatebrowsercommon.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\dwm.exe	Surrogatebrowsercommon.exe
File created	C:\Program Files\DVD Maker\es-ES\dwm.exe	Surrogatebrowsercommon.exe
File created	C:\Program Files (x86)\Microsoft.NET\886983d96e3d3e	Surrogatebrowsercommon.exe

Drops file in Windows directory 2 IoCs

Processes:

Surrogatebrowsercommon.exe

description	ioc	process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\explorer.exe	Surrogatebrowsercommon.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\7a0fd90576e088	Surrogatebrowsercommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
288	schtasks.exe
1460	schtasks.exe
1200	schtasks.exe
1360	schtasks.exe
2404	schtasks.exe
2388	schtasks.exe
1880	schtasks.exe
2848	schtasks.exe
588	schtasks.exe
1752	schtasks.exe
884	schtasks.exe
2464	schtasks.exe
1600	schtasks.exe
1936	schtasks.exe
2556	schtasks.exe
576	schtasks.exe
1644	schtasks.exe
1908	schtasks.exe
2220	schtasks.exe
760	schtasks.exe
1960	schtasks.exe
2392	schtasks.exe
656	schtasks.exe
1816	schtasks.exe
1040	schtasks.exe
2976	schtasks.exe
808	schtasks.exe
2504	schtasks.exe
1784	schtasks.exe
2356	schtasks.exe
3004	schtasks.exe
2940	schtasks.exe
2772	schtasks.exe
1576	schtasks.exe
2104	schtasks.exe
608	schtasks.exe
908	schtasks.exe
2612	schtasks.exe
324	schtasks.exe
1828	schtasks.exe
2040	schtasks.exe
1592	schtasks.exe
2364	schtasks.exe
1552	schtasks.exe
1076	schtasks.exe
2288	schtasks.exe
2812	schtasks.exe
484	schtasks.exe
2792	schtasks.exe
1468	schtasks.exe
1428	schtasks.exe
2052	schtasks.exe
948	schtasks.exe
2236	schtasks.exe
2904	schtasks.exe
1876	schtasks.exe
2260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Surrogatebrowsercommon.execsrss.exe

pid	process
2796	Surrogatebrowsercommon.exe
2796	Surrogatebrowsercommon.exe
2796	Surrogatebrowsercommon.exe
1996	csrss.exe
1996	csrss.exe
1996	csrss.exe
1996	csrss.exe
1996	csrss.exe
1996	csrss.exe
1996	csrss.exe
1996	csrss.exe
1996	csrss.exe
1996	csrss.exe
1996	csrss.exe
1996	csrss.exe
1996	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid process

1996 csrss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Surrogatebrowsercommon.execsrss.exe

description pid process

Token: SeDebugPrivilege 2796 Surrogatebrowsercommon.exe
Token: SeDebugPrivilege 1996 csrss.exe

pid	process
1996	csrss.exe

description	pid	process
Token: SeDebugPrivilege	2796	Surrogatebrowsercommon.exe
Token: SeDebugPrivilege	1996	csrss.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exeWScript.execmd.exeSurrogatebrowsercommon.exe

description	pid	process	target process
PID 1712 wrote to memory of 1148	1712	ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe	WScript.exe
PID 1712 wrote to memory of 1148	1712	ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe	WScript.exe
PID 1712 wrote to memory of 1148	1712	ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe	WScript.exe
PID 1712 wrote to memory of 1148	1712	ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe	WScript.exe
PID 1148 wrote to memory of 2736	1148	WScript.exe	cmd.exe
PID 1148 wrote to memory of 2736	1148	WScript.exe	cmd.exe
PID 1148 wrote to memory of 2736	1148	WScript.exe	cmd.exe
PID 1148 wrote to memory of 2736	1148	WScript.exe	cmd.exe
PID 2736 wrote to memory of 2796	2736	cmd.exe	Surrogatebrowsercommon.exe
PID 2736 wrote to memory of 2796	2736	cmd.exe	Surrogatebrowsercommon.exe
PID 2736 wrote to memory of 2796	2736	cmd.exe	Surrogatebrowsercommon.exe
PID 2736 wrote to memory of 2796	2736	cmd.exe	Surrogatebrowsercommon.exe
PID 2796 wrote to memory of 1996	2796	Surrogatebrowsercommon.exe	csrss.exe
PID 2796 wrote to memory of 1996	2796	Surrogatebrowsercommon.exe	csrss.exe
PID 2796 wrote to memory of 1996	2796	Surrogatebrowsercommon.exe	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\MsproviderbrowserWinsaves\VryQRplJMzsaH3y.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\MsproviderbrowserWinsaves\RiZf3vztvgEONjpLmWUxXjcW5RE.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736

C:\MsproviderbrowserWinsaves\Surrogatebrowsercommon.exe
"C:\MsproviderbrowserWinsaves\Surrogatebrowsercommon.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796

C:\Program Files (x86)\Microsoft.NET\csrss.exe
"C:\Program Files (x86)\Microsoft.NET\csrss.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\it-IT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MsproviderbrowserWinsaves\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MsproviderbrowserWinsaves\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MsproviderbrowserWinsaves\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MsproviderbrowserWinsaves\RiZf3vztvgEONjpLmWUxXjcW5RE.bat
Filesize
57B

MD5
05b28af400b64005b9c11137d62947f9

SHA1
e6fa4a6992de2fbd18881ccb51d2c8d4e5194e24

SHA256
d012c9842afe9c529e3de253b7e9e6794fea7ebac1c43058885892d907d4cd43

SHA512
74f82ba15f23881f05a752ece48f6e7b5f7723ad0a270c9b14e1adefb650605d10f9039979cf47190b731d0bb24c7a4b815964b066263cee695c3b62b336452b

Download Submit
C:\MsproviderbrowserWinsaves\VryQRplJMzsaH3y.vbe
Filesize
229B

MD5
2dc9d82d3023616c78492a10ea81aaa5

SHA1
58b34007cd5850dc1c4829fea011fb2b3648d3f7

SHA256
55cc74634296b7692eb7ae2df4f0e760a61d803ade7bddd66fa5c035821d0cd9

SHA512
e08160d0c653184f250c95ad5ba6d04040b545a3e92131bf73dc52c5eb4a20d92624f1a6ce2c38a91088502ced75fef67fdc5c62800b2ff5b5b5e6002601ce14

Download Submit
\MsproviderbrowserWinsaves\Surrogatebrowsercommon.exe
Filesize
1.2MB

MD5
a75639b5e75feaf62b23e393afa8304b

SHA1
c62b0f325d84333f9a00ced7b22edb201953163b

SHA256
31c7ae9bf5e9886f8a24ae125fa48b08894eac62fc1e833f4e7f1fd5cc7bfb22

SHA512
2eaa91bff70326fcb7fc28e9132aa710fb067a6a24c5665971c990bb7ec8d59b0bf78d59330e94c1f4f3713e6bef936515e4141f435988cf4c54c550f70de208

Download Submit
memory/1996-61-0x0000000000BB0000-0x0000000000CE2000-memory.dmp

Filesize
1.2MB

Download
memory/2796-13-0x0000000000DB0000-0x0000000000EE2000-memory.dmp

Filesize
1.2MB

Download
memory/2796-14-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2796-15-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/2796-16-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads