dcrat | 76a54ee4f1e1db1cf0f31c2a49c986c0ec18bce4e5c6260c3ace4553be58539f

General

Target

ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe
Size

1.7MB
MD5

ad6ef12cf7a949c7c81031cf356e7ba0
SHA1

749214f44093844f23cae9745564181fe8f76e48
SHA256

76a54ee4f1e1db1cf0f31c2a49c986c0ec18bce4e5c6260c3ace4553be58539f
SHA512

cf596585f323525947bc171cb086fc8f3c5378f757d3898fff85a513f8a7befa5c2516827cc7835263b3898b3cfc3789a0dfb5e8b1a5c6cfb3fb1f5ec9a1d437
SSDEEP

24576:X2G/nvxW3WL3pNa6DARahVL3Ly+kl7FOONSUzzX+DkChIxy6e97mUPlxtKeG:XbA3ipNa8ARAxHe4k7g6e97mml2

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5788	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5660	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5768	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5744	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5772	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5748	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5296	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5332	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5720	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5676	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5156	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6044	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5560	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	4120	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\MsproviderbrowserWinsaves\Surrogatebrowsercommon.exe	dcrat
behavioral2/memory/4952-13-0x00000000001E0000-0x0000000000312000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Surrogatebrowsercommon.exead6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Surrogatebrowsercommon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

Surrogatebrowsercommon.execonhost.exe

pid process

4952 Surrogatebrowsercommon.exe
5840 conhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 7 IoCs

Processes:

Surrogatebrowsercommon.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\9e8d7a4ca61bd9	Surrogatebrowsercommon.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Addons\OfficeClickToRun.exe	Surrogatebrowsercommon.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OfficeClickToRun.exe	Surrogatebrowsercommon.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Addons\e6c9b481da804f	Surrogatebrowsercommon.exe
File created	C:\Program Files\dotnet\swidtag\Registry.exe	Surrogatebrowsercommon.exe
File created	C:\Program Files\dotnet\swidtag\ee2ad38f3d4382	Surrogatebrowsercommon.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\RuntimeBroker.exe	Surrogatebrowsercommon.exe

Drops file in Windows directory 4 IoCs

Processes:

Surrogatebrowsercommon.exe

description	ioc	process
File created	C:\Windows\Migration\WTR\upfc.exe	Surrogatebrowsercommon.exe
File created	C:\Windows\Migration\WTR\ea1d8f6d871115	Surrogatebrowsercommon.exe
File created	C:\Windows\SchCache\Surrogatebrowsercommon.exe	Surrogatebrowsercommon.exe
File created	C:\Windows\SchCache\83019df36d0fbe	Surrogatebrowsercommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5748	schtasks.exe
516	schtasks.exe
5296	schtasks.exe
1632	schtasks.exe
3976	schtasks.exe
3844	schtasks.exe
6044	schtasks.exe
5768	schtasks.exe
3408	schtasks.exe
5040	schtasks.exe
4332	schtasks.exe
1664	schtasks.exe
4524	schtasks.exe
5720	schtasks.exe
452	schtasks.exe
3388	schtasks.exe
5156	schtasks.exe
748	schtasks.exe
1400	schtasks.exe
3380	schtasks.exe
3880	schtasks.exe
1436	schtasks.exe
4908	schtasks.exe
5788	schtasks.exe
5332	schtasks.exe
2308	schtasks.exe
1216	schtasks.exe
3396	schtasks.exe
5660	schtasks.exe
2804	schtasks.exe
5772	schtasks.exe
5676	schtasks.exe
5084	schtasks.exe
3132	schtasks.exe
3752	schtasks.exe
1492	schtasks.exe
5560	schtasks.exe
5744	schtasks.exe
2828	schtasks.exe

Modifies registry class 2 IoCs

Processes:

ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exeSurrogatebrowsercommon.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	Surrogatebrowsercommon.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

Surrogatebrowsercommon.execonhost.exe

pid	process
4952	Surrogatebrowsercommon.exe
4952	Surrogatebrowsercommon.exe
4952	Surrogatebrowsercommon.exe
4952	Surrogatebrowsercommon.exe
4952	Surrogatebrowsercommon.exe
4952	Surrogatebrowsercommon.exe
4952	Surrogatebrowsercommon.exe
4952	Surrogatebrowsercommon.exe
4952	Surrogatebrowsercommon.exe
4952	Surrogatebrowsercommon.exe
4952	Surrogatebrowsercommon.exe
5840	conhost.exe
5840	conhost.exe
5840	conhost.exe
5840	conhost.exe
5840	conhost.exe
5840	conhost.exe
5840	conhost.exe
5840	conhost.exe
5840	conhost.exe
5840	conhost.exe
5840	conhost.exe
5840	conhost.exe
5840	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

conhost.exe

pid process

5840 conhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Surrogatebrowsercommon.execonhost.exe

description pid process

Token: SeDebugPrivilege 4952 Surrogatebrowsercommon.exe
Token: SeDebugPrivilege 5840 conhost.exe

pid	process
5840	conhost.exe

description	pid	process
Token: SeDebugPrivilege	4952	Surrogatebrowsercommon.exe
Token: SeDebugPrivilege	5840	conhost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exeWScript.execmd.exeSurrogatebrowsercommon.execmd.exe

description	pid	process	target process
PID 2072 wrote to memory of 2448	2072	ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe	WScript.exe
PID 2072 wrote to memory of 2448	2072	ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe	WScript.exe
PID 2072 wrote to memory of 2448	2072	ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe	WScript.exe
PID 2448 wrote to memory of 456	2448	WScript.exe	cmd.exe
PID 2448 wrote to memory of 456	2448	WScript.exe	cmd.exe
PID 2448 wrote to memory of 456	2448	WScript.exe	cmd.exe
PID 456 wrote to memory of 4952	456	cmd.exe	Surrogatebrowsercommon.exe
PID 456 wrote to memory of 4952	456	cmd.exe	Surrogatebrowsercommon.exe
PID 4952 wrote to memory of 972	4952	Surrogatebrowsercommon.exe	cmd.exe
PID 4952 wrote to memory of 972	4952	Surrogatebrowsercommon.exe	cmd.exe
PID 972 wrote to memory of 3208	972	cmd.exe	w32tm.exe
PID 972 wrote to memory of 3208	972	cmd.exe	w32tm.exe
PID 972 wrote to memory of 5840	972	cmd.exe	conhost.exe
PID 972 wrote to memory of 5840	972	cmd.exe	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ad6ef12cf7a949c7c81031cf356e7ba0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\MsproviderbrowserWinsaves\VryQRplJMzsaH3y.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\MsproviderbrowserWinsaves\RiZf3vztvgEONjpLmWUxXjcW5RE.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:456

C:\MsproviderbrowserWinsaves\Surrogatebrowsercommon.exe
"C:\MsproviderbrowserWinsaves\Surrogatebrowsercommon.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CNLJStqM9K.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:3208

C:\Recovery\WindowsRE\conhost.exe
"C:\Recovery\WindowsRE\conhost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\MsproviderbrowserWinsaves\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\MsproviderbrowserWinsaves\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\MsproviderbrowserWinsaves\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\swidtag\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\swidtag\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\PrintHood\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogatebrowsercommonS" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\Surrogatebrowsercommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Surrogatebrowsercommon" /sc ONLOGON /tr "'C:\Windows\SchCache\Surrogatebrowsercommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogatebrowsercommonS" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\Surrogatebrowsercommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MsproviderbrowserWinsaves\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MsproviderbrowserWinsaves\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MsproviderbrowserWinsaves\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MsproviderbrowserWinsaves\RiZf3vztvgEONjpLmWUxXjcW5RE.bat
Filesize
57B

MD5
05b28af400b64005b9c11137d62947f9

SHA1
e6fa4a6992de2fbd18881ccb51d2c8d4e5194e24

SHA256
d012c9842afe9c529e3de253b7e9e6794fea7ebac1c43058885892d907d4cd43

SHA512
74f82ba15f23881f05a752ece48f6e7b5f7723ad0a270c9b14e1adefb650605d10f9039979cf47190b731d0bb24c7a4b815964b066263cee695c3b62b336452b

Download Submit
C:\MsproviderbrowserWinsaves\Surrogatebrowsercommon.exe
Filesize
1.2MB

MD5
a75639b5e75feaf62b23e393afa8304b

SHA1
c62b0f325d84333f9a00ced7b22edb201953163b

SHA256
31c7ae9bf5e9886f8a24ae125fa48b08894eac62fc1e833f4e7f1fd5cc7bfb22

SHA512
2eaa91bff70326fcb7fc28e9132aa710fb067a6a24c5665971c990bb7ec8d59b0bf78d59330e94c1f4f3713e6bef936515e4141f435988cf4c54c550f70de208

Download Submit
C:\MsproviderbrowserWinsaves\VryQRplJMzsaH3y.vbe
Filesize
229B

MD5
2dc9d82d3023616c78492a10ea81aaa5

SHA1
58b34007cd5850dc1c4829fea011fb2b3648d3f7

SHA256
55cc74634296b7692eb7ae2df4f0e760a61d803ade7bddd66fa5c035821d0cd9

SHA512
e08160d0c653184f250c95ad5ba6d04040b545a3e92131bf73dc52c5eb4a20d92624f1a6ce2c38a91088502ced75fef67fdc5c62800b2ff5b5b5e6002601ce14

Download Submit
C:\Users\Admin\AppData\Local\Temp\CNLJStqM9K.bat
Filesize
198B

MD5
46a39f85c753e64b815dae40b5c292ae

SHA1
7b8636b2c9dfcfb38f2d6f95bac50c393c07bc8f

SHA256
aa2191e1043cda3b6e1c021d201f1b79f0e9a96e0d323caf786e542ac33918da

SHA512
10bc07e3b0cc5c76d03dfc39f8ac5f7a38139bb79b44b41664fbe9ab2be58ce9f472dda74e0c2f458f8e7393eddb5a2cf5877c95ca4bd5c96bd3dc26ad5ae37c

Download Submit
memory/4952-12-0x00007FFF325C3000-0x00007FFF325C5000-memory.dmp

Filesize
8KB

Download
memory/4952-13-0x00000000001E0000-0x0000000000312000-memory.dmp

Filesize
1.2MB

Download
memory/4952-14-0x0000000002520000-0x000000000253C000-memory.dmp

Filesize
112KB

Download
memory/4952-15-0x000000001B500000-0x000000001B550000-memory.dmp

Filesize
320KB

Download
memory/4952-16-0x000000001AE60000-0x000000001AE76000-memory.dmp

Filesize
88KB

Download
memory/4952-17-0x00000000023E0000-0x00000000023EC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads