dcrat | 0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
Size

4.0MB
MD5

aac697ab0d583fcc8641ce4365b1fea2
SHA1

57ada9976d56f577b18f005dcc369258d70259fc
SHA256

0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175
SHA512

cbe76916ecdf7d3afabde6459e4d3355db529a22f2fd834ade8e50b61eb62a8ef9f3ff46a7091108bc2f54b40d035f3a26605d1ed65b0e945b2fe7fe07c86071
SSDEEP

49152:XYIdUmmujCJIMTmrXMdgjexOXKIDNKKCEBiYvWmiAafeQT/v4QlSVfwRA/ld2MnV:IIav/IMTmzMdgN/xvW1A/QTY1KAwMZP

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2744	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2744	schtasks.exe	28

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2732-1-0x0000000001040000-0x0000000001442000-memory.dmp	dcrat
behavioral1/files/0x0006000000016d31-40.dat	dcrat
behavioral1/memory/584-58-0x0000000000380000-0x0000000000782000-memory.dmp	dcrat

Detects executables packed with SmartAssembly 5 IoCs

resource	yara_rule
behavioral1/memory/2732-13-0x0000000000EA0000-0x0000000000EAA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2732-20-0x000000001AED0000-0x000000001AEDC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2732-23-0x000000001AF40000-0x000000001AF4C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2732-25-0x000000001AF60000-0x000000001AF6C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2732-30-0x000000001AFF0000-0x000000001AFFA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Executes dropped EXE 1 IoCs

pid	Process
584	lsm.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\es-ES\c5b4cb5e9653cc	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\services.exe	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\c5b4cb5e9653cc	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\services.exe	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\56085415360792	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
File created	C:\Windows\Panther\setup.exe\dllhost.exe	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
File created	C:\Windows\Panther\setup.exe\5940a34987c991	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\wininit.exe	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2136	schtasks.exe
2008	schtasks.exe
2044	schtasks.exe
2936	schtasks.exe
624	schtasks.exe
1052	schtasks.exe
1020	schtasks.exe
2336	schtasks.exe
680	schtasks.exe
1680	schtasks.exe
2236	schtasks.exe
1256	schtasks.exe
2232	schtasks.exe
1932	schtasks.exe
1500	schtasks.exe
284	schtasks.exe
576	schtasks.exe
2748	schtasks.exe
2604	schtasks.exe
2468	schtasks.exe
2140	schtasks.exe
2220	schtasks.exe
2004	schtasks.exe
1964	schtasks.exe
2272	schtasks.exe
2968	schtasks.exe
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2732	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
2732	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
2732	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
2732	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
2732	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
2732	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
2732	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
2732	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
2732	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe
584	lsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
Token: SeDebugPrivilege	584	lsm.exe
Token: SeBackupPrivilege	2812	vssvc.exe
Token: SeRestorePrivilege	2812	vssvc.exe
Token: SeAuditPrivilege	2812	vssvc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 1720	2732	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe	56
PID 2732 wrote to memory of 1720	2732	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe	56
PID 2732 wrote to memory of 1720	2732	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe	56
PID 1720 wrote to memory of 2788	1720	cmd.exe	58
PID 1720 wrote to memory of 2788	1720	cmd.exe	58
PID 1720 wrote to memory of 2788	1720	cmd.exe	58
PID 1720 wrote to memory of 584	1720	cmd.exe	59
PID 1720 wrote to memory of 584	1720	cmd.exe	59
PID 1720 wrote to memory of 584	1720	cmd.exe	59

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe
"C:\Users\Admin\AppData\Local\Temp\0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hTBm4Zzp74.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2788
- - C:\Users\Public\lsm.exe
    "C:\Users\Public\lsm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d644601750" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175" /sc ONLOGON /tr "'C:\Users\Admin\Searches\0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d644601750" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Public\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\setup.exe\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\setup.exe\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hTBm4Zzp74.bat

Filesize
188B

MD5
7bfacbd73b2493df4594ba4a661e0256

SHA1
4fd813381c8bf956457f23b8c63ab8b897129b46

SHA256
ee0da9e31d85ed4749f9be2ceb9f26a00b5c8f648f7e2022d4d83e9e03ae2eeb

SHA512
c0a009bbd85e64783fed7940b91ef33b68192ce94e7555a1704103a01e591db48909a55df1201251a9012290760e2151ffca852bc2b0dd2f9669ba8f4b376eaf

Download Submit
C:\Users\Default\Downloads\wininit.exe

Filesize
4.0MB

MD5
aac697ab0d583fcc8641ce4365b1fea2

SHA1
57ada9976d56f577b18f005dcc369258d70259fc

SHA256
0cc4a5350887ecd6d55eed9b617d34c43f6579218545d522318f3e6d64460175

SHA512
cbe76916ecdf7d3afabde6459e4d3355db529a22f2fd834ade8e50b61eb62a8ef9f3ff46a7091108bc2f54b40d035f3a26605d1ed65b0e945b2fe7fe07c86071

Download Submit
memory/584-59-0x000000001B050000-0x000000001B0A6000-memory.dmp

Filesize
344KB

Download
memory/584-58-0x0000000000380000-0x0000000000782000-memory.dmp

Filesize
4.0MB

Download
memory/2732-18-0x0000000000EE0000-0x0000000000EF2000-memory.dmp

Filesize
72KB

Download
memory/2732-21-0x000000001AEE0000-0x000000001AEE8000-memory.dmp

Filesize
32KB

Download
memory/2732-6-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/2732-8-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/2732-7-0x0000000000CA0000-0x0000000000CB6000-memory.dmp

Filesize
88KB

Download
memory/2732-9-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

Filesize
72KB

Download
memory/2732-10-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/2732-11-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/2732-12-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/2732-13-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/2732-14-0x0000000000FF0000-0x0000000001046000-memory.dmp

Filesize
344KB

Download
memory/2732-15-0x0000000000EB0000-0x0000000000EBC000-memory.dmp

Filesize
48KB

Download
memory/2732-16-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

Filesize
48KB

Download
memory/2732-17-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

Filesize
32KB

Download
memory/2732-0-0x000007FEF59F3000-0x000007FEF59F4000-memory.dmp

Filesize
4KB

Download
memory/2732-19-0x000000001AEC0000-0x000000001AEC8000-memory.dmp

Filesize
32KB

Download
memory/2732-20-0x000000001AED0000-0x000000001AEDC000-memory.dmp

Filesize
48KB

Download
memory/2732-5-0x0000000000C80000-0x0000000000C9C000-memory.dmp

Filesize
112KB

Download
memory/2732-22-0x000000001AEF0000-0x000000001AF46000-memory.dmp

Filesize
344KB

Download
memory/2732-23-0x000000001AF40000-0x000000001AF4C000-memory.dmp

Filesize
48KB

Download
memory/2732-24-0x000000001AF50000-0x000000001AF58000-memory.dmp

Filesize
32KB

Download
memory/2732-25-0x000000001AF60000-0x000000001AF6C000-memory.dmp

Filesize
48KB

Download
memory/2732-26-0x000000001AF70000-0x000000001AF7E000-memory.dmp

Filesize
56KB

Download
memory/2732-27-0x000000001AF80000-0x000000001AF88000-memory.dmp

Filesize
32KB

Download
memory/2732-28-0x000000001AF90000-0x000000001AF98000-memory.dmp

Filesize
32KB

Download
memory/2732-29-0x000000001AFE0000-0x000000001AFE8000-memory.dmp

Filesize
32KB

Download
memory/2732-30-0x000000001AFF0000-0x000000001AFFA000-memory.dmp

Filesize
40KB

Download
memory/2732-31-0x000000001B000000-0x000000001B00C000-memory.dmp

Filesize
48KB

Download
memory/2732-4-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2732-54-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/2732-3-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/2732-2-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/2732-1-0x0000000001040000-0x0000000001442000-memory.dmp

Filesize
4.0MB

Download