dcrat | 689100d4db441ae245b7b6edc85cb739c15ab3a972653483c122ba174032b2db

Resubmissions

15/06/2024, 10:59

240615-m3p8es1hnj 10

Analysis

max time kernel
44s
max time network
51s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NeverCry.exe
Size

1.6MB
MD5

7d90121240d8da918d6370c81f6649f7
SHA1

d3e344ce25305e9168790f462698d9cbc90b23d3
SHA256

689100d4db441ae245b7b6edc85cb739c15ab3a972653483c122ba174032b2db
SHA512

d9675eba8aacf2d876400d9d4e22ae4f2af666ee1b72aa21a36b5f7e1518111ccf434e6a5cc08ae3f52fce4855b7baf90037614e358b2df392a2e20f3db9a319
SSDEEP

24576:P2G/nvxW3WY0eWu+KIrnB46Yz5R6jIdQX4FcixLckFcBtcuuGzdxX7p1W0ppwl+b:PbA3cnjB4xZi0NGtcuzdV7pLrA+GkeMB

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2460	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2460	schtasks.exe	33

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderDrivercommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ProviderDrivercommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ProviderDrivercommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000014e5a-9.dat	dcrat
behavioral1/memory/2840-13-0x0000000000CF0000-0x0000000000E48000-memory.dmp	dcrat
behavioral1/memory/2308-44-0x0000000000B30000-0x0000000000C88000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2840	ProviderDrivercommon.exe
2308	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2644	cmd.exe
2644	cmd.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ProviderDrivercommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderDrivercommon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\es-ES\sppsvc.exe	ProviderDrivercommon.exe
File created	C:\Program Files\DVD Maker\es-ES\0a1fd5f707cd16	ProviderDrivercommon.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\csrss.exe	ProviderDrivercommon.exe
File created	C:\Windows\Registration\CRMLog\886983d96e3d3e	ProviderDrivercommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1072	schtasks.exe
2380	schtasks.exe
2492	schtasks.exe
1432	schtasks.exe
2748	schtasks.exe
2788	schtasks.exe
1736	schtasks.exe
2536	schtasks.exe
1920	schtasks.exe
2008	schtasks.exe
1452	schtasks.exe
1032	schtasks.exe
2920	schtasks.exe
844	schtasks.exe
1296	schtasks.exe
2328	schtasks.exe
1436	schtasks.exe
1028	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2800	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2840	ProviderDrivercommon.exe
2840	ProviderDrivercommon.exe
2840	ProviderDrivercommon.exe
2840	ProviderDrivercommon.exe
2840	ProviderDrivercommon.exe
2308	wininit.exe
1300	chrome.exe
1300	chrome.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	ProviderDrivercommon.exe
Token: SeDebugPrivilege	2308	wininit.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe
Token: SeShutdownPrivilege	1300	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe
1300	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1708	xpsrchvw.exe
1708	xpsrchvw.exe
1708	xpsrchvw.exe
1708	xpsrchvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2156	2936	NeverCry.exe	28
PID 2936 wrote to memory of 2156	2936	NeverCry.exe	28
PID 2936 wrote to memory of 2156	2936	NeverCry.exe	28
PID 2936 wrote to memory of 2156	2936	NeverCry.exe	28
PID 2156 wrote to memory of 2644	2156	WScript.exe	30
PID 2156 wrote to memory of 2644	2156	WScript.exe	30
PID 2156 wrote to memory of 2644	2156	WScript.exe	30
PID 2156 wrote to memory of 2644	2156	WScript.exe	30
PID 2644 wrote to memory of 2840	2644	cmd.exe	32
PID 2644 wrote to memory of 2840	2644	cmd.exe	32
PID 2644 wrote to memory of 2840	2644	cmd.exe	32
PID 2644 wrote to memory of 2840	2644	cmd.exe	32
PID 2840 wrote to memory of 2132	2840	ProviderDrivercommon.exe	52
PID 2840 wrote to memory of 2132	2840	ProviderDrivercommon.exe	52
PID 2840 wrote to memory of 2132	2840	ProviderDrivercommon.exe	52
PID 2132 wrote to memory of 2128	2132	cmd.exe	54
PID 2132 wrote to memory of 2128	2132	cmd.exe	54
PID 2132 wrote to memory of 2128	2132	cmd.exe	54
PID 2644 wrote to memory of 2800	2644	cmd.exe	55
PID 2644 wrote to memory of 2800	2644	cmd.exe	55
PID 2644 wrote to memory of 2800	2644	cmd.exe	55
PID 2644 wrote to memory of 2800	2644	cmd.exe	55
PID 2132 wrote to memory of 2308	2132	cmd.exe	56
PID 2132 wrote to memory of 2308	2132	cmd.exe	56
PID 2132 wrote to memory of 2308	2132	cmd.exe	56
PID 1300 wrote to memory of 1500	1300	chrome.exe	58
PID 1300 wrote to memory of 1500	1300	chrome.exe	58
PID 1300 wrote to memory of 1500	1300	chrome.exe	58
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59
PID 1300 wrote to memory of 292	1300	chrome.exe	59

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ProviderDrivercommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ProviderDrivercommon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ProviderDrivercommon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NeverCry.exe
"C:\Users\Admin\AppData\Local\Temp\NeverCry.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\bridgeCrtSvc\bu6kJS9oJYsl2T.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\bridgeCrtSvc\GTiPrhC1SOxhlaDLKOjzQ7laPK17.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\bridgeCrtSvc\ProviderDrivercommon.exe
      "C:\bridgeCrtSvc\ProviderDrivercommon.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2840
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3YETYeAKgW.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2132
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2128
      - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2308
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2800

C:\Windows\System32\xpsrchvw.exe
"C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\WriteExport.xps"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "xpsrchvwx" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\xpsrchvw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "xpsrchvw" /sc ONLOGON /tr "'C:\Users\Admin\Music\xpsrchvw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "xpsrchvwx" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Music\xpsrchvw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\es-ES\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6919758,0x7fef6919768,0x7fef6919778
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1376,i,8024051047015227939,6010061973717468502,131072 /prefetch:2
  2⤵
  PID:292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1376,i,8024051047015227939,6010061973717468502,131072 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1376,i,8024051047015227939,6010061973717468502,131072 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2160 --field-trial-handle=1376,i,8024051047015227939,6010061973717468502,131072 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2180 --field-trial-handle=1376,i,8024051047015227939,6010061973717468502,131072 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1484 --field-trial-handle=1376,i,8024051047015227939,6010061973717468502,131072 /prefetch:2
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1428 --field-trial-handle=1376,i,8024051047015227939,6010061973717468502,131072 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3424 --field-trial-handle=1376,i,8024051047015227939,6010061973717468502,131072 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3552 --field-trial-handle=1376,i,8024051047015227939,6010061973717468502,131072 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 --field-trial-handle=1376,i,8024051047015227939,6010061973717468502,131072 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2704
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fc37688,0x13fc37698,0x13fc376a8
    3⤵
    PID:1976

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YETYeAKgW.bat

Filesize
239B

MD5
cb8906e048291ac11993ece3ed24392f

SHA1
52f225c156346a86db0afc13281532ab270e4e1a

SHA256
ecfe3a7734d7faae0a8e70b65256b8e5fabc554a918f7485502497046657bebf

SHA512
045996bce69fd9cdf192606381201f65f0b7a6bd1c62586fe33d20314a33620b2443a8a31d0ebc8c607c23b8e917e29b1a4f9d0df0e350b558f0e53a44291cf7

Download Submit
C:\bridgeCrtSvc\GTiPrhC1SOxhlaDLKOjzQ7laPK17.bat

Filesize
154B

MD5
8f6eddc9e68bb024acc01c2a7c37dad9

SHA1
c9ae400b119f35f83f300cff443d93264b4bb690

SHA256
d95e79a6458989d2ab852e27afd0b2f59150e3fc84d088d8cbb7ab5830ff7e92

SHA512
7b3db4ffb023c50e0357387b71031c68e5dfa50dfbbb21c71722678f00a87cbd8ecaa2713eb888fd480caa2b8cf9d86732ecc24a0c477e5705dd2ea90f236a4b

Download Submit
C:\bridgeCrtSvc\bu6kJS9oJYsl2T.vbe

Filesize
217B

MD5
5319b8577089dc9ecb3447b40ba0cc74

SHA1
7d1ac12cd64ac34823d1241398a280d508a58f3d

SHA256
773dda731c426cb77049507f2510feb8089ceff036855cc3c45a20a6bb4d14e1

SHA512
43abcd455730491a9ea9d4669d00eb881b5a3d4378d60baa2eb4b997ce12e7df9c18bc22835cb34846b5b80d8e892cbdda884188ff97a88a3b3536c8b5cbd205

Download Submit
\bridgeCrtSvc\ProviderDrivercommon.exe

Filesize
1.3MB

MD5
7c4388597e78e4d04ab3e4ec7f807b28

SHA1
b11da9555e2e46c8208f0f29d46fb77c98854304

SHA256
18ce4b699fa9cb509c3332d5303fe146551938c502f1c32158efaa04121d54af

SHA512
73fedc015eb64426664b673e16b01d8a6d29c8b5e71439fb2d88f0876ea52d4a59e6e54145cc6e070ebc6dcfa0b400dfb07d8ade9d40a9351b5cdcf6dcfc9451

Download Submit
memory/2308-45-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2308-44-0x0000000000B30000-0x0000000000C88000-memory.dmp

Filesize
1.3MB

Download
memory/2840-15-0x0000000000370000-0x0000000000386000-memory.dmp

Filesize
88KB

Download
memory/2840-21-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/2840-22-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2840-23-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/2840-24-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/2840-20-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2840-19-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2840-18-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2840-17-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2840-16-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/2840-14-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/2840-13-0x0000000000CF0000-0x0000000000E48000-memory.dmp

Filesize
1.3MB

Download