dcrat | 06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1

Analysis

max time kernel
135s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bdf60ce1391ccc1a829a41c8b531dd5.exe
Size

46.0MB
MD5

2bdf60ce1391ccc1a829a41c8b531dd5
SHA1

8fecb37b06dd016f820cbc55c1446aa34666bf12
SHA256

06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1
SHA512

0091fc481589bb93b2c4352b600220691cd7f0e0ae7979d6cdf4c529db97613d40cf693b01e3b119bc69a3414ba3f700561ee2364474f48a80f2c9763f357359
SSDEEP

24576:f5r3oaR/k4XDG/BcoNWmt2G/nvxW3Ww0tXegr2pdxgLHw8dQefBkrzCL7:dmtbA30XeY6o/QAU+L

Score

10^/10

dcrat umbral infostealer rat stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral2/memory/1820-1-0x0000000000400000-0x0000000000562000-memory.dmp	family_umbral
behavioral2/files/0x0008000000023268-13.dat	family_umbral
behavioral2/memory/3712-27-0x000002B462D20000-0x000002B462D60000-memory.dmp	family_umbral
behavioral2/memory/1820-30-0x0000000000400000-0x0000000000562000-memory.dmp	family_umbral

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	3148	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	3148	schtasks.exe	93

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1820-1-0x0000000000400000-0x0000000000562000-memory.dmp	dcrat
behavioral2/files/0x0008000000023269-25.dat	dcrat
behavioral2/memory/1820-30-0x0000000000400000-0x0000000000562000-memory.dmp	dcrat
behavioral2/files/0x0008000000023273-45.dat	dcrat
behavioral2/memory/4596-47-0x0000000000720000-0x00000000007F6000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	8XChecker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	bridgefont.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2bdf60ce1391ccc1a829a41c8b531dd5.exe

Executes dropped EXE 5 IoCs

pid	Process
884	X8Checker 2.6.exe
3712	Umbral.exe
452	8XChecker.exe
4596	bridgefont.exe
1500	services.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\886983d96e3d3e	bridgefont.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\Umbral.exe	bridgefont.exe
File created	C:\Program Files\Windows Media Player\Visualizations\dllhost.exe	bridgefont.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\dllhost.exe	bridgefont.exe
File created	C:\Program Files\Windows Media Player\Visualizations\5940a34987c991	bridgefont.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe	bridgefont.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\sihost.exe	bridgefont.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\66fc9ff0ee96c2	bridgefont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	8XChecker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1160	schtasks.exe
1124	schtasks.exe
4032	schtasks.exe
1616	schtasks.exe
972	schtasks.exe
4200	schtasks.exe
948	schtasks.exe
916	schtasks.exe
1812	schtasks.exe
2852	schtasks.exe
2892	schtasks.exe
2876	schtasks.exe
3612	schtasks.exe
3992	schtasks.exe
3320	schtasks.exe
3808	schtasks.exe
4384	schtasks.exe
1972	schtasks.exe
2828	schtasks.exe
2372	schtasks.exe
4452	schtasks.exe
3892	schtasks.exe
4484	schtasks.exe
3888	schtasks.exe
2404	schtasks.exe
4052	schtasks.exe
4660	schtasks.exe
4904	schtasks.exe
5020	schtasks.exe
4076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4596	bridgefont.exe
4596	bridgefont.exe
4596	bridgefont.exe
4596	bridgefont.exe
4596	bridgefont.exe
4596	bridgefont.exe
4596	bridgefont.exe
4596	bridgefont.exe
4596	bridgefont.exe
4596	bridgefont.exe
4596	bridgefont.exe
4596	bridgefont.exe
4596	bridgefont.exe
4596	bridgefont.exe
1500	services.exe
1500	services.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	Umbral.exe
Token: SeDebugPrivilege	4596	bridgefont.exe
Token: SeDebugPrivilege	1500	services.exe
Token: SeIncreaseQuotaPrivilege	4452	wmic.exe
Token: SeSecurityPrivilege	4452	wmic.exe
Token: SeTakeOwnershipPrivilege	4452	wmic.exe
Token: SeLoadDriverPrivilege	4452	wmic.exe
Token: SeSystemProfilePrivilege	4452	wmic.exe
Token: SeSystemtimePrivilege	4452	wmic.exe
Token: SeProfSingleProcessPrivilege	4452	wmic.exe
Token: SeIncBasePriorityPrivilege	4452	wmic.exe
Token: SeCreatePagefilePrivilege	4452	wmic.exe
Token: SeBackupPrivilege	4452	wmic.exe
Token: SeRestorePrivilege	4452	wmic.exe
Token: SeShutdownPrivilege	4452	wmic.exe
Token: SeDebugPrivilege	4452	wmic.exe
Token: SeSystemEnvironmentPrivilege	4452	wmic.exe
Token: SeRemoteShutdownPrivilege	4452	wmic.exe
Token: SeUndockPrivilege	4452	wmic.exe
Token: SeManageVolumePrivilege	4452	wmic.exe
Token: 33	4452	wmic.exe
Token: 34	4452	wmic.exe
Token: 35	4452	wmic.exe
Token: 36	4452	wmic.exe
Token: SeIncreaseQuotaPrivilege	4452	wmic.exe
Token: SeSecurityPrivilege	4452	wmic.exe
Token: SeTakeOwnershipPrivilege	4452	wmic.exe
Token: SeLoadDriverPrivilege	4452	wmic.exe
Token: SeSystemProfilePrivilege	4452	wmic.exe
Token: SeSystemtimePrivilege	4452	wmic.exe
Token: SeProfSingleProcessPrivilege	4452	wmic.exe
Token: SeIncBasePriorityPrivilege	4452	wmic.exe
Token: SeCreatePagefilePrivilege	4452	wmic.exe
Token: SeBackupPrivilege	4452	wmic.exe
Token: SeRestorePrivilege	4452	wmic.exe
Token: SeShutdownPrivilege	4452	wmic.exe
Token: SeDebugPrivilege	4452	wmic.exe
Token: SeSystemEnvironmentPrivilege	4452	wmic.exe
Token: SeRemoteShutdownPrivilege	4452	wmic.exe
Token: SeUndockPrivilege	4452	wmic.exe
Token: SeManageVolumePrivilege	4452	wmic.exe
Token: 33	4452	wmic.exe
Token: 34	4452	wmic.exe
Token: 35	4452	wmic.exe
Token: 36	4452	wmic.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 884	1820	2bdf60ce1391ccc1a829a41c8b531dd5.exe	89
PID 1820 wrote to memory of 884	1820	2bdf60ce1391ccc1a829a41c8b531dd5.exe	89
PID 1820 wrote to memory of 884	1820	2bdf60ce1391ccc1a829a41c8b531dd5.exe	89
PID 1820 wrote to memory of 3712	1820	2bdf60ce1391ccc1a829a41c8b531dd5.exe	90
PID 1820 wrote to memory of 3712	1820	2bdf60ce1391ccc1a829a41c8b531dd5.exe	90
PID 1820 wrote to memory of 452	1820	2bdf60ce1391ccc1a829a41c8b531dd5.exe	91
PID 1820 wrote to memory of 452	1820	2bdf60ce1391ccc1a829a41c8b531dd5.exe	91
PID 1820 wrote to memory of 452	1820	2bdf60ce1391ccc1a829a41c8b531dd5.exe	91
PID 452 wrote to memory of 2716	452	8XChecker.exe	96
PID 452 wrote to memory of 2716	452	8XChecker.exe	96
PID 452 wrote to memory of 2716	452	8XChecker.exe	96
PID 2716 wrote to memory of 3364	2716	WScript.exe	100
PID 2716 wrote to memory of 3364	2716	WScript.exe	100
PID 2716 wrote to memory of 3364	2716	WScript.exe	100
PID 3364 wrote to memory of 4596	3364	cmd.exe	103
PID 3364 wrote to memory of 4596	3364	cmd.exe	103
PID 4596 wrote to memory of 1500	4596	bridgefont.exe	136
PID 4596 wrote to memory of 1500	4596	bridgefont.exe	136
PID 3712 wrote to memory of 4452	3712	Umbral.exe	137
PID 3712 wrote to memory of 4452	3712	Umbral.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe
"C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
  "C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
  "C:\Users\Admin\AppData\Local\Temp\8XChecker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3364
    - - C:\Reviewwinbrokernet\bridgefont.exe
        
        "C:\Reviewwinbrokernet\bridgefont.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4596
      - C:\Reviewwinbrokernet\services.exe
        
        "C:\Reviewwinbrokernet\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Visualizations\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Visualizations\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Reviewwinbrokernet\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Reviewwinbrokernet\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Reviewwinbrokernet\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Reviewwinbrokernet\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe

Filesize
224B

MD5
d0546d4e82d204a215d2202b8122bebf

SHA1
b4b1c33b5104d1d003670c341908a01cc0a4a09b

SHA256
6f1ff6622e86a07eeb4c514424e78f7a9272ba7922de6dcf1df7810f40ab6756

SHA512
91d46ca23a26764f516ae273ae54cf689f303e772e954696e7e0ee7794b9b664be0aa2f432f34822b23657fb2c8bc489650f5b4d36e9b8de3d96a6ab864b9925

Download Submit
C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat

Filesize
38B

MD5
5ca65390126e266243ff3881f9cfb3f2

SHA1
228f50250b0cff6894fcc595c1dc1cbcdfd1b4b6

SHA256
ce08fb9623e455e0fd404378ec059c61cbf2c9de162f49c6cf59d244e0cdca54

SHA512
4f211680121ea9ce99c9dfa78de84b2d149902a94eda40d88e7e3cc0c2ba1910be157a84cadc4cc6bf36fbcc20f050f0766a30e9bc1481c93a2c45e6b7b7c47b

Download Submit
C:\Reviewwinbrokernet\bridgefont.exe

Filesize
828KB

MD5
b5c2e9124dfa9d37f7b2032b94127a37

SHA1
3f162c1dff58ff017d4a95540a220b7355765eb6

SHA256
15f729a2209101f7c6ecdaea74121dff0aec9fc1cb6bf3c6a30094af95bc5876

SHA512
edfbf86105464cc2cd214ec7da355f120d1913179855270d0a286bab67bc6c354151dc209a1f1e25ad777b523250ed2f1307e4c5e61434038a488f875c921b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\8XChecker.exe

Filesize
1.1MB

MD5
562a032b64898a5f86890120f1a6872b

SHA1
2a96ddcf1fc64ec4ab23597cbfce61bed40dd27a

SHA256
bb99ec3195fb0a972271667234885e97ff017df9cc64e605f2d5aafb469bd2a3

SHA512
871fe5fa1da1df87e909e1f9b1276e9d6a1dcaa0e5da7ed5d2df338f12c1b3ac02442ebd65138cbf7a0eb4b6e9237e806fe844f6dd15e352669fdc50cfa8960b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
ec2aed743841885a579338921df5073b

SHA1
8167b69da03e79cc4d013f2b1e2c972a9fa15296

SHA256
f3742ed689ca175bd615de562301102cd1bb72f65b3af8660883d5ea31bada2b

SHA512
aa4430171bd657439957cd5f3da3babf43725fce801c46377d003cd2f019bbb145eaef5de84e87f8bbf81a679733923ae3c5ff54f55e31cb575e13a4073ccc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe

Filesize
9KB

MD5
26abb9e459e5976f658ce80d6433f1b1

SHA1
3c8f02c1cf7b8ae82be3deea4b360497f6fee1c3

SHA256
60cc77b5d4210cef0a9032908b179142f212155426fdae48055c5f72811f7a12

SHA512
c2c02aa1db8036c7309100bb683ec7708fedfb129d763d86e03d9d6adc3688423ec04cb5b596eaf99300787f90d641e53350e1ceed0e8b11d6f29333e04b4ce8

Download Submit
memory/884-17-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1820-1-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/1820-30-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3712-26-0x00007FFD77153000-0x00007FFD77155000-memory.dmp

Filesize
8KB

Download
memory/3712-40-0x00007FFD77153000-0x00007FFD77155000-memory.dmp

Filesize
8KB

Download
memory/3712-42-0x00007FFD77150000-0x00007FFD77C11000-memory.dmp

Filesize
10.8MB

Download
memory/3712-32-0x00007FFD77150000-0x00007FFD77C11000-memory.dmp

Filesize
10.8MB

Download
memory/3712-27-0x000002B462D20000-0x000002B462D60000-memory.dmp

Filesize
256KB

Download
memory/3712-81-0x00007FFD77150000-0x00007FFD77C11000-memory.dmp

Filesize
10.8MB

Download
memory/4596-47-0x0000000000720000-0x00000000007F6000-memory.dmp

Filesize
856KB

Download