44caliber | fe014092ae92e8372849bed9f5cf33946e8d918bdc50feddc1316bc837414ba8

General

Target

Nursultan.exe
Size

1.4MB
MD5

1b6293c7f0dfed044b0eba8b98b0faff
SHA1

e5705cbb256bb0b1a350e1b9fb71c1a1e4ac605a
SHA256

fe014092ae92e8372849bed9f5cf33946e8d918bdc50feddc1316bc837414ba8
SHA512

694e9afd04089172c991a712849049545459ceeed99780a6f012ca086fa2d1b70bbd627534b85b1797f4be22feda55e46e6966fe96a2ee66effdeeaa2eb650a5
SSDEEP

24576:d2G/nvxW3WckpJWjXbNQsVZy8v8BQSsZWcJ48z2AB4:dbA3wvW+sVZy8fZWmz9

Score

10^/10

44caliber dcrat infostealer rat stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1253689379948593173/lzPh5dDD7ETWYLRPMt2M_Ml82yS42YxolYTwBWldi4NXuLOvpMPhz7AlFtFln1RxcqaC

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	2760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2760	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3016-1-0x00000000004C0000-0x000000000062C000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\svchost.exe	dcrat
C:\Hypercommon\ServercrtDll.exe	dcrat
behavioral2/memory/4956-39-0x0000000000C90000-0x0000000000D66000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exeWScript.exeServercrtDll.exeNursultan.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	ServercrtDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Nursultan.exe

Executes dropped EXE 4 IoCs

Processes:

svchost.exeexplorer.exeServercrtDll.exeservices.exe

pid process

544 svchost.exe
4160 explorer.exe
4956 ServercrtDll.exe
1544 services.exe

pid	process
544	svchost.exe
4160	explorer.exe
4956	ServercrtDll.exe
1544	services.exe

Drops file in Program Files directory 15 IoCs

Processes:

ServercrtDll.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\conhost.exe	ServercrtDll.exe
File created	C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe	ServercrtDll.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\SearchApp.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\38384e6a620884	ServercrtDll.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\e1ef82546f0b02	ServercrtDll.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\55b276f4edf653	ServercrtDll.exe
File created	C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9	ServercrtDll.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5b884080fd4f94	ServercrtDll.exe
File created	C:\Program Files\Windows Sidebar\088424020bedd6	ServercrtDll.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\SearchApp.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\StartMenuExperienceHost.exe	ServercrtDll.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\38384e6a620884	ServercrtDll.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\SppExtComObj.exe	ServercrtDll.exe

Drops file in Windows directory 6 IoCs

Processes:

ServercrtDll.exe

description	ioc	process
File created	C:\Windows\Speech_OneCore\Engines\TTS\en-US\22eafd247d37c3	ServercrtDll.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe	ServercrtDll.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\c5b4cb5e9653cc	ServercrtDll.exe
File created	C:\Windows\debug\RuntimeBroker.exe	ServercrtDll.exe
File created	C:\Windows\debug\9e8d7a4ca61bd9	ServercrtDll.exe
File created	C:\Windows\Speech_OneCore\Engines\TTS\en-US\TextInputHost.exe	ServercrtDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

svchost.exeServercrtDll.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	ServercrtDll.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5040	schtasks.exe
380	schtasks.exe
5100	schtasks.exe
1360	schtasks.exe
4884	schtasks.exe
4604	schtasks.exe
5016	schtasks.exe
2844	schtasks.exe
1460	schtasks.exe
4440	schtasks.exe
2032	schtasks.exe
2444	schtasks.exe
548	schtasks.exe
4916	schtasks.exe
3344	schtasks.exe
3660	schtasks.exe
3084	schtasks.exe
4524	schtasks.exe
1680	schtasks.exe
348	schtasks.exe
4016	schtasks.exe
4248	schtasks.exe
336	schtasks.exe
2960	schtasks.exe
3772	schtasks.exe
4032	schtasks.exe
4188	schtasks.exe
4892	schtasks.exe
1708	schtasks.exe
5000	schtasks.exe
1912	schtasks.exe
2196	schtasks.exe
4732	schtasks.exe
532	schtasks.exe
3648	schtasks.exe
4592	schtasks.exe
724	schtasks.exe
4040	schtasks.exe
1496	schtasks.exe
1480	schtasks.exe
1984	schtasks.exe
2096	schtasks.exe
2076	schtasks.exe
5048	schtasks.exe
1048	schtasks.exe
4652	schtasks.exe
4824	schtasks.exe
3172	schtasks.exe
1816	schtasks.exe
116	schtasks.exe
1456	schtasks.exe
4984	schtasks.exe
2288	schtasks.exe
2932	schtasks.exe
5072	schtasks.exe
4400	schtasks.exe
4924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

explorer.exeServercrtDll.exeservices.exe

pid	process
4160	explorer.exe
4160	explorer.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
4956	ServercrtDll.exe
1544	services.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

explorer.exeServercrtDll.exeservices.exe

description pid process

Token: SeDebugPrivilege 4160 explorer.exe
Token: SeDebugPrivilege 4956 ServercrtDll.exe
Token: SeDebugPrivilege 1544 services.exe

description	pid	process
Token: SeDebugPrivilege	4160	explorer.exe
Token: SeDebugPrivilege	4956	ServercrtDll.exe
Token: SeDebugPrivilege	1544	services.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Nursultan.exesvchost.exeWScript.execmd.exeServercrtDll.execmd.exe

description	pid	process	target process
PID 3016 wrote to memory of 544	3016	Nursultan.exe	svchost.exe
PID 3016 wrote to memory of 544	3016	Nursultan.exe	svchost.exe
PID 3016 wrote to memory of 544	3016	Nursultan.exe	svchost.exe
PID 3016 wrote to memory of 4160	3016	Nursultan.exe	explorer.exe
PID 3016 wrote to memory of 4160	3016	Nursultan.exe	explorer.exe
PID 544 wrote to memory of 2996	544	svchost.exe	WScript.exe
PID 544 wrote to memory of 2996	544	svchost.exe	WScript.exe
PID 544 wrote to memory of 2996	544	svchost.exe	WScript.exe
PID 2996 wrote to memory of 4180	2996	WScript.exe	cmd.exe
PID 2996 wrote to memory of 4180	2996	WScript.exe	cmd.exe
PID 2996 wrote to memory of 4180	2996	WScript.exe	cmd.exe
PID 4180 wrote to memory of 4956	4180	cmd.exe	ServercrtDll.exe
PID 4180 wrote to memory of 4956	4180	cmd.exe	ServercrtDll.exe
PID 4956 wrote to memory of 388	4956	ServercrtDll.exe	cmd.exe
PID 4956 wrote to memory of 388	4956	ServercrtDll.exe	cmd.exe
PID 388 wrote to memory of 804	388	cmd.exe	w32tm.exe
PID 388 wrote to memory of 804	388	cmd.exe	w32tm.exe
PID 388 wrote to memory of 1544	388	cmd.exe	services.exe
PID 388 wrote to memory of 1544	388	cmd.exe	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Hypercommon\s6qV8wojz3Yx3vhyfOAzGuFvxlJ5l.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Hypercommon\Udwe1ynNPaETo.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Hypercommon\ServercrtDll.exe
"C:\Hypercommon\ServercrtDll.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KJoXvXv5hC.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:804

C:\Recovery\WindowsRE\services.exe
"C:\Recovery\WindowsRE\services.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Hypercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Hypercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Hypercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Default\NetHood\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Hypercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Hypercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Hypercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Hypercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Hypercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Hypercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Hypercommon\ServercrtDll.exe
Filesize
828KB

MD5
801d5740c780d09b1cc6d971ce8b280f

SHA1
c7188e6f5998405d9dcbe83ce5d29267861be07d

SHA256
b678bee38602b80df34f15e4555bb689e2eb6aef26f4c273d652c88f8825c33f

SHA512
3296e517a6e0d6d3feb1f9d1544664b87589130d8a28f205626b2182ecdf333ff404f311ce69730d509e3072432024d3ed16db7068d35925375d9ecc5fe82b49

Download Submit
C:\Hypercommon\Udwe1ynNPaETo.bat
Filesize
33B

MD5
1af82b77403306ff43f68bf7a0786c52

SHA1
730a3bd4b524ffa024657c1fc27ffd82e25f3f81

SHA256
e358e4c2fc541cc4e5614b1af9360a85a32fc53babbc57ecf5858fe71d334f96

SHA512
0e33b779aceb2a42f5c42e07bcd3ac70a3dbb1fd2bbd4ae154979735f58eeaab5abea05cea682f4b73f6b54174ace8ac3046c6e9a84c4a729a6ed2bffa1a9ec1

Download Submit
C:\Hypercommon\s6qV8wojz3Yx3vhyfOAzGuFvxlJ5l.vbe
Filesize
201B

MD5
0f314eb5d52ce9cd85095eadff4f908c

SHA1
272d25d43f789dd5fad479ab31e96214f82302b3

SHA256
f17ea2d9d889ef2012cb57191ad3a1d2d3351df8539b4029d6f7080d66217e89

SHA512
471b72558c045bc4acd276087d82e564aa7685373dea3ac3e90390df0f7f42ea06ae0254d3a4a9dc57312c7b1485916f4d470bd353b4b8c0b35d705573105f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\KJoXvXv5hC.bat
Filesize
199B

MD5
04e114e5a7164d3eaa964ac53ffab2be

SHA1
5b416606f404810257e2bcee4a603cb418a9fe18

SHA256
2b289a651fb19f82a55a746b8f64de78fb5923bc8db241e1c42e195091451980

SHA512
6be1062b4baba23e3b4059dd76c1b4b7f8a319bf1ef6eebd48f2b9d5f4bf0173524d124c461e4c69e2125ac5e3a5c40dfac3ced4a9e420dcd9567b0328305d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
303KB

MD5
7d9282b8529bbb4ac06a3994fbcd0622

SHA1
d38d467c5e533f3bc247b6ed245fb08412a479d7

SHA256
ca5820bbbcbefd08f5ec820b833b23f7f97556a247da39510a70cbe7b809e3a9

SHA512
aec2d63548176dc1a8ad3d2dfce0bc41973230c6898c55171dec7fc2919b84a8061d4308449c9551cc40ac7c08ad773fd6a7818bbd748ede9be64acc11dcfca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
3ee661f4a9794c72a91fa1f783f54969

SHA1
35780f52351da65b60cc63b302018950cbfe849f

SHA256
ebcaf07121ce2483989e7a71d00b83c54b942f71e51271d5b28886ef03e45b51

SHA512
0b53edac853f257b3c40b8b8014f0b0d53f546410d352965eace8eb251b2d75aa02e171586750a70dd97a4bc103b4b7707e90d5bd7a47c786858514f83281bde

Download Submit
memory/3016-0-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/3016-1-0x00000000004C0000-0x000000000062C000-memory.dmp

Filesize
1.4MB

Download
memory/3016-2-0x0000000004E70000-0x0000000004F0C000-memory.dmp

Filesize
624KB

Download
memory/4160-22-0x00007FF980EF3000-0x00007FF980EF5000-memory.dmp

Filesize
8KB

Download
memory/4160-32-0x00007FF980EF0000-0x00007FF9819B1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-23-0x0000019CC81F0000-0x0000019CC8242000-memory.dmp

Filesize
328KB

Download
memory/4160-87-0x00007FF980EF0000-0x00007FF9819B1000-memory.dmp

Filesize
10.8MB

Download
memory/4956-39-0x0000000000C90000-0x0000000000D66000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads