dcrat | 06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
Size

46.0MB
MD5

2bdf60ce1391ccc1a829a41c8b531dd5
SHA1

8fecb37b06dd016f820cbc55c1446aa34666bf12
SHA256

06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1
SHA512

0091fc481589bb93b2c4352b600220691cd7f0e0ae7979d6cdf4c529db97613d40cf693b01e3b119bc69a3414ba3f700561ee2364474f48a80f2c9763f357359
SSDEEP

24576:f5r3oaR/k4XDG/BcoNWmt2G/nvxW3Ww0tXegr2pdxgLHw8dQefBkrzCL7:dmtbA30XeY6o/QAU+L

Score

10^/10

dcrat umbral infostealer rat stealer

Malware Config

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1253005353222668289/_twANrdJlJok9NDlMWHxe2qUewe11QbdTTPK9sqVpjZ9uRjyV2p28YwCPVaWlpRMyL50

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0038000000015686-12.dat	family_umbral
behavioral1/memory/1952-22-0x0000000000400000-0x0000000000562000-memory.dmp	family_umbral
behavioral1/memory/2296-23-0x0000000000390000-0x00000000003D0000-memory.dmp	family_umbral

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2988	schtasks.exe	35

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015cc7-18.dat	dcrat
behavioral1/memory/1952-22-0x0000000000400000-0x0000000000562000-memory.dmp	dcrat
behavioral1/files/0x0007000000015cf0-34.dat	dcrat
behavioral1/memory/2568-38-0x0000000001210000-0x00000000012E6000-memory.dmp	dcrat
behavioral1/memory/2068-79-0x0000000000A10000-0x0000000000AE6000-memory.dmp	dcrat

Executes dropped EXE 5 IoCs

pid	Process
2212	X8Checker 2.6.exe
2296	Umbral.exe
2692	8XChecker.exe
2568	bridgefont.exe
2068	spoolsv.exe

Loads dropped DLL 6 IoCs

pid	Process
1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
2512	cmd.exe
2512	cmd.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\conhost.exe	bridgefont.exe
File created	C:\Program Files (x86)\Windows Portable Devices\088424020bedd6	bridgefont.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe	bridgefont.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\f3b6ecef712a24	bridgefont.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\audiodg.exe	bridgefont.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\42af1c969fbb7b	bridgefont.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Idle.exe	bridgefont.exe
File created	C:\Windows\SoftwareDistribution\6ccacd8608530f	bridgefont.exe
File created	C:\Windows\ShellNew\csrss.exe	bridgefont.exe
File created	C:\Windows\ShellNew\886983d96e3d3e	bridgefont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
532	schtasks.exe
444	schtasks.exe
1892	schtasks.exe
1724	schtasks.exe
1272	schtasks.exe
1072	schtasks.exe
2480	schtasks.exe
1364	schtasks.exe
1604	schtasks.exe
1056	schtasks.exe
1564	schtasks.exe
2232	schtasks.exe
2244	schtasks.exe
2156	schtasks.exe
1284	schtasks.exe
1460	schtasks.exe
2832	schtasks.exe
2464	schtasks.exe
1904	schtasks.exe
2396	schtasks.exe
1240	schtasks.exe
2324	schtasks.exe
3008	schtasks.exe
2016	schtasks.exe
824	schtasks.exe
1468	schtasks.exe
268	schtasks.exe
776	schtasks.exe
3060	schtasks.exe
2940	schtasks.exe
2992	schtasks.exe
2728	schtasks.exe
2564	schtasks.exe
1736	schtasks.exe
2352	schtasks.exe
2380	schtasks.exe
284	schtasks.exe
1992	schtasks.exe
356	schtasks.exe
2384	schtasks.exe
1828	schtasks.exe
2052	schtasks.exe
2004	schtasks.exe
3032	schtasks.exe
2868	schtasks.exe
2696	schtasks.exe
2760	schtasks.exe
864	schtasks.exe
1616	schtasks.exe
1980	schtasks.exe
316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2568	bridgefont.exe
2568	bridgefont.exe
2568	bridgefont.exe
2568	bridgefont.exe
2568	bridgefont.exe
2568	bridgefont.exe
2568	bridgefont.exe
2568	bridgefont.exe
2568	bridgefont.exe
2568	bridgefont.exe
2568	bridgefont.exe
2068	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	Umbral.exe
Token: SeDebugPrivilege	2568	bridgefont.exe
Token: SeDebugPrivilege	2068	spoolsv.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2212	1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	28
PID 1952 wrote to memory of 2212	1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	28
PID 1952 wrote to memory of 2212	1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	28
PID 1952 wrote to memory of 2212	1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	28
PID 1952 wrote to memory of 2296	1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	29
PID 1952 wrote to memory of 2296	1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	29
PID 1952 wrote to memory of 2296	1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	29
PID 1952 wrote to memory of 2296	1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	29
PID 1952 wrote to memory of 2692	1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	30
PID 1952 wrote to memory of 2692	1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	30
PID 1952 wrote to memory of 2692	1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	30
PID 1952 wrote to memory of 2692	1952	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	30
PID 2692 wrote to memory of 2504	2692	8XChecker.exe	31
PID 2692 wrote to memory of 2504	2692	8XChecker.exe	31
PID 2692 wrote to memory of 2504	2692	8XChecker.exe	31
PID 2692 wrote to memory of 2504	2692	8XChecker.exe	31
PID 2504 wrote to memory of 2512	2504	WScript.exe	32
PID 2504 wrote to memory of 2512	2504	WScript.exe	32
PID 2504 wrote to memory of 2512	2504	WScript.exe	32
PID 2504 wrote to memory of 2512	2504	WScript.exe	32
PID 2512 wrote to memory of 2568	2512	cmd.exe	34
PID 2512 wrote to memory of 2568	2512	cmd.exe	34
PID 2512 wrote to memory of 2568	2512	cmd.exe	34
PID 2512 wrote to memory of 2568	2512	cmd.exe	34
PID 2568 wrote to memory of 2068	2568	bridgefont.exe	87
PID 2568 wrote to memory of 2068	2568	bridgefont.exe	87
PID 2568 wrote to memory of 2068	2568	bridgefont.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
"C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
  "C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
  "C:\Users\Admin\AppData\Local\Temp\8XChecker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Reviewwinbrokernet\bridgefont.exe
        
        "C:\Reviewwinbrokernet\bridgefont.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Reviewwinbrokernet\spoolsv.exe
        
        "C:\Reviewwinbrokernet\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UmbralU" /sc MINUTE /mo 6 /tr "'C:\Reviewwinbrokernet\Umbral.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Umbral" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\Umbral.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UmbralU" /sc MINUTE /mo 7 /tr "'C:\Reviewwinbrokernet\Umbral.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ShellNew\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Reviewwinbrokernet\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Reviewwinbrokernet\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Reviewwinbrokernet\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Reviewwinbrokernet\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Reviewwinbrokernet\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Reviewwinbrokernet\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe

Filesize
224B

MD5
d0546d4e82d204a215d2202b8122bebf

SHA1
b4b1c33b5104d1d003670c341908a01cc0a4a09b

SHA256
6f1ff6622e86a07eeb4c514424e78f7a9272ba7922de6dcf1df7810f40ab6756

SHA512
91d46ca23a26764f516ae273ae54cf689f303e772e954696e7e0ee7794b9b664be0aa2f432f34822b23657fb2c8bc489650f5b4d36e9b8de3d96a6ab864b9925

Download Submit
C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat

Filesize
38B

MD5
5ca65390126e266243ff3881f9cfb3f2

SHA1
228f50250b0cff6894fcc595c1dc1cbcdfd1b4b6

SHA256
ce08fb9623e455e0fd404378ec059c61cbf2c9de162f49c6cf59d244e0cdca54

SHA512
4f211680121ea9ce99c9dfa78de84b2d149902a94eda40d88e7e3cc0c2ba1910be157a84cadc4cc6bf36fbcc20f050f0766a30e9bc1481c93a2c45e6b7b7c47b

Download Submit
\Reviewwinbrokernet\bridgefont.exe

Filesize
828KB

MD5
b5c2e9124dfa9d37f7b2032b94127a37

SHA1
3f162c1dff58ff017d4a95540a220b7355765eb6

SHA256
15f729a2209101f7c6ecdaea74121dff0aec9fc1cb6bf3c6a30094af95bc5876

SHA512
edfbf86105464cc2cd214ec7da355f120d1913179855270d0a286bab67bc6c354151dc209a1f1e25ad777b523250ed2f1307e4c5e61434038a488f875c921b46

Download Submit
\Users\Admin\AppData\Local\Temp\8XChecker.exe

Filesize
1.1MB

MD5
562a032b64898a5f86890120f1a6872b

SHA1
2a96ddcf1fc64ec4ab23597cbfce61bed40dd27a

SHA256
bb99ec3195fb0a972271667234885e97ff017df9cc64e605f2d5aafb469bd2a3

SHA512
871fe5fa1da1df87e909e1f9b1276e9d6a1dcaa0e5da7ed5d2df338f12c1b3ac02442ebd65138cbf7a0eb4b6e9237e806fe844f6dd15e352669fdc50cfa8960b

Download Submit
\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
ec2aed743841885a579338921df5073b

SHA1
8167b69da03e79cc4d013f2b1e2c972a9fa15296

SHA256
f3742ed689ca175bd615de562301102cd1bb72f65b3af8660883d5ea31bada2b

SHA512
aa4430171bd657439957cd5f3da3babf43725fce801c46377d003cd2f019bbb145eaef5de84e87f8bbf81a679733923ae3c5ff54f55e31cb575e13a4073ccc7c

Download Submit
\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe

Filesize
9KB

MD5
26abb9e459e5976f658ce80d6433f1b1

SHA1
3c8f02c1cf7b8ae82be3deea4b360497f6fee1c3

SHA256
60cc77b5d4210cef0a9032908b179142f212155426fdae48055c5f72811f7a12

SHA512
c2c02aa1db8036c7309100bb683ec7708fedfb129d763d86e03d9d6adc3688423ec04cb5b596eaf99300787f90d641e53350e1ceed0e8b11d6f29333e04b4ce8

Download Submit
memory/1952-22-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/2068-79-0x0000000000A10000-0x0000000000AE6000-memory.dmp

Filesize
856KB

Download
memory/2212-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2296-23-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/2568-38-0x0000000001210000-0x00000000012E6000-memory.dmp

Filesize
856KB

Download