Analysis
- max time kernel: 61s
- max time network: 58s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 17-07-2024 11:23
Behavioral tasks
- behavioral1: sample Riga Client.exe, resource win7-20240705-en (the run every PID, memory dump and IoC on this page comes from)
- behavioral2: sample Riga Client.exe, resource win10v2004-20240709-en (results not shown on this page)
General
- Target: Riga Client.exe
- Size: 2.0MB
- MD5: 40ac7d11ebb91612d8d5c16c05af0a13
- SHA1: 543a6c16f8f058fb6ba029ee3a9c5fde92aaa212
- SHA256: 4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e
- SHA512: 223ecc008fe3b9818597c3870ef605674eb96c52f8f140edb1d7c878691ce16c604440be77107c795a2bbb4e1b5c28ba94141e5703d9488c3a06580e38bf953c
- SSDEEP: 49152:PbA3HdwWe2aSe6pcUwxE0G+dK7RB7/wWnm1Xl:Pbt2M4cUwxEII7RB0d1Xl
Malware Config
(none extracted in this run)
Signatures
-
DcRat (39 IoCs)
DarkCrystal RAT (DcRat) is a .NET remote access trojan, in use since June 2019, that can load additional plugins.
Processes: schtasks.exe, 39 instances. PIDs in report order: 2292, 2904, 2896, 2320, 2032, 2548, 2540, 2892, 1492, 2792, 1644, 1072, 2376, 2340, 2092, 1444, 1044, 2496, 2384, 2596, 2044, 2528, 2452, 2964, 2684, 2924, 456, 1792, 1424, 1464, 2724, 2116, 2956, 2816, 988, 2056, 2740, 1200, 2544.
This signature fires on the scheduled-task registrations rather than on the dropper itself; the family attribution is backed by the dcrat YARA matches on ComInto.exe and on the memory of PIDs 2804 and 320 further down.
Modifies WinLogon for persistence (2 TTPs, 27 IoCs)
Processes: ComInto.exe, spoolsv.exe
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (string value). Winlogon starts every comma-separated entry of this value at logon, so the sample keeps the genuine explorer.exe as the first entry and appends its own copies after it. All 27 writes target this single value:
- ComInto.exe (PID 2804) wrote it 13 times, each write one path longer than the previous one, until all 13 dropped copies were listed.
- spoolsv.exe (PID 320, the copy launched by ComInto.exe) wrote it a further 14 times; each of those writes is a different suffix of the same 13-path list, from the full list down to a bare "explorer.exe".
The full value (backslashes shown unescaped; the report doubles them and escapes the inner quotes as \"):
explorer.exe, "C:\componentCommon\conhost.exe", "C:\Users\All Users\Documents\dwm.exe", "C:\Windows\Fonts\dwm.exe", "C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsass.exe", "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe", "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe", "C:\componentCommon\explorer.exe", "C:\Windows\AppPatch\AppPatch64\dllhost.exe", "C:\Users\Default User\spoolsv.exe", "C:\componentCommon\smss.exe", "C:\Program Files\Uninstall Information\lsm.exe", "C:\Users\Default\Links\csrss.exe", "C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe"
The 13 paths in the order ComInto.exe appended them:
1. C:\componentCommon\conhost.exe
2. C:\Users\All Users\Documents\dwm.exe
3. C:\Windows\Fonts\dwm.exe
4. C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsass.exe
5. C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe
6. C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe
7. C:\componentCommon\explorer.exe
8. C:\Windows\AppPatch\AppPatch64\dllhost.exe
9. C:\Users\Default User\spoolsv.exe
10. C:\componentCommon\smss.exe
11. C:\Program Files\Uninstall Information\lsm.exe
12. C:\Users\Default\Links\csrss.exe
13. C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe
Every copy borrows the name of a Windows system process (lsass, csrss, smss, services, lsm, dwm, spoolsv, dllhost, conhost, explorer) but sits in a directory where that binary never lives. The Recovery GUID and the MSOCache product code are directories that already existed on the sandbox image, so the exact paths will differ on another victim; the indicator to hunt for is a system-process name outside System32 (or outside C:\Windows for explorer.exe), not these specific paths.
Process spawned unexpected child process (64 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. Here, however, all 64 hits are the same pattern: C:\Windows\system32\wbem\wmiprvse.exe (PID 2652) is the parent of a schtasks.exe. A WmiPrvSE.exe parent is what a process created through WMI (Win32_Process.Create) looks like, so the likelier reading is that the dropper registered its tasks via WMI instead of spawning schtasks.exe directly. That also explains why schtasks.exe appears at the top level of the process tree below rather than under ComInto.exe or spoolsv.exe.
Processes: schtasks.exe, 64 instances, every one with parent PID 2652 (wmiprvse.exe). Child PIDs in report order:
2724, 1044, 2792, 2528, 2292, 2544, 2496, 2548, 2116, 2384, 1644, 2904, 2452, 2540, 2892, 2964, 2896, 2956, 2816, 2684, 2924, 456, 1072, 2376, 2320, 988, 2596, 2056, 2740, 1792, 2340, 2032, 2092, 1444, 2044, 1424, 1464, 1200, 1492, 2280, 2336, 2508, 2640, 2532, 1068, 2724, 2136, 2624, 2148, 2828, 2936, 2944, 2132, 2972, 2384, 1340, 2668, 2284, 2360, 1236, 676, 2076, 928, 2312
The first 39 PIDs are exactly the schtasks.exe instances counted under the DcRat signature; the remaining 25 (from 2280 on) are further task registrations. PIDs 2724 and 2384 each occur twice, so the sandbox reused PIDs within the run and a PID by itself does not identify a process in this report.
YARA matches (rule: dcrat)
- \componentCommon\ComInto.exe (dropped file): dcrat
- behavioral1/memory/2804-13-0x0000000000360000-0x000000000050C000-memory.dmp (PID 2804, ComInto.exe): dcrat
- behavioral1/memory/320-60-0x0000000000AE0000-0x0000000000C8C000-memory.dmp (PID 320, spoolsv.exe): dcrat
Both in-memory regions are 0x1AC000 bytes long, consistent with spoolsv.exe being a straight copy of ComInto.exe.
Executes dropped EXE (2 IoCs)
Processes: ComInto.exe (PID 2804), spoolsv.exe (PID 320)
Loads dropped DLL (2 IoCs)
Processes: cmd.exe (PID 1980), counted twice
Adds Run key to start application (2 TTPs, 26 IoCs)
Processes: ComInto.exe
ComInto.exe wrote 13 Run values, one per dropped copy, under each of two keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKU\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run (the logged-on user's HKCU). The value name is the copy's file name without .exe and the data is the quoted path (the report shows the quotes escaped as \"). Sorted by value name; the same 13 pairs were written to both hives:
- conhost = "C:\componentCommon\conhost.exe"
- csrss = "C:\Users\Default\Links\csrss.exe"
- dllhost = "C:\Windows\AppPatch\AppPatch64\dllhost.exe"
- dwm = "C:\Users\All Users\Documents\dwm.exe"
- dwm = "C:\Windows\Fonts\dwm.exe"
- explorer = "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe"
- explorer = "C:\componentCommon\explorer.exe"
- lsass = "C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsass.exe"
- lsm = "C:\Program Files\Uninstall Information\lsm.exe"
- lsm = "C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe"
- services = "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe"
- smss = "C:\componentCommon\smss.exe"
- spoolsv = "C:\Users\Default User\spoolsv.exe"
Because dwm, explorer and lsm are each written twice to the same key with different data, only the later write of each survives: at most 10 of the 13 copies can autostart from the Run keys, and the Winlogon Shell value and the scheduled tasks cover the rest. The HKLM writes, like the drops into Program Files and C:\Windows below, require administrative rights; on a host where the user is not an administrator only the HKCU and user-profile persistence would land.
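The Winlogon Shell list above and these Run values share one detectable trait: a system-process file name in a directory where Windows never installs it. The audit below, an added example that is neither Tria.ge output nor the sample's code, parses a Shell value into its comma-separated entries, flags masqueraded paths in both locations, and reports Run value names that were overwritten within the same hive. SHELL_VALUE and the first five RUN_VALUES are copied from this report with the registry escaping removed; the OneDrive entry is a constructed benign control, and the set of legitimate directories is my assumption.

```python
"""Audit Winlogon Shell and Run-key values for system-process names outside their
real directories.  Added example, not part of the Tria.ge report."""
import re
from pathlib import PureWindowsPath

# Names the sample reuses for its copies; all ten appear in the report.
SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "services.exe", "lsm.exe",
                "dwm.exe", "spoolsv.exe", "dllhost.exe", "conhost.exe", "explorer.exe"}
# Assumed legitimate homes; explorer.exe additionally lives directly in C:\Windows.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# The final Shell value from the report (registry escaping removed).
SHELL_VALUE = (
    'explorer.exe, "C:\\componentCommon\\conhost.exe", '
    '"C:\\Users\\All Users\\Documents\\dwm.exe", "C:\\Windows\\Fonts\\dwm.exe", '
    '"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe", '
    '"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe", '
    '"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe", '
    '"C:\\componentCommon\\explorer.exe", "C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe", '
    '"C:\\Users\\Default User\\spoolsv.exe", "C:\\componentCommon\\smss.exe", '
    '"C:\\Program Files\\Uninstall Information\\lsm.exe", "C:\\Users\\Default\\Links\\csrss.exe", '
    '"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe"'
)

# (hive, value name, data) as the sandbox logged them; the last entry is constructed.
RUN_VALUES = [
    ("HKLM", "explorer", '"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe"'),
    ("HKLM", "explorer", '"C:\\componentCommon\\explorer.exe"'),
    ("HKLM", "dwm", '"C:\\Users\\All Users\\Documents\\dwm.exe"'),
    ("HKLM", "dwm", '"C:\\Windows\\Fonts\\dwm.exe"'),
    ("HKCU", "lsass", '"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe"'),
    ("HKCU", "OneDrive", '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"'),  # constructed benign control
]


def parse_shell_value(value):
    """Split a Winlogon Shell value into its program entries.

    Winlogon runs every comma-separated entry; entries are either bare
    (explorer.exe) or quoted paths that may themselves contain spaces."""
    entries = []
    for m in re.finditer(r'"([^"]*)"|([^,\s][^,]*)', value):
        entries.append((m.group(1) if m.group(1) is not None else m.group(2)).strip())
    return entries


def masquerade_reason(path):
    """Explain why a path is suspicious, or return None if it looks legitimate."""
    p = PureWindowsPath(path.strip('"'))
    name, parent = p.name.lower(), str(p.parent).lower()
    if name not in SYSTEM_NAMES:
        return None
    allowed = LEGIT_DIRS | ({r"c:\windows"} if name == "explorer.exe" else set())
    if parent in allowed:
        return None
    return f"{name} is a system-process name but lives in {p.parent}"


def audit_shell(value):
    """Everything beyond the bare explorer.exe entry is a persistence hook."""
    findings = []
    for entry in parse_shell_value(value):
        if entry.lower() == "explorer.exe":
            continue
        findings.append((entry, masquerade_reason(entry) or "extra Shell entry"))
    return findings


def audit_run_values(run_values):
    """Flag masqueraded Run data and value names overwritten within one hive."""
    findings, seen = [], {}
    for hive, name, data in run_values:
        path = data.strip('"')
        why = masquerade_reason(path)
        if why:
            findings.append((hive, name, path, why))
        key = (hive, name.lower())
        if key in seen and seen[key] != path:
            findings.append((hive, name, path, f"overwrites earlier value {seen[key]}"))
        seen[key] = path
    return findings


if __name__ == "__main__":
    for entry, why in audit_shell(SHELL_VALUE):
        print(f"Shell: {entry}: {why}")
    for hive, name, path, why in audit_run_values(RUN_VALUES):
        print(f"Run {hive}\\{name}: {path}: {why}")
```

Run against the report's data, every one of the 13 Shell entries is flagged by the masquerade rule, and the Run audit reports both the masqueraded paths and the two collisions (explorer and dwm) in which a later write replaced an earlier one.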
Drops file in Program Files directory (4 IoCs)
Processes: ComInto.exe
- C:\Program Files\Uninstall Information\lsm.exe
- C:\Program Files\Uninstall Information\101b941d020240
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\7a0fd90576e088
Drops file in Windows directory (4 IoCs)
Processes: ComInto.exe
- C:\Windows\Fonts\dwm.exe
- C:\Windows\Fonts\6cb0b6c459d5d3
- C:\Windows\AppPatch\AppPatch64\dllhost.exe
- C:\Windows\AppPatch\AppPatch64\5940a34987c991
Each dropped executable is accompanied by a second, extensionless file with a 14-character hexadecimal name in the same directory. A system-process name next to such a file, outside System32, is a cheap file-system check for this sample's drop pattern.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTPs, 39 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, 39 instances, the same 39 PIDs as under the DcRat signature: 2544, 2964, 2044, 1044, 2384, 2956, 2684, 1444, 2724, 1644, 2904, 2452, 2816, 2340, 1424, 1492, 2548, 2540, 2320, 2528, 2496, 2116, 2896, 2056, 2740, 1200, 2292, 2892, 2092, 1464, 2792, 2924, 456, 1072, 2596, 2376, 988, 1792, 2032.
39 registrations for 13 dropped copies works out to three tasks per copy. The only command line the report shows (at the end of the process tree) is typical of them: a task named after the target binary with a letter appended ("conhostc"), a 13-minute MINUTE schedule that keeps relaunching the copy, and /f so that a re-run silently overwrites an existing task of the same name.
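A triage routine for schtasks.exe /create command lines of the kind this report produces, as an added example that is not part of the report: it pulls the switches out of the command line and scores the task on cadence, target location, task-library placement and use of /f. REPORT_CMDLINE is the one command line this page shows; BENIGN_CMDLINE and USERPROFILE_CMDLINE are constructed for contrast, and the 15-minute threshold and the set of standard roots are my choices, not Tria.ge's.

```python
"""Parse and triage `schtasks.exe /create` command lines.  Added example; the
report gives only one such command line, the other two below are constructed."""
import re
from pathlib import PureWindowsPath

# From this report's process tree.
REPORT_CMDLINE = r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\componentCommon\conhost.exe'" /f'''
# Constructed: a vendor-style task that should pass.
BENIGN_CMDLINE = r'''schtasks.exe /create /tn "\Contoso\Agent\Update" /sc DAILY /st 03:00 /tr "C:\Program Files\Contoso\agent.exe"'''
# Constructed: minute-cadence task pointing into a user profile, no /f.
USERPROFILE_CMDLINE = r'''schtasks.exe /create /tn "svc" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Roaming\svc.exe"'''

STANDARD_ROOTS = {"windows", "program files", "program files (x86)"}
FAST_CADENCE_MINUTES = 15  # assumed threshold


def parse_schtasks_create(cmdline):
    """Return {switch: value} for a schtasks command line.

    A switch followed by a quoted string or a bare token takes that as its value;
    a switch followed by another switch (or nothing) is a flag and maps to True.
    Values are stripped of the double quotes and the single quotes the sample
    nests inside them ("'C:\\...'")."""
    opts = {}
    for switch, value in re.findall(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?', cmdline):
        opts[switch.lower()] = value.strip('"').strip("'") if value else True
    return opts


def is_standard_root(path):
    """True when the path lives under C:\\Windows or either Program Files tree."""
    parts = PureWindowsPath(path).parts
    return len(parts) > 1 and parts[1].lower() in STANDARD_ROOTS


def triage_task(cmdline):
    """Return (opts, reasons) for a /create command line, or None for other verbs."""
    opts = parse_schtasks_create(cmdline)
    if "create" not in opts:
        return None
    reasons = []
    if str(opts.get("sc", "")).upper() == "MINUTE":
        minutes = int(opts.get("mo", "1"))  # schtasks defaults /mo to 1 for MINUTE
        if minutes <= FAST_CADENCE_MINUTES:
            reasons.append(f"re-runs every {minutes} min (relaunch loop)")
    target = opts.get("tr", "")
    if target and not is_standard_root(target):
        reasons.append(f"target outside Windows/Program Files: {target}")
    if "\\" not in str(opts.get("tn", "")):
        reasons.append("registered at the root of the task library, not in a vendor folder")
    if "f" in opts:
        reasons.append("/f overwrites any existing task with this name")
    return opts, reasons


if __name__ == "__main__":
    for line in (REPORT_CMDLINE, BENIGN_CMDLINE, USERPROFILE_CMDLINE):
        opts, reasons = triage_task(line)
        print(opts.get("tn"), "->", opts.get("tr"), reasons or "ok")
```

The report's command line trips all four rules; the constructed vendor task trips none. Feed it real Sysmon Event ID 1 or Security 4698 command lines and treat three or more reasons as worth a look.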
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: ComInto.exe (PID 2804, once), spoolsv.exe (PID 320, nine times)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: ComInto.exe (PID 2804) and spoolsv.exe (PID 320) each enabled SeDebugPrivilege.
Suspicious use of WriteProcessMemory (27 IoCs)
Processes: Riga Client.exe, WScript.exe, cmd.exe, ComInto.exe, spoolsv.exe, cmd.exe. Every write goes from a parent into a child it had just created, repeated three or four times per child:
- 1896 Riga Client.exe -> 3060 WScript.exe (4)
- 3060 WScript.exe -> 1980 cmd.exe (4)
- 1980 cmd.exe -> 2804 ComInto.exe (4)
- 2804 ComInto.exe -> 320 spoolsv.exe (3)
- 320 spoolsv.exe -> 1572 WScript.exe (3)
- 320 spoolsv.exe -> 3048 WScript.exe (3)
- 320 spoolsv.exe -> 1644 cmd.exe (3)
- 1644 cmd.exe -> 2904 w32tm.exe (3)
No write targets a process the sample did not start itself, so this list restates the process tree rather than showing injection into a pre-existing process.
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; [N] is the nesting depth)

[1] C:\Users\Admin\AppData\Local\Temp\Riga Client.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\Riga Client.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1896
  [2] C:\Windows\SysWOW64\WScript.exe
      Command: "C:\Windows\System32\WScript.exe" "C:\componentCommon\TsZJDcKjHujznUYiyXhQefVwV2.vbe"
      - Suspicious use of WriteProcessMemory
      PID: 3060
    [3] C:\Windows\SysWOW64\cmd.exe
        Command: cmd /c ""C:\componentCommon\j1nvYpGjbyEFrc.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1980
      [4] C:\componentCommon\ComInto.exe
          Command: "C:\componentCommon\ComInto.exe"
          - Modifies WinLogon for persistence
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2804
        [5] C:\Users\Default User\spoolsv.exe
            Command: "C:\Users\Default User\spoolsv.exe"
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 320
          [6] C:\Windows\System32\WScript.exe
              Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eeba68d-8cbf-45ae-8309-1c19845f098d.vbs"
              PID: 1572
          [6] C:\Windows\System32\WScript.exe
              Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\440f4fe4-9dcd-433f-a114-d591f0d5e174.vbs"
              PID: 3048
          [6] C:\Windows\system32\cmd.exe
              Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat" "
              - Suspicious use of WriteProcessMemory
              PID: 1644
            [7] C:\Windows\system32\w32tm.exe
                Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                PID: 2904

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\componentCommon\conhost.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2724

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\componentCommon\conhost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1044

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\componentCommon\conhost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2792

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\dwm.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2528

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2292

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2544

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\dwm.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2496

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2548

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2116

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsass.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2384

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsass.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1644

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsass.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2904

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2452

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2540

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2892

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2964

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2896

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2956

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\componentCommon\explorer.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2816

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\componentCommon\explorer.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2684

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\componentCommon\explorer.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2924

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 456

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1072

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2376

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2320

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 988

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2596

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\componentCommon\smss.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2056

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\componentCommon\smss.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2740

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\componentCommon\smss.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1792

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2340

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2032

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2092

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\csrss.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1444

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2044

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1424

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1464

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1200

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1492

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "ComInto" /f
    - Process spawned unexpected child process
    PID: 2280

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "ComIntoC" /f
    - Process spawned unexpected child process
    PID: 2336

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "conhost" /f
    - Process spawned unexpected child process
    PID: 2508

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "conhostc" /f
    - Process spawned unexpected child process
    PID: 2640

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "dwm" /f
    - Process spawned unexpected child process
    PID: 2532

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "dwmd" /f
    - Process spawned unexpected child process
    PID: 1068

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "dwm" /f
    - Process spawned unexpected child process
    PID: 2724

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "dwmd" /f
    - Process spawned unexpected child process
    PID: 2136

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "lsass" /f
    - Process spawned unexpected child process
    PID: 2624

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "lsassl" /f
    - Process spawned unexpected child process
    PID: 2148

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "explorer" /f
    - Process spawned unexpected child process
    PID: 2828

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "explorere" /f
    - Process spawned unexpected child process
    PID: 2936

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "services" /f
    - Process spawned unexpected child process
    PID: 2944

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "servicess" /f
    - Process spawned unexpected child process
    PID: 2132

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "explorer" /f
    - Process spawned unexpected child process
    PID: 2972

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "explorere" /f
    - Process spawned unexpected child process
    PID: 2384

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "dllhost" /f
    - Process spawned unexpected child process
    PID: 1340

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "dllhostd" /f
    - Process spawned unexpected child process
    PID: 2668

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "spoolsv" /f
    - Process spawned unexpected child process
    PID: 2284

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "spoolsvs" /f
    - Process spawned unexpected child process
    PID: 2360

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "smss" /f
    - Process spawned unexpected child process
    PID: 1236

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "smsss" /f
    - Process spawned unexpected child process
    PID: 676

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "lsm" /f
    - Process spawned unexpected child process
    PID: 2076

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "lsml" /f
    - Process spawned unexpected child process
    PID: 928

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "csrss" /f
    - Process spawned unexpected child process
    PID: 2312

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "csrssc" /f
    PID: 2308

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "lsm" /f
    PID: 2388

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "lsml" /f
    PID: 1132

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "spoolsv" /f
    PID: 1984

[1] C:\Windows\system32\schtasks.exe
    Command: schtasks.exe /delete /tn "spoolsvs" /f
    PID: 2988
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- Filesize 345B
  MD5 79a3e3eeb67d3edb02af27b72bd75321
  SHA1 f4625739a92dd23b631c8bc23926e8a60c43e279
  SHA256 851c6f81f9c0ea6170677086a0984120b1aca6040798674a8b6e26e3b333fd9b
  SHA512 cb629955b83ed25bacfcd6707ab818c376603b559c9c7a25a185aa962cd5801fd703b5409de7acb40f371288ddf94621c1e4df7c3a3e542e97e6f273a6660650
- Filesize 849B
  MD5 7445351786bd3cf0ebd2c2b5ef9062c4
  SHA1 3c4b409cfe491042a9dd831808d260c5a3b5c3c6
  SHA256 16aaaeb4d431d11ec24506018c352f616467a509548552a9ba803d2f7696f03a
  SHA512 5a3e3450b00295395b9324124da560fa6f768e53459d736b24c5d02ba436c51bd27b8644e1baf6d131e6501ee77bb723f3441e2ba019935829c7d5ba5a3c37f0
- Filesize 174B
  MD5 ce156a0b1c72f3f79a24f4f23ae67c05
  SHA1 992dbcd97efd63858e318a2a98ef2fab4ef23e9c
  SHA256 85cc25acef14e7d68089867d8d03311a90051d72466109bff496af9987f7ede1
  SHA512 da2984456fae1b4862f41b83331151149d34923169305b70b3ccb28289f24babbfdafaaca9649ea19a3b13875dc4e9808d298fb9f6c9bf8687fc47d217994ce2
- Filesize 140B
  MD5 580a8e263196690afa5c429cb74244b8
  SHA1 d6202a12f60f4a2f9fca4731c833186a3f6c042f
  SHA256 73b6054a682a4d3d2fb6a563a1c2941ec1870ecd81ca94c45423cdb14fe7ad64
  SHA512 a553d164c154804e8075e1d5dcef6290e6c62ae5d0d27db7f5f1fcfd8b0702cb9c2f2fcd45b568add3dbdcd415a11d43ba3b12a302b3bedc5972ea8093e3ad60
- Filesize 222B
  MD5 0f91eeb84dce2aa1ebd5a2994a17cb7a
  SHA1 d563b8bc8baf522f6fe439d7c51bda45351c37e9
  SHA256 6213d0e65dd80c966f424a16849ff5f9c2382e7877d1210bc081aa9f1e0c5727
  SHA512 1502d5468fa5507e0d4e8584b1008df79340a5c2f933563e8e4813cccf04bacafe1eccb011e099294f4347b0b45dfed39c743f16c8d4e4be69195dcbffbe1d74
- Filesize 485B
  MD5 949a215f98fd1f7395bd0f06a3786032
  SHA1 c5a0d40f88838f393f0b178e03854363bb9e610f
  SHA256 4d0bf02924dd346cc2457dbb40494e5690f33a8b1fcbd79c35f158879c0305c2
  SHA512 ba504d29d6189050cb5696d836f8493f4d040526b9529025d28b7c59b3a28603eca394d9fdef41d16b05811b5dd9bceeda27b10cc80ffda74ab16efe1b87b57a
- Filesize 255B
  MD5 ce4a512a2c58bba98729f49c51708e61
  SHA1 ccd59ce6b3c57c990f517a230e840d90257f078d
  SHA256 13ebf0b0fa972539c5b04155ff1bf4fcaf15e83b01f25b99aee9017bc0211f65
  SHA512 02558040d751f88ddac7d628e35298e2d3ee8d16f27dcd9818ca48980d9da5c5ae3250962776a88caa31598605af115813c6d998f35843f6989862aceaf3ee31
- Filesize 708B
  MD5 c5d202211ff88e7e0dbe470f032b2ba0
  SHA1 0a547f9e91c39c3f0e53b8d46c41e3793f9f9169
  SHA256 0cbefad56c6141b03d375349d56d292de6d8f1fd3f149008b9df25cb65f41e35
  SHA512 7ae5fbf97050f76cc6208acb0a13b3140bc4854e2a13e3eda8e66c061f8f2e3699ac9f29e7c4b4b67e147b8db36276adc2d3eed45768c1834c1e086e0a044d17
- Filesize 484B
  MD5 cff7cf832ab47a76414c576e5db3158a
  SHA1 dad16bea43d57a2f5609427907cd6822e105d93c
  SHA256 92ead13ab9c261536d17ebe20fa16f6993200e69db9bdf6edb746d031c6489cb
  SHA512 3e9c462699f6afacfca1e36a1de373f78134e00d2743f8d583c4455b165cdc7651f87a41a35d87654ab1ddcf2273067d9bae8713819dba7d50137fb35635ad15
- Filesize 378B
  MD5 c8ccb57b827e7808987f3a72338aa0a7
  SHA1 ca9c3380959fca112455fed50f0436836fee02be
  SHA256 5473ef49447c729790cc3f871e2c6550bdddff4047c82e8d1384c9354eaccad1
  SHA512 e76a9b98fa681c69d69da19ce84ef38a2c77d153fc87f25abd1ebbbf07609af469894d6c57efced68277a850c81cbab45c8636ff90a7905fb9491a962c25fffc
- Filesize 770B
  MD5 483293cdff6705336846afc9bb41219b
  SHA1 a65f7d2b8defcf095aafce690ee7a07e8bd09b46
  SHA256 25a40b6c382b886b313d97c2d28f8fe8897dbca1f18694deb4fc4f166f9a7926
  SHA512 ef432d5aff5e84cbc6705fcc61fe2f4722d0388de2c64026ee78cf1544b5024ee4df02844d11c551928acc5ef8bdd2dc39e3a36714ef33e4f793887dc80f7ad6
- Filesize 804B
  MD5 db726b6c98fab37ecc15ee38db003995
  SHA1 2c82b82c39b888a0eaea3ee07033b18a9142e7e1
  SHA256 078522288fa7b990dd5487f2644206ed1e13ec323d79d82184d978ee09f9fc0a
  SHA512 182c25fda1e189297b9cc1dcffa760417db0a1e613d63a5f64bfe997b0a24ffceb85884cb5597f8a80642eb9810a150a2f1d42c71d76af11cee323d017bf40c5
- Filesize 245B
  MD5 dd69a4d47560c1b488641f1ff4d6083a
  SHA1 64950ad1970471eae3e16e3c0df5d72970e0a59b
  SHA256 e9b15099fd01dfc6334276c27b8d90353ea29e030ffa046428c366c126fa4ac0
  SHA512 74a6c957924980156327d5e8da3aaacf8d40bf21b7748a7cf582dbf2249f2288f34e419afc5319eb1526aad4e21f5d8bba12684a75b0be09b28a8c8419d36f69
- Filesize 967B
  MD5 fb653a64037487546ff6e5492fbefa0d
  SHA1 d033015851d5e249971712a74e2a4861a76c854a
  SHA256 f662c9d47ec5031b8545482d6b27e8054d947c840902bed57c9dd67eb21fff3e
  SHA512 09bcbea1eeb62888966e0980138b98fd38c11163db6442a383166a925dc3c4df032fa22ebe2d9bb827a31a60e7738cb5ff342b39fda4c1ed5e5a63f6b4e164f1
- Filesize 681B
  MD5 69521eff073f08bbad5ca7d2f9b131f5
  SHA1 7e48c316875f6eb2686d116ca78696ad48a4ba6b
  SHA256 19a444711a33ff507bd693bff214c263659f97fef5761ab1db19a20304ae8a94
  SHA512 2421867c3e842977769422a34d5d31da39555f40c81e3b9faadf90bf5b8fc68a36bc533e7d7f35efc79cf83b388b511701600d094f744cd745e76003e60f4915
- Filesize 206B
  MD5 e986ea5d4cac976a6de65d3f1ef8b332
  SHA1 6465da0abcfac05b8ed1f32b9cca57e2e2f54aea
  SHA256 3ad8783bacfea22158df341d1bbedf8f6f0dcc4d9504555b36a756d2fcd83831
  SHA512 896934c1a2941a8edfd38b03a858fc589cfb6622ae75019a542638be0c9c4e436aacd0916196dd71442d1a90404afa29d2864c92401222ff5ec2a712d873fa11
- Filesize 32B
  MD5 a0b9b0891c2cae67cd1beae705d09d4f
  SHA1 997953188d6226de19faa0ab4e8fdbddf1fb5617
  SHA256 13593fab7a2113730fdbe4cbf436dde9a26116cda0bd4a33dff27d5678e9f9fc
  SHA512 bdcd0c6a765c3927180706f7b30f2ea0f7cab6f27e512433839ebe3f6cb148923a6733ae954c24fa6eedeca97b8dc01cae945eea07e1121ff74885a69b34f2bb
- Filesize 1.6MB
  MD5 9a0cee5a5ce317b7a70f88bb6aaa49e1
  SHA1 95a779063656075a8ddc2f2164393fa59e3c93d9
  SHA256 701924dd5d93b99a1e90fcd92f399c4453455e78375125f7a06aca20b84956bc
  SHA512 d9c6240b6809c3decbdf4d97aca246f308670097b704b47449c53d8dc121f391d3ec6596f7947c36a01a388eeefe6f9ac9785698cf743f8a89c7cbf7b9da41a4