Analysis

  • max time kernel
    138s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240704-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    18-07-2024 17:36

General

  • Target

    7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe

  • Size

    1.2MB

  • MD5

    76552f8bd7533c66bc900c75abdc0ea7

  • SHA1

    9a682fc922b82e6896c9892efb85687586963355

  • SHA256

    7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f

  • SHA512

    4479dc402d8f9ddf9d8fcb46d9a5048484e59e91b5f4c0b1efd6042ab287556fc028f5e3f0ae03856521bdc346613d848469732de77150719d14dfa3c5171b77

  • SSDEEP

    24576:sMYo92G/nvxW3Ww0tp6A3bEXxdhJGx+RYdVmX9ddqGC:/NbA30QArEX+x+en

Score
10/10

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.

  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe
    "C:\Users\Admin\AppData\Local\Temp\7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f.exe"
    1⤵
    • DcRat
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
          PID:2244
      • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
        "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\surrogatereviewRuntimebrokerMonitor\MUbLhzNCHv2Ljaa6Ortas1tSg5Ijz.vbe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\surrogatereviewRuntimebrokerMonitor\QoneXY9Lni2fLPRVpDBSwrtS8.bat" "
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2788
            • C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe
              "C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe"
              5⤵
              • DcRat
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2636
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blvzfr8VOd.bat"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2548
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:1600
                  • C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe
                    "C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe"
                    7⤵
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Drops file in Windows directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1728
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddgKr4kWhX.bat"
                      8⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1608
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2648
                        • C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\explorer.exe
                          "C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\explorer.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: GetForegroundWindowSpam
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3048
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2880
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2100
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Solitaire\fr-FR\sppsvc.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2008
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\fr-FR\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1180
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Solitaire\fr-FR\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:1800
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\smss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2916
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2036
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:1664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\smss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2660
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2920
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1820
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          PID:1460
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:1640
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1924
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1216
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\System.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2288
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\surrogatereviewRuntimebrokerMonitor\taskhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1576
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:688
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\surrogatereviewRuntimebrokerMonitor\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1492
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\wininit.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2404
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:2024
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1184
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:408
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:352
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "hostNeth" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\hostNet.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:2992
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "hostNet" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\hostNet.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:468
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "hostNeth" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\hostNet.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:1236
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:2136
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:2584
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1420
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\surrogatereviewRuntimebrokerMonitor\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          PID:664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:2200
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\surrogatereviewRuntimebrokerMonitor\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:912
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\surrogatereviewRuntimebrokerMonitor\services.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:3036
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2940
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\surrogatereviewRuntimebrokerMonitor\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1064
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2640
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1808
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2372
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1748
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1760
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:1768
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2820
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2872
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2756
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2708
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2864
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\surrogatereviewRuntimebrokerMonitor\OSPPSVC.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3052
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\OSPPSVC.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3056
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\surrogatereviewRuntimebrokerMonitor\OSPPSVC.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1656
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\lsm.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1996
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\lsm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1512
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\lsm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:832
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\surrogatereviewRuntimebrokerMonitor\smss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2000
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2016
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\surrogatereviewRuntimebrokerMonitor\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1800
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2932
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:1472
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:336
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\csrss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:2588
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
          1⤵
            PID:2252
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:2920
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\explorer.exe'" /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:536
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:2944
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Scheduled Task/Job: Scheduled Task
            PID:320
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\surrogatereviewRuntimebrokerMonitor\dllhost.exe'" /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2368
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\dllhost.exe'" /rl HIGHEST /f
            1⤵
              PID:3004
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\surrogatereviewRuntimebrokerMonitor\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1092
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2428
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:960
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\services.exe'" /rl HIGHEST /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:636
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\surrogatereviewRuntimebrokerMonitor\audiodg.exe'" /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:1576
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\audiodg.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:1216
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\surrogatereviewRuntimebrokerMonitor\audiodg.exe'" /rl HIGHEST /f
              1⤵
                PID:328
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\sppsvc.exe'" /f
                1⤵
                • DcRat
                • Scheduled Task/Job: Scheduled Task
                PID:1880
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                • DcRat
                PID:944
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\sppsvc.exe'" /rl HIGHEST /f
                1⤵
                • DcRat
                PID:1492
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\de-DE\WmiPrvSE.exe'" /f
                1⤵
                • DcRat
                • Scheduled Task/Job: Scheduled Task
                PID:2412
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
                1⤵
                • DcRat
                • Scheduled Task/Job: Scheduled Task
                PID:1744
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
                1⤵
                  PID:2488
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\Idle.exe'" /f
                  1⤵
                  • DcRat
                  • Scheduled Task/Job: Scheduled Task
                  PID:2448
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\Idle.exe'" /rl HIGHEST /f
                  1⤵
                    PID:1752
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\Idle.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    PID:892
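The schtasks command lines above follow one fixed pattern. Every dropped copy of the RAT is registered three times: a MINUTE trigger with a small /mo value, an ONLOGON trigger, and a second MINUTE trigger, the latter two with /rl HIGHEST and all with /f. The task name is either the target's file name or that name with its own first letter appended (audiodg → audiodga, smss → smsss, lsass → lsassl, Idle → IdleI), and the targets borrow Windows process names (lsass.exe, csrss.exe, smss.exe, WmiPrvSE.exe) while living in Recovery, Program Files localisation folders or the attacker's own directory rather than System32. The Python below is an added detection example, not part of this report or of any sandbox product. It parses schtasks /create lines copied from the Processes section (plus one constructed benign line for contrast) and flags those traits; the name list, the "legitimate location" prefixes and the 15-minute threshold are the author's assumptions, not values taken from the report. The same logic can be pointed at Sysmon Event ID 1 or EDR command-line telemetry.

```python
import ntpath
import re

# Windows process names DCRat borrows for its dropped copies (assumption: list built
# from the targets in this report). "System" and "Idle" are Task Manager pseudo-processes,
# never real executables, so any file by those names is suspect.
SYSTEM_PROCESS_NAMES = {
    "audiodg", "lsass", "smss", "csrss", "winlogon", "services", "wininit",
    "explorer", "dllhost", "conhost", "taskhost", "spoolsv", "sppsvc",
    "wmiprvse", "osppsvc", "lsm", "system", "idle",
}

# Where the genuine binaries live (assumption); explorer.exe sits directly under C:\Windows.
LEGIT_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LEGIT_EXACT = {"c:\\windows\\explorer.exe"}

# Command lines copied from the Processes section of this report. The last line is a
# constructed benign control and does not come from the report.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /f""",
    r"""schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\lsass.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\smss.exe'" /f""",
    r"""schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\Idle.exe'" /f""",
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /rl HIGHEST""",
]


def _flag(cmdline, name):
    """Return the value of /<name>, with the outer double and inner single quotes stripped."""
    m = re.search(r'/%s\s+("[^"]*"|\S+)' % name, cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1).strip('"').strip("'")


def parse_schtasks(cmdline):
    """Pull the persistence-relevant flags out of a schtasks /create command line."""
    return {
        "task": _flag(cmdline, "tn"),
        "schedule": _flag(cmdline, "sc"),
        "modifier": _flag(cmdline, "mo"),
        "target": _flag(cmdline, "tr"),
        "runlevel": _flag(cmdline, "rl"),
        "force": re.search(r"\s/f\b", cmdline, re.IGNORECASE) is not None,
    }


def analyze(cmdline):
    """Return (parsed flags, list of findings) for one schtasks command line."""
    info = parse_schtasks(cmdline)
    findings = []
    target = info["target"] or ""
    stem = ntpath.splitext(ntpath.basename(target))[0].lower()
    path = target.lower()

    # 1. A Windows process name pointed at a path where that binary never lives.
    if stem in SYSTEM_PROCESS_NAMES and not path.startswith(LEGIT_PREFIXES) and path not in LEGIT_EXACT:
        findings.append("system-binary name outside System32")

    # 2. Task name is the target's stem, or the stem with its first letter appended
    #    (audiodg -> audiodga, smss -> smsss, Idle -> IdleI), as throughout this report.
    task = (info["task"] or "").lower()
    if task and stem and task in (stem, stem + stem[0]):
        findings.append("task name derived from target name")

    # 3. Highest run level created non-interactively and overwriting any existing task.
    if (info["runlevel"] or "").upper() == "HIGHEST" and info["force"]:
        findings.append("/rl HIGHEST with /f")

    # 4. Re-launch every few minutes is a watchdog, not a maintenance job (15 min is an assumption).
    mo = info["modifier"]
    if (info["schedule"] or "").upper() == "MINUTE" and mo and mo.isdigit() and int(mo) <= 15:
        findings.append("re-launch every %s minute(s)" % mo)

    return info, findings


def triage(cmdlines):
    """Run analyze() over many command lines and keep only those with findings."""
    hits = []
    for line in cmdlines:
        info, findings = analyze(line)
        if findings:
            hits.append((info["task"], info["target"], findings))
    return hits


if __name__ == "__main__":
    for task, target, findings in triage(SAMPLE_CMDLINES):
        print("%-14s %s\n    %s" % (task, target, "; ".join(findings)))
```

Rule 2 is the highest-signal one for this family: a legitimate task is almost never named after its binary's stem plus a single repeated letter, and it holds for all 30 task/target pairs in this report. Rules 3 and 4 on their own will also match legitimate administrative tasks, so treat them as scoring factors rather than stand-alone alerts.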

                  Network

                  MITRE ATT&CK Enterprise v15

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                    Filesize: 102KB
                    MD5: c137c5f5287d73a94d55bc18df238303
                    SHA1: 95b4b01775bea14feaaa462c98d969eb81696d2c
                    SHA256: d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0
                    SHA512: ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

                  • C:\Users\Admin\AppData\Local\Temp\blvzfr8VOd.bat
                    Filesize: 215B
                    MD5: 0e151f4d7364edd0dfb3fcd2f75459e8
                    SHA1: 22cd0191190a69c0064dd22342275e5bc82d0fd2
                    SHA256: 696d54419ed0bc9ff58ede74b6d95e558a11dfbf19d4af3d9b47d002b1055c30
                    SHA512: bf50a468ddb7c78afe6480758e032add6f06334c362a188c28b0612999abdcd7f5bed6e24ac41649e542bab77b7a5e2e6b3730ebe61f0fc956f4cca61157b0c9

                  • C:\Users\Admin\AppData\Local\Temp\ddgKr4kWhX.bat
                    Filesize: 226B
                    MD5: b4e6bf1bed5db613a889d39ddadb685c
                    SHA1: a538b9117cc8b4174f384cea59d32e6ec553d45d
                    SHA256: 4e1a620756096a0db87feae584d2183751990e8dc79f7070fc673571f601dfd9
                    SHA512: 42f9eb19d23dffd91b2c6849d2f196817253a3f67ae6ea000f929832cc21d1ddaeb972dec03cc30f994f59ceb786cbd72ef861e001092da2ec4a2fdc236bfe28

                  • C:\surrogatereviewRuntimebrokerMonitor\MUbLhzNCHv2Ljaa6Ortas1tSg5Ijz.vbe
                    Filesize: 237B
                    MD5: 67ef89a77b03bfa1932cc54db6dce88f
                    SHA1: a2afed6d40b91cb6d48a7023fea05c0853437050
                    SHA256: 67b88c35860e20d6b83ca746c93088b98e0eb0ecfd913e769e1353e1809bef30
                    SHA512: 7bf14a84e8af2ed04908666ef48233da887d856724c91e3ae3d80bda19b50d47681b5e3e8ae39de2e434c1af5d47f945af2ed0b0b2b3ae7a46987f8b3e962652

                  • C:\surrogatereviewRuntimebrokerMonitor\QoneXY9Lni2fLPRVpDBSwrtS8.bat
                    Filesize: 52B
                    MD5: fbbcc9f113a6c0c84210f8550cffca28
                    SHA1: b3e94b80d166ad9c71260ce9674b7edd5d00aa25
                    SHA256: fdb006c74fb6e8d52546f9cbf5cbc86cd39905eac5bf29536d1e1a8d3332846f
                    SHA512: f434c8e5ad16219c4a526690c9e8bf3a139df51439fb047a0fcd77e1e939c3fb53ef4d71c0609520fb522f7bcd34f3aab192df083dd3fa75d68724d26efd03b8

                  • C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe
                    Filesize: 827KB
                    MD5: bc8b1b7e6c72022131728dd99627e1d3
                    SHA1: 0dcd162ee7a24204fb032b5e02d3f99c185e82bf
                    SHA256: 60e5109f2ee7a7ff493ea0cb43cd182f22a6a2769561f030bc4668a46d8c6d7a
                    SHA512: 9dae0a6cd1d6a26f6f03e00755dd0c05a41bcda787dc3fd6d245672058d7eed0c54b4aabdadb65c42341707e942603b0a01dbb442148949b8b7229197abca340

                  • \Users\Admin\AppData\Local\Temp\DCRatBuild.exe
                    Filesize: 1.1MB
                    MD5: d5073e19a3ad042b1f759bcd13a65a3f
                    SHA1: 9df8b87566284b169e56ee4a8b78d72ce2e3e5aa
                    SHA256: 28aee210bbeacee17831ab5acaa78551bb3c981ec8018ba3d0c2332178294e8b
                    SHA512: 89c210bf7bccf524b2dc26d5ba574c06e7c5e7233932d2f98ddf37665542c170d99589c60fd3a1d9c92b322e3c1f8694988a8f446904a4155ee495bd9cb3171e

                  • memory/1728-64-0x0000000000FD0000-0x00000000010A6000-memory.dmp
                    Filesize: 856KB

                  • memory/2392-10-0x0000000000400000-0x000000000053F000-memory.dmp
                    Filesize: 1.2MB

                  • memory/2636-27-0x0000000000970000-0x0000000000A46000-memory.dmp
                    Filesize: 856KB

                  • memory/2636-100-0x00000000001F0000-0x00000000002C6000-memory.dmp
                    Filesize: 856KB