Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 19-07-2024 11:24
Behavioral task behavioral1: sample DCrat.exe, resource win7-20240704-en
Behavioral task behavioral2: sample DCrat.exe, resource win10v2004-20240709-en
General
- Target: DCrat.exe
- Size: 3.7MB
- MD5: 22cc90f49c151e2b37d98947d4fc7390
- SHA1: 2838b3e4d3d67bd9af50535130c017f3f0e03e61
- SHA256: 1177a24b2539e173f4f9d25c0f3e43a22d23ec64b562a86b4b7ef65741734067
- SHA512: 12eae0f34661ed05742cd183dc4225949004a60d59487d9771b6789482a71821560b3ffd1c81cdb4d5cd2e289f3843b91bfdb65379810b4200c03778c9e44b22
- SSDEEP: 98304:Ubtsvkrdch4OslTJ64XIQB3MjkbFw6kzGYn:UJs8rCrsp44XIq3qztn
Malware Config
Signatures
-
DcRat 34 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
pid | process
1468 | schtasks.exe
2668 | schtasks.exe
1064 | schtasks.exe
1456 | schtasks.exe
2128 | schtasks.exe
2244 | schtasks.exe
2572 | schtasks.exe
1528 | schtasks.exe
2920 | schtasks.exe
1896 | schtasks.exe
2088 | schtasks.exe
940 | schtasks.exe
2856 | schtasks.exe
2116 | schtasks.exe
2184 | schtasks.exe
1816 | schtasks.exe
2288 | schtasks.exe
1608 | schtasks.exe
1972 | schtasks.exe
868 | schtasks.exe
608 | schtasks.exe
2456 | schtasks.exe
588 | schtasks.exe
2140 | schtasks.exe
1408 | schtasks.exe
2364 | schtasks.exe
1676 | schtasks.exe
2948 | schtasks.exe
1952 | schtasks.exe
1424 | schtasks.exe
2176 | schtasks.exe
2056 | schtasks.exe
2208 | schtasks.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | portruntimesvc.exe
-
Modifies WinLogon for persistence 2 TTPs 11 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Program Files\\Windows Portable Devices\\dllhost.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\wscript.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Program Files\\Windows Portable Devices\\dllhost.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\services.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Program Files\\Windows Portable Devices\\dllhost.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Users\\Default\\Downloads\\taskhost.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\winlogon.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\WmiPrvSE.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\wscript.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\winlogon.exe\", \"C:\\HyperSurrogateContaineragentWin\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Program Files\\Windows Portable Devices\\dllhost.exe\"" | portruntimesvc.exe
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2572 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2920 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 588 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1456 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1424 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2140 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2116 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1408 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1676 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2184 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2176 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2056 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2364 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2288 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2244 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1972 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1896 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2088 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 940 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1608 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1952 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1468 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1528 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 868 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 608 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2948 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2668 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1816 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1064 | 2392 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2456 | 2392 | schtasks.exe
-
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | portruntimesvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | portruntimesvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | portruntimesvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
-
Processes:
resource | yara_rule
\HyperSurrogateContaineragentWin\portruntimesvc.exe | dcrat
behavioral1/memory/2580-18-0x0000000000FF0000-0x000000000135A000-memory.dmp | dcrat
behavioral1/memory/1112-83-0x0000000000830000-0x0000000000B9A000-memory.dmp | dcrat
behavioral1/memory/652-95-0x00000000010E0000-0x000000000144A000-memory.dmp | dcrat
behavioral1/memory/2524-120-0x0000000000040000-0x00000000003AA000-memory.dmp | dcrat
behavioral1/memory/2668-132-0x0000000000390000-0x00000000006FA000-memory.dmp | dcrat
behavioral1/memory/572-145-0x0000000000030000-0x000000000039A000-memory.dmp | dcrat
behavioral1/memory/2116-157-0x0000000000AF0000-0x0000000000E5A000-memory.dmp | dcrat
behavioral1/memory/2648-171-0x0000000000D70000-0x00000000010DA000-memory.dmp | dcrat
-
Disables Task Manager via registry modification
-
Executes dropped EXE 13 IoCs
Processes:
pid | process
2580 | portruntimesvc.exe
1112 | wscript.exe
652 | wscript.exe
2256 | wscript.exe
2524 | wscript.exe
2668 | wscript.exe
572 | wscript.exe
2116 | wscript.exe
2648 | wscript.exe
1084 | wscript.exe
2412 | wscript.exe
832 | wscript.exe
2136 | wscript.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
2696 | cmd.exe
2696 | cmd.exe
-
Adds Run key to start application 2 TTPs 22 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Portable Devices\\dllhost.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\wscript.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\services.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Portable Devices\\dllhost.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\HyperSurrogateContaineragentWin\\winlogon.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\HyperSurrogateContaineragentWin\\winlogon.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\HyperSurrogateContaineragentWin\\WmiPrvSE.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\HyperSurrogateContaineragentWin\\WmiPrvSE.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default\\Downloads\\taskhost.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\wscript.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\wscript.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\wscript.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\services.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default\\Downloads\\taskhost.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\winlogon.exe\"" | portruntimesvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | portruntimesvc.exe
-
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | portruntimesvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | portruntimesvc.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Windows Portable Devices\dllhost.exe | portruntimesvc.exe
File created | C:\Program Files\Windows Portable Devices\5940a34987c991 | portruntimesvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1952 | schtasks.exe
2140 | schtasks.exe
2088 | schtasks.exe
2948 | schtasks.exe
2456 | schtasks.exe
1972 | schtasks.exe
2056 | schtasks.exe
2288 | schtasks.exe
1896 | schtasks.exe
1468 | schtasks.exe
868 | schtasks.exe
2128 | schtasks.exe
1676 | schtasks.exe
608 | schtasks.exe
1064 | schtasks.exe
2572 | schtasks.exe
2364 | schtasks.exe
1608 | schtasks.exe
2856 | schtasks.exe
1408 | schtasks.exe
2244 | schtasks.exe
1816 | schtasks.exe
1424 | schtasks.exe
1456 | schtasks.exe
2116 | schtasks.exe
2176 | schtasks.exe
2668 | schtasks.exe
588 | schtasks.exe
2184 | schtasks.exe
2208 | schtasks.exe
940 | schtasks.exe
1528 | schtasks.exe
2920 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2580 | portruntimesvc.exe
2580 | portruntimesvc.exe
2580 | portruntimesvc.exe
2580 | portruntimesvc.exe
2580 | portruntimesvc.exe
2580 | portruntimesvc.exe
2580 | portruntimesvc.exe
2580 | portruntimesvc.exe
2580 | portruntimesvc.exe
2580 | portruntimesvc.exe
2580 | portruntimesvc.exe
2580 | portruntimesvc.exe
2580 | portruntimesvc.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
1112 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
652 | wscript.exe
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2580 | portruntimesvc.exe
Token: SeDebugPrivilege | 1112 | wscript.exe
Token: SeDebugPrivilege | 652 | wscript.exe
Token: SeDebugPrivilege | 2256 | wscript.exe
Token: SeDebugPrivilege | 2524 | wscript.exe
Token: SeDebugPrivilege | 2668 | wscript.exe
Token: SeDebugPrivilege | 572 | wscript.exe
Token: SeDebugPrivilege | 2116 | wscript.exe
Token: SeDebugPrivilege | 2648 | wscript.exe
Token: SeDebugPrivilege | 1084 | wscript.exe
Token: SeDebugPrivilege | 2412 | wscript.exe
Token: SeDebugPrivilege | 832 | wscript.exe
Token: SeDebugPrivilege | 2136 | wscript.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
DCrat.exe, WScript.exe, cmd.exe, portruntimesvc.exe, cmd.exe, wscript.exe, WScript.exe, wscript.exe, WScript.exe, wscript.exe, WScript.exe, wscript.exe, WScript.exe
description | pid | process | target process
PID 2712 wrote to memory of 2956 | 2712 | DCrat.exe | WScript.exe
PID 2712 wrote to memory of 2956 | 2712 | DCrat.exe | WScript.exe
PID 2712 wrote to memory of 2956 | 2712 | DCrat.exe | WScript.exe
PID 2712 wrote to memory of 2956 | 2712 | DCrat.exe | WScript.exe
PID 2712 wrote to memory of 2428 | 2712 | DCrat.exe | WScript.exe
PID 2712 wrote to memory of 2428 | 2712 | DCrat.exe | WScript.exe
PID 2712 wrote to memory of 2428 | 2712 | DCrat.exe | WScript.exe
PID 2712 wrote to memory of 2428 | 2712 | DCrat.exe | WScript.exe
PID 2956 wrote to memory of 2696 | 2956 | WScript.exe | cmd.exe
PID 2956 wrote to memory of 2696 | 2956 | WScript.exe | cmd.exe
PID 2956 wrote to memory of 2696 | 2956 | WScript.exe | cmd.exe
PID 2956 wrote to memory of 2696 | 2956 | WScript.exe | cmd.exe
PID 2696 wrote to memory of 2580 | 2696 | cmd.exe | portruntimesvc.exe
PID 2696 wrote to memory of 2580 | 2696 | cmd.exe | portruntimesvc.exe
PID 2696 wrote to memory of 2580 | 2696 | cmd.exe | portruntimesvc.exe
PID 2696 wrote to memory of 2580 | 2696 | cmd.exe | portruntimesvc.exe
PID 2580 wrote to memory of 692 | 2580 | portruntimesvc.exe | cmd.exe
PID 2580 wrote to memory of 692 | 2580 | portruntimesvc.exe | cmd.exe
PID 2580 wrote to memory of 692 | 2580 | portruntimesvc.exe | cmd.exe
PID 692 wrote to memory of 924 | 692 | cmd.exe | w32tm.exe
PID 692 wrote to memory of 924 | 692 | cmd.exe | w32tm.exe
PID 692 wrote to memory of 924 | 692 | cmd.exe | w32tm.exe
PID 2696 wrote to memory of 1016 | 2696 | cmd.exe | reg.exe
PID 2696 wrote to memory of 1016 | 2696 | cmd.exe | reg.exe
PID 2696 wrote to memory of 1016 | 2696 | cmd.exe | reg.exe
PID 2696 wrote to memory of 1016 | 2696 | cmd.exe | reg.exe
PID 692 wrote to memory of 1112 | 692 | cmd.exe | wscript.exe
PID 692 wrote to memory of 1112 | 692 | cmd.exe | wscript.exe
PID 692 wrote to memory of 1112 | 692 | cmd.exe | wscript.exe
PID 1112 wrote to memory of 1908 | 1112 | wscript.exe | WScript.exe
PID 1112 wrote to memory of 1908 | 1112 | wscript.exe | WScript.exe
PID 1112 wrote to memory of 1908 | 1112 | wscript.exe | WScript.exe
PID 1112 wrote to memory of 2956 | 1112 | wscript.exe | WScript.exe
PID 1112 wrote to memory of 2956 | 1112 | wscript.exe | WScript.exe
PID 1112 wrote to memory of 2956 | 1112 | wscript.exe | WScript.exe
PID 1908 wrote to memory of 652 | 1908 | WScript.exe | wscript.exe
PID 1908 wrote to memory of 652 | 1908 | WScript.exe | wscript.exe
PID 1908 wrote to memory of 652 | 1908 | WScript.exe | wscript.exe
PID 652 wrote to memory of 1196 | 652 | wscript.exe | WScript.exe
PID 652 wrote to memory of 1196 | 652 | wscript.exe | WScript.exe
PID 652 wrote to memory of 1196 | 652 | wscript.exe | WScript.exe
PID 652 wrote to memory of 1492 | 652 | wscript.exe | WScript.exe
PID 652 wrote to memory of 1492 | 652 | wscript.exe | WScript.exe
PID 652 wrote to memory of 1492 | 652 | wscript.exe | WScript.exe
PID 1196 wrote to memory of 2256 | 1196 | WScript.exe | wscript.exe
PID 1196 wrote to memory of 2256 | 1196 | WScript.exe | wscript.exe
PID 1196 wrote to memory of 2256 | 1196 | WScript.exe | wscript.exe
PID 2256 wrote to memory of 1760 | 2256 | wscript.exe | WScript.exe
PID 2256 wrote to memory of 1760 | 2256 | wscript.exe | WScript.exe
PID 2256 wrote to memory of 1760 | 2256 | wscript.exe | WScript.exe
PID 2256 wrote to memory of 668 | 2256 | wscript.exe | WScript.exe
PID 2256 wrote to memory of 668 | 2256 | wscript.exe | WScript.exe
PID 2256 wrote to memory of 668 | 2256 | wscript.exe | WScript.exe
PID 1760 wrote to memory of 2524 | 1760 | WScript.exe | wscript.exe
PID 1760 wrote to memory of 2524 | 1760 | WScript.exe | wscript.exe
PID 1760 wrote to memory of 2524 | 1760 | WScript.exe | wscript.exe
PID 2524 wrote to memory of 1932 | 2524 | wscript.exe | WScript.exe
PID 2524 wrote to memory of 1932 | 2524 | wscript.exe | WScript.exe
PID 2524 wrote to memory of 1932 | 2524 | wscript.exe | WScript.exe
PID 2524 wrote to memory of 1016 | 2524 | wscript.exe | WScript.exe
PID 2524 wrote to memory of 1016 | 2524 | wscript.exe | WScript.exe
PID 2524 wrote to memory of 1016 | 2524 | wscript.exe | WScript.exe
PID 1932 wrote to memory of 2668 | 1932 | WScript.exe | wscript.exe
PID 1932 wrote to memory of 2668 | 1932 | WScript.exe | wscript.exe
-
System policy modification 1 TTPs 39 IoCs
Processes:
wscript.exe, wscript.exe, wscript.exe, wscript.exe, wscript.exe, wscript.exe, portruntimesvc.exe, wscript.exe, wscript.exe, wscript.exe, wscript.exe, wscript.exe, wscript.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | portruntimesvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | portruntimesvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | portruntimesvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DCrat.exe
"C:\Users\Admin\AppData\Local\Temp\DCrat.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\HyperSurrogateContaineragentWin\bGPSMCCx73WsREqaBZfJC0ze9BBQbq.vbe" 2⤵
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\HyperSurrogateContaineragentWin\Trh5bm.bat" " 3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\HyperSurrogateContaineragentWin\portruntimesvc.exe
"C:\HyperSurrogateContaineragentWin\portruntimesvc.exe" 4⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2580 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XuKa62DI0l.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵
PID:924
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe" 6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1112 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48d04892-a3cf-4ca5-82b3-6f932380e804.vbs" 7⤵
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe" 8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:652 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6e6a87f-6ead-4114-9d9b-bbe2df5a2cf0.vbs" 9⤵
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe" 10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2256 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96410553-6d5d-477c-a835-db803e91f8e3.vbs" 11⤵
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe" 12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2524 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15d1e7de-0093-4918-a3ef-6d7dc342c204.vbs" 13⤵
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe" 14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2668 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\833958fd-ae7c-4c63-8431-3c6e2f8c1eec.vbs" 15⤵
PID:1120
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe" 16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:572 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0169f93b-8112-43ff-aead-313c69d8efab.vbs" 17⤵
PID:2368
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe" 18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2116 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebe45706-d2c8-4d96-a437-a69ad62542dd.vbs" 19⤵
PID:1520
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe" 20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2648 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd872ec3-cd30-4ecf-8699-1b2b3b7a8de5.vbs" 21⤵
PID:2524
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe" 22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1084 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84656bd3-bdf1-4d14-ab39-fbe4374bd092.vbs" 23⤵
PID:2600
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe" 24⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2412 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ead3c224-1cfe-4fee-b25c-48b10cce21f8.vbs" 25⤵
PID:1468
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe" 26⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:832 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf1abfda-a1df-48eb-9764-3ecd88b91804.vbs" 27⤵
PID:2164
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe" 28⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2136 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccd7564f-3d5a-4cfa-acba-72e59a949530.vbs" 29⤵
PID:1800
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c180b9d5-2b83-4517-8dc2-73ed8a4b6df6.vbs" 27⤵
PID:2920
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3951f787-844e-441d-bf8f-dcce7fe3e8e0.vbs" 25⤵
PID:2984
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b9f2b4e-0187-4572-bef1-4f4b1679bda8.vbs" 23⤵
PID:1708
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0ae3d1a-07ec-46c5-9a4f-3d220644da4e.vbs" 21⤵
PID:1464
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2916988c-3199-4cc0-b53b-cdb1a886867c.vbs" 19⤵
PID:2224
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b84ffa6-f791-43fd-bf44-7ac2d82a8451.vbs" 17⤵
PID:2260
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea01abc8-dfd6-4f25-9b30-56f4291a8c25.vbs" 15⤵
PID:2780
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f789bacc-9843-442a-8bb0-ed8c384b8890.vbs" 13⤵
PID:1016
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4275a316-a08c-4244-ba51-0bcd3e2b0200.vbs" 11⤵
PID:668
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84c9f1cb-ca87-4d0b-9a54-d6ad648e5257.vbs" 9⤵
PID:1492
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49fc3cb3-6b85-4d6f-80a1-aaef0fad8954.vbs" 7⤵
PID:2956
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f 4⤵
- Modifies registry key
PID:1016 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\HyperSurrogateContaineragentWin\file.vbs" 2⤵
PID:2428
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\winlogon.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\winlogon.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\winlogon.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\HyperSurrogateContaineragentWin\winlogon.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\HyperSurrogateContaineragentWin\winlogon.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\HyperSurrogateContaineragentWin\winlogon.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\HyperSurrogateContaineragentWin\WmiPrvSE.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\HyperSurrogateContaineragentWin\WmiPrvSE.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\HyperSurrogateContaineragentWin\WmiPrvSE.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\wscript.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\wscript.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\wscript.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Downloads\taskhost.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\taskhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\taskhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads
-
Filesize
167B
MD5 44e4cd0532339b7e22611a09c8220999
SHA1 8f742acb720ef17baa41ef700c29a3af5582bef9
SHA256 d4ecf707a041c14ab6e6719b4c0bcdea96c159865ff6ef80fd73de0b26b695c8
SHA512 f10dfda0fc0021f642fc0689a8d217052e50c9e58d1057c2f26005df0433e3af54ac77331d9059746804ddb72589f0e4ec3f50c53b1576efb09134e2aa691809
-
Filesize
214B
MD5 bbd4951dfa4c586309c29313a1acc7b9
SHA1 b16961014ff484fee5c5548506fa9f8786ead667
SHA256 e6a2ee525011550a1508f69a603a3b485e35ec89b9783171cff58a4adccb1fee
SHA512 5a7985a58c283240a7c999521a14a8befe71db33d9023f06a78870c663fefbfeac5b9acafc114937ea44ddffb97bad88c448a0c2d025aa21f73d7941b3aaa50e
-
Filesize
34B
MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
749B
MD5 65b3b4aa49b4a0c4a0410055538c7bbc
SHA1 e8347ca00048fae68a26375d4309625cade3a666
SHA256 2b636aae5d1738676c6a22375b23868fcf870eec84b3d77779fd23a19a296582
SHA512 509d5ead7392bcfc8f62e8a8bd4d87769f02d5bb7b82ebb285803f1609de87a32b6071e24b5a01852323a760ad9b6e1088a3b028c62510a47ec1258735d700a2
-
Filesize
750B
MD5 d85c78936c5e8cca91bf0bb7af9b2c06
SHA1 b34077cc9926ad690281a6c25723f82db8005115
SHA256 f9a09398ffcc6c2a684e6ca3d601a898d90750d167c8dbc057e25148b2ee68b3
SHA512 83fbd6d49370a92298f5943c9721c0309f983a4515f18a995bbe25c89cbe90e6248bc75da844dfb1ee6a41b0d3ba97bb84b0937775840b1babc384020380c090
-
Filesize
750B
MD5 6d3be6c7f1bd4743469eec7906e11631
SHA1 c0aa9813de28c7502b9c908bb5dccac5eedc3343
SHA256 dba993ed3150c7677f9f6e07deea099c4bbb558842d2076657269920af46354e
SHA512 e1d5794c47e0e3e74f09fabc1f9f824b40de8694de7ea180928d70136e324927148135bc51e5586cdd370157617bbce409b4150fdf64382cd04fc840638fde35
-
Filesize
526B
MD5 543ef82b4c75e7c93e165ccf0b2ce9bd
SHA1 47bf3c7dcaa4396e7373594a8993455f75d25245
SHA256 3773c8c5f6df445c1405d2437642209da2c378ba5f1c598e6cfdd137fadff378
SHA512 89798362ddcc95213a5e5d9c13332b000a5691eded97d7c48548d7cce9da077a609633381a40e9451864d1b712c59a064a9d180c6883984eeead477ee160e97b
-
Filesize
750B
MD5 37fd340796610b5572ce8922f5e1cd0e
SHA1 168b9fee896bd633bb0ba21f2ce8a453783618d7
SHA256 7d5509a449f7ad43b6ba0ee1eceff8893f2fbecff8a1dcde94ce70e715dccaea
SHA512 abf9113abf360ac08f18a94b91014dbf141e081556e82e7cccd536a615b722a5253a2b16d3d3ca5e5e44d4cd371c14dcc0914c8212a77c0c3d9c81e429444308
-
Filesize
750B
MD5 9f96ddddfef265c387d71542d9900b31
SHA1 fa581913fea04ec7d46b7a3b67a833f7523df01a
SHA256 561cc98c5ace3e628d4b54e06302bcf6607c384c6c788dbf269c773edd236f01
SHA512 8f3fdba0a29c09b1ce58306a5ed3c1936a41f0d6ea585d6421819b276d62db2d1a1175f3352d0b7cbacf9d1e872367ae0db488e3ca125d94c7a3aebcddf8b9a0
-
Filesize
750B
MD5 b5a24a28cb230950fe5d1c48d59da522
SHA1 ec633297dcb824571f6515c3cd926204e49e9fa6
SHA256 9afb1e8f14a56c91056b79f2b5daddff25977a0b4e14cadf2c9375e594b10701
SHA512 64bf9aa29a018a22a918ff9a14efa3077b360fac1e9bcdead8f1ca2fe7c2a0444c0b1b6d0fa8c87dada2e7fa411e62068e85189f260f50f05951f4dd0853b68a
-
Filesize
239B
MD5 b1d989e9c11b1f3e3859987a0696cbaa
SHA1 cdfa7340821a57337ea3e5f681a5683ca8b2e6c3
SHA256 1ef3c0ef22b0f7c39e78898d8886fd76cf5f7dbf61397611adad4701f5a67f06
SHA512 811c21595c6786803f8d4ab1f63c373430fa805d5525604392e9d5bfeba6dd6250cdf44e8c427c6c5e4178c9187c06b98043525c2e612f56795478c0282b0d7a
-
Filesize
749B
MD5 a1b12939762088fded3d179f153bb2b9
SHA1 8fcf054aff4f8b57b49b5cb770168dcee661e256
SHA256 0339e31c0dc1d3c1a311096defaef306c96b6ceb2bcf2d82fca0d0d6c266c90f
SHA512 e9de3087da7432c09931b2ec304da0697c18cb9460cfe7c1a8eabccb431a671026ac62a6f33267bd3c977e9cfc27769411d6a92dc7c7aaff409c11ff55860282
-
Filesize
749B
MD5 833b3c846b13ee840ba5e49c66fd33f3
SHA1 1233c4280077e82b14acc71d1fcaaf91d036048c
SHA256 2ccf1e6499cf00c932da4e6c3b312497229ad0dc3fd15d2febca9eac68828800
SHA512 9863cbe139c58baece5d645c8eecf24bf0d7cbc57d37b09cc614ef9ea06cdfce6ebe0496d6c3ba0f3ae9f06f875125fc7a5026e9ac65c4eb39322a9ed774e4a1
-
Filesize
750B
MD5 ad9e133e10582d3c9f2fbb71f8e78418
SHA1 172a6f27fba6e37e2eb6437cdb4901ca58304e79
SHA256 0439f8e4e68a01cfd210beb32f627ac4b2217d05f3c660ea8fec5ccb7a0b0076
SHA512 40ce8820f665cd6e180303f28fd8a8a393cec78e0cd15fb3f032fd7c8e3026d085416ce37786c8a17498f67f018fca1c61e3d391a5e8c99ab83088615b3bc5d9
-
Filesize
750B
MD5 b0fd572fc21f986e2c9792b9a5fe0908
SHA1 47a2fde4c9c65981ee6e1c79c14a6d428b4a349a
SHA256 e4593c695159ca856ec4b8a13523be6dc00f3f2e82597f91e32e6fb5569164c9
SHA512 6928dad3dcbed0e13efe3559fbbdc9f8a1e9fc0d16d3b0dca216c6463ce39d1f2ed8b2328bad923b25f4adc75c8ae11a1312dddb202a44df89a3c50d2cb75cc2
-
Filesize
750B
MD5 787a1efd4f21a9c8ffd61ea156cc69d1
SHA1 f38f3aad75291f58f2c5108532be32560ea4ab7d
SHA256 f5227df90f087f50795a9dca1e2a3a816c1858305b9f760fe659bca2d960c71b
SHA512 4f014d2c91b02d139200e63326a80dfdfd04a815d6f2c688a06cf2d114c63ebcbaaf39d8c691fe9feb358ad5f601772102b1e1887100fdd3ff1ebc83adcec516
-
Filesize
3.4MB
MD5 3ae60214e5dd15829d6380f5dcaac75c
SHA1 c4ff1e0ef5b97b467b28039b3b902b088107ebae
SHA256 1a38cd5a9e8fb8086a6f84ac2bbac0ded061766fcdf3a25a1e6147a400cb8b39
SHA512 816f2e195827abe524d3ffe3c87ee6a5e02289c2fad1a5ed5b5751ecc356998b61b9638c65b7db7f231a3bc50c002995823755650a703cae12aa9decf4c995ac