Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2024 16:00
Behavioral tasks
- behavioral1: sample MalwareBazaar.exe, resource win7-20240704-en
- behavioral2: sample MalwareBazaar.exe, resource win10v2004-20240709-en
General
- Target: MalwareBazaar.exe
- Size: 2.0MB
- MD5: 6e4e01af6b88116f0c7331bba5e7b782
- SHA1: 756c0a5ea8aac86f41d118166452a011a608043c
- SHA256: 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147
- SHA512: f49b6146f313624606a9eb80287c23c68aaefcf7ffafacba83a87b333b4388dd38a423a179b7bcb0e1d555873681b405c781faf68e2d7169fa7bcefe4a73874b
- SSDEEP: 24576:jYe7C5QSBzoU/n15NuQtG+7IwzwT2wLqq12OBOa2WYO3QFSBztYSqEEU5oZUSzTO:jYemPM0tvmwGBF223ZztBqEqx9v
Malware Config
Signatures
DcRat (26 IoCs)
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: MalwareBazaar.exe, schtasks.exe (24 instances)
description | ioc | process
- File created | C:\Program Files (x86)\Windows Media Player\System.exe | MalwareBazaar.exe
- File created | C:\Program Files (x86)\Windows Media Player\27d1bcfc3c54e0 | MalwareBazaar.exe
- schtasks.exe pids: 2524, 2556, 3064, 2000, 1084, 1656, 1056, 2196, 2492, 2636, 1364, 1072, 1632, 588, 2096, 1860, 2824, 2092, 2192, 2856, 624, 2736, 2568, 1712
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
Processes: MalwareBazaar.exe
description | ioc | process
Eight successive "Set value (str)" writes by MalwareBazaar.exe to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, each appending one more executable to the shell string. The entries are appended in the order listed; the final value is:
explorer.exe, "C:\Program Files (x86)\Windows Media Player\System.exe", "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\csrss.exe", "C:\Users\Admin\wininit.exe", "C:\Program Files\Google\Chrome\Application\SetupMetrics\audiodg.exe", "C:\Users\Admin\Favorites\Windows Live\lsass.exe", "C:\Program Files (x86)\Windows Sidebar\wininit.exe", "C:\Windows\Migration\lsm.exe", "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
Process spawned unexpected child process (24 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (24 instances)
description | pid | pid_target | process
All 24 rows share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2640 and process schtasks.exe. The schtasks.exe pids, in report order: 3064, 2196, 2856, 2736, 2568, 2524, 2636, 2556, 1056, 624, 2492, 1712, 1860, 2000, 1364, 2824, 1072, 1084, 1632, 1656, 588, 2092, 2096, 2192
resource | yara_rule
- behavioral1/memory/2284-1-0x0000000000AE0000-0x0000000000CEE000-memory.dmp | dcrat
- C:\Users\Admin\Favorites\Windows Live\lsass.exe | dcrat
- behavioral1/memory/428-36-0x0000000000BC0000-0x0000000000DCE000-memory.dmp | dcrat
Executes dropped EXE (1 IoCs)
Processes: wininit.exe
pid | process
- 428 | wininit.exe
Adds Run key to start application (2 TTPs, 16 IoCs)
Processes: MalwareBazaar.exe
All 16 entries are "Set value (str)" writes by MalwareBazaar.exe. Key prefixes below are abbreviated as:
- HKU = \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
key | value
- HKU\System | "C:\Program Files (x86)\Windows Media Player\System.exe"
- HKU\lsass | "C:\Users\Admin\Favorites\Windows Live\lsass.exe"
- HKLM\lsass | "C:\Users\Admin\Favorites\Windows Live\lsass.exe"
- HKLM\lsm | "C:\Windows\Migration\lsm.exe"
- HKLM\OSPPSVC | "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
- HKU\csrss | "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\csrss.exe"
- HKLM\csrss | "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\csrss.exe"
- HKU\audiodg | "C:\Program Files\Google\Chrome\Application\SetupMetrics\audiodg.exe"
- HKU\wininit | "C:\Program Files (x86)\Windows Sidebar\wininit.exe"
- HKU\lsm | "C:\Windows\Migration\lsm.exe"
- HKLM\System | "C:\Program Files (x86)\Windows Media Player\System.exe"
- HKU\wininit | "C:\Users\Admin\wininit.exe"
- HKLM\wininit | "C:\Users\Admin\wininit.exe"
- HKLM\audiodg | "C:\Program Files\Google\Chrome\Application\SetupMetrics\audiodg.exe"
- HKLM\wininit | "C:\Program Files (x86)\Windows Sidebar\wininit.exe"
- HKU\OSPPSVC | "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
- 4 | ip-api.com
Drops file in Program Files directory (9 IoCs)
Processes: MalwareBazaar.exe
description | ioc | process
- File created | C:\Program Files (x86)\Windows Media Player\System.exe | MalwareBazaar.exe
- File opened for modification | C:\Program Files (x86)\Windows Media Player\System.exe | MalwareBazaar.exe
- File created | C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\886983d96e3d3e | MalwareBazaar.exe
- File created | C:\Program Files (x86)\Windows Sidebar\56085415360792 | MalwareBazaar.exe
- File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe | MalwareBazaar.exe
- File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\1610b97d3ab4a7 | MalwareBazaar.exe
- File created | C:\Program Files (x86)\Windows Media Player\27d1bcfc3c54e0 | MalwareBazaar.exe
- File created | C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\csrss.exe | MalwareBazaar.exe
- File created | C:\Program Files (x86)\Windows Sidebar\wininit.exe | MalwareBazaar.exe
Drops file in Windows directory (3 IoCs)
Processes: MalwareBazaar.exe
description | ioc | process
- File created | C:\Windows\rescache\rc0002\lsass.exe | MalwareBazaar.exe
- File created | C:\Windows\Migration\lsm.exe | MalwareBazaar.exe
- File created | C:\Windows\Migration\101b941d020240 | MalwareBazaar.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTPs, 24 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (24 instances)
pid | process
- schtasks.exe pids: 2524, 1084, 2096, 2856, 2568, 2556, 1056, 624, 1860, 1364, 1072, 3064, 2196, 2092, 2824, 1632, 588, 2192, 2636, 2492, 2000, 1656, 2736, 1712
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes: MalwareBazaar.exe, wininit.exe
pid | process
- 2284 | MalwareBazaar.exe (repeated entries)
- 428 | wininit.exe (repeated entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: MalwareBazaar.exe, wininit.exe
description | pid | process
- Token: SeDebugPrivilege | 2284 | MalwareBazaar.exe
- Token: SeDebugPrivilege | 428 | wininit.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: MalwareBazaar.exe, cmd.exe
description | pid | process | target process
- PID 2284 wrote to memory of 1168 | 2284 | MalwareBazaar.exe | cmd.exe (3 entries)
- PID 1168 wrote to memory of 2920 | 1168 | cmd.exe | w32tm.exe (3 entries)
- PID 1168 wrote to memory of 428 | 1168 | cmd.exe | wininit.exe (3 entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
   PID: 2284
   - DcRat
   - Modifies WinLogon for persistence
   - Adds Run key to start application
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P13wV4ygMl.bat"
      PID: 1168
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\w32tm.exe
         Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
         PID: 2920
      3. C:\Users\Admin\wininit.exe
         Command line: "C:\Users\Admin\wininit.exe"
         PID: 428
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

The following 24 processes are all C:\Windows\system32\schtasks.exe at depth 1 (their parent is not shown in the tree), and each triggered the same three signatures:
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

PID | command line
- 3064 | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /f
- 2196 | schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
- 2856 | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
- 2736 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\csrss.exe'" /f
- 2568 | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\csrss.exe'" /rl HIGHEST /f
- 2524 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\csrss.exe'" /rl HIGHEST /f
- 2636 | schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\wininit.exe'" /f
- 2556 | schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
- 1056 | schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
- 624 | schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\audiodg.exe'" /f
- 2492 | schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\audiodg.exe'" /rl HIGHEST /f
- 1712 | schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\audiodg.exe'" /rl HIGHEST /f
- 1860 | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Favorites\Windows Live\lsass.exe'" /f
- 2000 | schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Windows Live\lsass.exe'" /rl HIGHEST /f
- 1364 | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Favorites\Windows Live\lsass.exe'" /rl HIGHEST /f
- 2824 | schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\wininit.exe'" /f
- 1072 | schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\wininit.exe'" /rl HIGHEST /f
- 1084 | schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\wininit.exe'" /rl HIGHEST /f
- 1632 | schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\lsm.exe'" /f
- 1656 | schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Migration\lsm.exe'" /rl HIGHEST /f
- 588 | schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\lsm.exe'" /rl HIGHEST /f
- 2092 | schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe'" /f
- 2096 | schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe'" /rl HIGHEST /f
- 2192 | schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
File 1
- Filesize: 191B
- MD5: f9eb67a73779abfd618d3c365068d60a
- SHA1: 2b192feb5bda80bc277f838e541b3fef35b1545a
- SHA256: 0e045c2ed5e8d33f7889804e857b462eb47c450e7b650f7b6ea277ff87a23157
- SHA512: 5f1be0718273c044225248554d187e162d95aff97e6fc534b3ab565a0ac44aa22504eb190da3d9b533f0f7efa88db92169def621fac908843f38464487d39408

File 2
- Filesize: 2.0MB
- MD5: 6e4e01af6b88116f0c7331bba5e7b782
- SHA1: 756c0a5ea8aac86f41d118166452a011a608043c
- SHA256: 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147
- SHA512: f49b6146f313624606a9eb80287c23c68aaefcf7ffafacba83a87b333b4388dd38a423a179b7bcb0e1d555873681b405c781faf68e2d7169fa7bcefe4a73874b