Analysis
max time kernel: 598s
max time network: 603s
platform: windows10-1703_x64
resource: win10-20240611-en
resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
submitted: 21-07-2024 12:35
General
Target: Dast.Hack.exe
Size: 3.3MB
MD5: 062d2db533784ab458d45b9bbdd59e28
SHA1: 66e2ec6e8c6ec3f6d47a4a08eb08790e1f9b80ce
SHA256: 8299f38454d692ddb4154b8beda82486d92bbcaec91139a18f70ef476d7d9727
SHA512: 335739dd9f92575d5369eb836e04f8aa4a302857cb9e5a9c26ffddd2f5842b77c264341a5963a1efc8b2e63b6490fbd47392ddc712f188a986fcb9499ff4148d
SSDEEP: 49152:UbA30MYh4gIPIBXyjBVVIfVl+rf9LTewShH16PScTtMf6ajJPgqk5lZtH:Ub/gQBnoRT6EPS0t66KOlZtH
Malware Config
Signatures
-
DcRat 26 IoCs
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Processes / IoCs:
  schtasks.exe, 24 instances: PIDs 1668, 3196, 2284, 4548, 4388, 392, 4256, 4188, 3000, 4584, 2348, 4664, 2448, 2664, 4776, 3888, 2276, 4472, 5040, 4768, 4948, 380, 4752, 4612
  File created: C:\Program Files\Google\5940a34987c991 (Savesruntimeperf.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings (Dast.Hack.exe)
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent of record is WmiPrvSE.exe, which is what the parent looks like when a process is started through WMI (for example Win32_Process.Create): the process that issued the WMI call is the real initiator, and that link is lost, which is why all 24 schtasks.exe instances sit at depth 1 of the process tree below with no connection to the dropper.
Processes:
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid_target: 4244 (wmiprvse.exe); target process: schtasks.exe
  pids: 1668, 2348, 380, 4664, 4256, 4948, 3888, 3196, 4188, 3000, 4752, 4776, 2284, 2276, 4548, 4472, 5040, 4388, 392, 4584, 4612, 2448, 4768, 2664
UAC bypass 6 IoCs
Writing these values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System already requires an elevated token, so this is not a bypass for the current run; the effect is that later elevation requests by administrators go through without a consent prompt. EnableLUA=0 is only read at boot and takes effect after the next restart.
Processes (Set value (int) under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System):
  sysmon.exe: PromptOnSecureDesktop = "0", EnableLUA = "0", ConsentPromptBehaviorAdmin = "0"
  Savesruntimeperf.exe: EnableLUA = "0", ConsentPromptBehaviorAdmin = "0", PromptOnSecureDesktop = "0"
Processes (YARA):
  resource C:\refcommon\Savesruntimeperf.exe: rule dcrat
  resource behavioral1/memory/3608-14-0x0000000000380000-0x0000000000680000-memory.dmp: rule dcrat (PID 3608 = Savesruntimeperf.exe)
Executes dropped EXE 6 IoCs
Processes (pid process):
  3608 Savesruntimeperf.exe
  3688 sysmon.exe
  1416 explorer.exe
  2300 sysmon.exe
  1868 ShellExperienceHost.exe
  3868 RuntimeBroker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 4 IoCs
Processes (under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System):
  Savesruntimeperf.exe: Set value (int) EnableLUA = "0"; Key value queried EnableLUA
  sysmon.exe: Set value (int) EnableLUA = "0"; Key value queried EnableLUA
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow ioc):
  flow 7: ipinfo.io
  flow 8: ipinfo.io
Drops file in Program Files directory 11 IoCs
Processes: Savesruntimeperf.exe
  File created: C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe
  File created: C:\Program Files\Common Files\microsoft shared\Triedit\121e5b5079f7c0
  File created: C:\Program Files\Google\dllhost.exe
  File opened for modification: C:\Program Files\Google\dllhost.exe
  File created: C:\Program Files\Google\5940a34987c991
  File created: C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe
  File created: C:\Program Files\Windows Mail\en-US\f8c8f1285d826b
  File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
  File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088
  File created: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe
  File created: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\9e8d7a4ca61bd9
Every dropped executable borrows the name of a Windows binary (or of Sysinternals Sysmon) but lands in a directory where the genuine binary never lives, and each is paired with a 14-hex-character companion file in the same directory; the same pattern repeats in the Windows directory below.
Drops file in Windows directory 2 IoCs
Processes: Savesruntimeperf.exe
  File created: C:\Windows\Performance\winlogon.exe
  File created: C:\Windows\Performance\cc11b995f2a76d
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
Processes (Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings):
  Dast.Hack.exe
  Savesruntimeperf.exe
  sysmon.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, PIDs 4188, 4752, 4776, 2284, 392, 2448, 4948, 3196, 4768, 2276, 4584, 4612, 2348, 4664, 3888, 3000, 4548, 2664, 1668, 380, 5040, 4388, 4256, 4472 (the command lines are listed in the process tree below)
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes (pid process):
  3608 Savesruntimeperf.exe (1 occurrence)
  3688 sysmon.exe (13 occurrences)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid process):
  3688 sysmon.exe
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes (token, pid process):
  SeDebugPrivilege: 3608 Savesruntimeperf.exe; 3688 sysmon.exe; 1416 explorer.exe; 2300 sysmon.exe; 1868 ShellExperienceHost.exe; 3868 RuntimeBroker.exe
  SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege: 2288 vssvc.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes (PID wrote to memory of PID; the raw report repeats each pair two or three times, the count is given in parentheses):
  4676 Dast.Hack.exe -> 1232 WScript.exe (3)
  1232 WScript.exe -> 2372 cmd.exe (3)
  2372 cmd.exe -> 3608 Savesruntimeperf.exe (2)
  3608 Savesruntimeperf.exe -> 3192 cmd.exe (2)
  3192 cmd.exe -> 2584 w32tm.exe (2)
  3192 cmd.exe -> 3688 sysmon.exe (2)
  3688 sysmon.exe -> 2264 WScript.exe (2)
  3688 sysmon.exe -> 4744 WScript.exe (2)
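The parent/child pairs above, together with the WmiPrvSE.exe -> schtasks.exe rows of the "Process spawned unexpected child process" signature, are enough to rebuild the process tree and re-derive the sandbox's "unexpected parent" verdicts. The following is an added example, not part of the report or of the malware: PROCESSES and EDGES are copied from this page (duplicates kept as reported, and three of the 24 WmiPrvSE rows), while EXPECTED_PARENTS, SCRIPT_HOSTS and the user-profile rule are assumptions made for the demonstration, not a vendor rule set.

```python
"""Rebuild the process tree from sandbox parent/child events and flag parents
that a policy does not expect. Added example; tables copied from the report."""
import ntpath
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# PID -> image path, as listed in the process tree of this report.
PROCESSES: Dict[int, str] = {
    4676: r"C:\Users\Admin\AppData\Local\Temp\Dast.Hack.exe",
    1232: r"C:\Windows\SysWOW64\WScript.exe",
    2372: r"C:\Windows\SysWOW64\cmd.exe",
    3608: r"C:\refcommon\Savesruntimeperf.exe",
    3192: r"C:\Windows\System32\cmd.exe",
    2584: r"C:\Windows\system32\w32tm.exe",
    3688: r"C:\Users\Admin\sysmon.exe",
    2264: r"C:\Windows\System32\WScript.exe",
    4744: r"C:\Windows\System32\WScript.exe",
    4244: r"C:\Windows\system32\wbem\wmiprvse.exe",
    1668: r"C:\Windows\system32\schtasks.exe",
    2348: r"C:\Windows\system32\schtasks.exe",
    380: r"C:\Windows\system32\schtasks.exe",
}

# (parent_pid, child_pid). The report lists each WriteProcessMemory pair 2-3 times.
EDGES: List[Tuple[int, int]] = [
    (4676, 1232), (4676, 1232), (4676, 1232),
    (1232, 2372), (1232, 2372), (1232, 2372),
    (2372, 3608), (2372, 3608),
    (3608, 3192), (3608, 3192),
    (3192, 2584), (3192, 2584),
    (3192, 3688), (3192, 3688),
    (3688, 2264), (3688, 2264),
    (3688, 4744), (3688, 4744),
    (4244, 1668), (4244, 2348), (4244, 380),
]

# Assumed policy for the example: parents that are normal for each child image.
EXPECTED_PARENTS: Dict[str, Set[str]] = {
    "schtasks.exe": {"cmd.exe", "powershell.exe", "explorer.exe"},
    "wscript.exe": {"explorer.exe", "cmd.exe", "svchost.exe"},
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
USER_PROFILE_PREFIX = "c:\\users\\"


def image_name(pid: int) -> str:
    # ntpath splits on backslashes on any host OS.
    return ntpath.basename(PROCESSES[pid]).lower()


def build_tree(edges: List[Tuple[int, int]]):
    """Drop repeated pairs, then index parent-by-child and children-by-parent."""
    parent_of: Dict[int, int] = {}
    children_of: Dict[int, List[int]] = defaultdict(list)
    for parent, child in dict.fromkeys(edges):  # first-seen order, no repeats
        parent_of[child] = parent
        children_of[parent].append(child)
    return parent_of, children_of


def chain(pid: int, parent_of: Dict[int, int]) -> List[str]:
    """Image names from the root of pid's tree down to pid itself."""
    names = []
    while pid is not None:
        names.append(image_name(pid))
        pid = parent_of.get(pid)
    return names[::-1]


def unexpected_parents(parent_of: Dict[int, int]) -> List[Tuple[int, int, str]]:
    """(parent_pid, child_pid, reason) for every edge that breaks the policy."""
    hits = []
    for child, parent in parent_of.items():
        c, p = image_name(child), image_name(parent)
        if c in EXPECTED_PARENTS and p not in EXPECTED_PARENTS[c]:
            hits.append((parent, child, f"{p} is not an expected parent of {c}"))
        if c in SCRIPT_HOSTS and PROCESSES[parent].lower().startswith(USER_PROFILE_PREFIX):
            hits.append((parent, child, f"{c} started by a binary under a user profile"))
    return hits


def render(pid: int, children_of, depth: int = 0) -> List[str]:
    """Indented lines for the subtree rooted at pid."""
    lines = [f"{'  ' * depth}{pid} {PROCESSES[pid]}"]
    for child in children_of.get(pid, []):
        lines.extend(render(child, children_of, depth + 1))
    return lines


if __name__ == "__main__":
    parents, children = build_tree(EDGES)
    for root in [pid for pid in PROCESSES if pid not in parents]:
        print("\n".join(render(root, children)))
    for parent, child, why in unexpected_parents(parents):
        print(f"[!] {parent} -> {child}: {why}; chain: {' > '.join(chain(child, parents))}")
```

Run as a script it prints two trees (one rooted at Dast.Hack.exe, one at WmiPrvSE.exe) and nine findings: the three WmiPrvSE -> schtasks edges, the three WScript launches by binaries that are not expected parents, and the same three WScript launches again under the user-profile rule. The WmiPrvSE subtree has no path back to the dropper, which is exactly the gap the signature text warns about.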
System policy modification 1 TTPs 6 IoCs
Processes (Set value (int) under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System):
  Savesruntimeperf.exe: EnableLUA = "0"; ConsentPromptBehaviorAdmin = "0"; PromptOnSecureDesktop = "0"
  sysmon.exe: EnableLUA = "0"; ConsentPromptBehaviorAdmin = "0"; PromptOnSecureDesktop = "0"
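The six "Set value" IoCs above (and the identical ones under "UAC bypass") describe one change to the machine's UAC policy. The following added example, which is not part of the report, parses lines in the sandbox's own format, records which process wrote each value, applies the writes on top of a baseline and states what the resulting policy means. SAMPLE_IOCS is copied from this signature; BASELINE (stock client defaults), CPBA_MEANING and the rules in assess() are the example's assumptions.

```python
"""Assess the UAC policy left behind by the registry writes in a sandbox report.
Added example; the IoC lines are copied from the report, the rules are the example's own."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Matches:  Set value (int) \REGISTRY\...\System\<Name> = "<int>" <process>
IOC_RX = re.compile(
    r'Set value \(int\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>\w+) = "(?P<data>-?\d+)" (?P<proc>\S+)'
)

# Defaults on a stock Windows client install (assumption for the example).
BASELINE: Dict[str, int] = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
CPBA_MEANING = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries",
}

# The six IoC lines of this signature, copied from the report.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Savesruntimeperf.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Savesruntimeperf.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Savesruntimeperf.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sysmon.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sysmon.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sysmon.exe',
]


def parse_iocs(lines: List[str]) -> List[Tuple[str, str, int]]:
    """(process, value name, data) for every Set value line under the UAC policy key."""
    out = []
    for line in lines:
        m = IOC_RX.search(line)
        if m and m.group("key") == POLICY_KEY:
            out.append((m.group("proc"), m.group("name"), int(m.group("data"))))
    return out


def writers(changes: List[Tuple[str, str, int]]) -> Dict[str, List[str]]:
    """Which processes wrote each value (sorted, de-duplicated)."""
    by_name = defaultdict(set)
    for proc, name, _ in changes:
        by_name[name].add(proc)
    return {name: sorted(procs) for name, procs in by_name.items()}


def effective_policy(changes, baseline: Dict[str, int] = BASELINE) -> Dict[str, int]:
    """Apply the writes on top of the baseline; the last writer wins, as in the registry."""
    policy = dict(baseline)
    for _, name, data in changes:
        policy[name] = data
    return policy


def assess(policy: Dict[str, int]) -> List[str]:
    """Human-readable consequences of the resulting policy."""
    findings = []
    if policy.get("EnableLUA", 1) == 0:
        # Only read at boot: admin approval mode stays on until the machine restarts.
        findings.append("EnableLUA=0: admin approval mode is switched off at the next reboot")
    if policy.get("ConsentPromptBehaviorAdmin", 5) == 0:
        findings.append(f"ConsentPromptBehaviorAdmin=0: administrators {CPBA_MEANING[0]}")
    if policy.get("PromptOnSecureDesktop", 1) == 0:
        findings.append("PromptOnSecureDesktop=0: any remaining prompt is drawn on the interactive "
                        "desktop, where other software can drive it")
    return findings


if __name__ == "__main__":
    changes = parse_iocs(SAMPLE_IOCS)
    for name, procs in writers(changes).items():
        print(f"{name} written by {', '.join(procs)}")
    for finding in assess(effective_policy(changes)):
        print("[!]", finding)
```

The order of the writes matters for a responder: ConsentPromptBehaviorAdmin=0 changes behaviour as soon as the next elevation is requested, while EnableLUA=0 changes nothing until a reboot, so a host that has not restarted since the infection still has admin approval mode on but silently approves.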
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Process tree (depth as in the original ⤵ numbering; image path, PID, command line, then the signatures attached to that process):

1  C:\Users\Admin\AppData\Local\Temp\Dast.Hack.exe  PID 4676
   cmd: "C:\Users\Admin\AppData\Local\Temp\Dast.Hack.exe"
   - DcRat
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
 2  C:\Windows\SysWOW64\WScript.exe  PID 1232
    cmd: "C:\Windows\System32\WScript.exe" "C:\refcommon\a9qp8YhB09rgym.vbe"
    (the command line says System32 but the image was loaded from SysWOW64: the 32-bit parent is subject to WOW64 file-system redirection, consistent with the arch:x86 tag)
    - Suspicious use of WriteProcessMemory
  3  C:\Windows\SysWOW64\cmd.exe  PID 2372
     cmd: C:\Windows\system32\cmd.exe /c ""C:\refcommon\o7w5u18.bat" "
     - Suspicious use of WriteProcessMemory
   4  C:\refcommon\Savesruntimeperf.exe  PID 3608
      cmd: "C:\refcommon\Savesruntimeperf.exe"
      - DcRat
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    5  C:\Windows\System32\cmd.exe  PID 3192
       cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aGmV56J0l0.bat"
       - Suspicious use of WriteProcessMemory
     6  C:\Windows\system32\w32tm.exe  PID 2584
        cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        (no signatures; polling localhost for two samples takes a few seconds and serves as a delay before the next stage)
     6  C:\Users\Admin\sysmon.exe  PID 3688
        cmd: "C:\Users\Admin\sysmon.exe"
        (a dropped file, see Executes dropped EXE; not Sysinternals Sysmon)
        - UAC bypass
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      7  C:\Windows\System32\WScript.exe  PID 2264
         cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7713eddd-0f40-46c5-8e92-5d873eaf0ff6.vbs"
      7  C:\Windows\System32\WScript.exe  PID 4744
         cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9339de0-b4e6-4f83-90d4-ec96ba79574d.vbs"
Scheduled tasks created (24 schtasks.exe processes, all at depth 1 of the tree; per the "Process spawned unexpected child process" signature their parent is C:\Windows\system32\wbem\wmiprvse.exe, PID 4244; each carries the signatures DcRat, Process spawned unexpected child process, and Scheduled Task/Job: Scheduled Task). Every command line has the form
  schtasks.exe /create /tn "<task>" /sc <trigger> [/mo <n>] /tr "'<target>'" [/rl HIGHEST] /f

PID   task                  trigger         run level  target
1668  dllhostd              MINUTE /mo 7    -          C:\Program Files\Google\dllhost.exe
2348  dllhost               ONLOGON         HIGHEST    C:\Program Files\Google\dllhost.exe
380   dllhostd              MINUTE /mo 11   HIGHEST    C:\Program Files\Google\dllhost.exe
4664  sysmons               MINUTE /mo 6    -          C:\Users\Admin\sysmon.exe
4256  sysmon                ONLOGON         HIGHEST    C:\Users\Admin\sysmon.exe
4948  sysmons               MINUTE /mo 13   HIGHEST    C:\Users\Admin\sysmon.exe
3888  ShellExperienceHostS  MINUTE /mo 5    -          C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe
3196  ShellExperienceHost   ONLOGON         HIGHEST    C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe
4188  ShellExperienceHostS  MINUTE /mo 8    HIGHEST    C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe
3000  explorere             MINUTE /mo 14   -          C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
4752  explorer              ONLOGON         HIGHEST    C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
4776  explorere             MINUTE /mo 6    HIGHEST    C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
2284  winlogonw             MINUTE /mo 7    -          C:\Windows\Performance\winlogon.exe
2276  winlogon              ONLOGON         HIGHEST    C:\Windows\Performance\winlogon.exe
4548  winlogonw             MINUTE /mo 11   HIGHEST    C:\Windows\Performance\winlogon.exe
5040  sysmons               MINUTE /mo 7    -          C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe
4472  sysmon                ONLOGON         HIGHEST    C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe
4388  sysmons               MINUTE /mo 7    HIGHEST    C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe
4584  winlogonw             MINUTE /mo 14   -          C:\Recovery\WindowsRE\winlogon.exe
392   winlogon              ONLOGON         HIGHEST    C:\Recovery\WindowsRE\winlogon.exe
4612  winlogonw             MINUTE /mo 14   HIGHEST    C:\Recovery\WindowsRE\winlogon.exe
2448  RuntimeBrokerR        MINUTE /mo 8    -          C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe
4768  RuntimeBroker         ONLOGON         HIGHEST    C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe
2664  RuntimeBrokerR        MINUTE /mo 10   HIGHEST    C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe

Pattern: each of the eight targets gets three tasks, an interval task without a run level, a logon task with /rl HIGHEST, and a second interval task with /rl HIGHEST. The interval tasks reuse the binary name with one letter appended (dllhostd, sysmons, ShellExperienceHostS, explorere, winlogonw, RuntimeBrokerR). Because every command passes /f, a later task with the same name silently replaces an earlier one; the sysmon/sysmons and winlogon/winlogonw names are each registered for two different targets, so only the one registered last survives for each name. C:\Recovery\WindowsRE\winlogon.exe is scheduled here but does not appear in the dropped-file lists above.
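The 24 command lines above show the three traits worth keying a detection on: a system-binary (or Sysmon) name in a directory where the genuine file never lives, /rl HIGHEST, and a minute-interval trigger that re-launches the payload. The following is an added example, not part of the report or of the malware: it parses `schtasks /create` command lines and attaches those findings. SAMPLE_CMDLINES holds seven lines copied from the table above plus one constructed benign task; GENUINE_DIRS (where the real copy of each imitated binary lives) is an assumption made for the demonstration.

```python
"""Triage `schtasks /create` command lines for masquerading persistence.
Added example; seven sample lines are copied from the sandbox report."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Directory of the genuine copy of each imitated binary (lower-case, exact match).
# Assumption for the example; Sysinternals Sysmon installs itself into %SystemRoot%.
GENUINE_DIRS = {
    "dllhost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "runtimebroker.exe": r"c:\windows\system32",
    "shellexperiencehost.exe": r"c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy",
    "sysmon.exe": r"c:\windows",
}

SWITCHES = {
    "tn": re.compile(r'/tn\s+"([^"]*)"', re.I),
    "sc": re.compile(r"/sc\s+(\S+)", re.I),
    "mo": re.compile(r"/mo\s+(\S+)", re.I),
    "tr": re.compile(r'/tr\s+"([^"]*)"', re.I),
    "rl": re.compile(r"/rl\s+(\S+)", re.I),
}


@dataclass
class Task:
    name: str
    schedule: str
    modifier: Optional[int]
    target: str
    run_level: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_schtasks(cmdline: str) -> Optional[Task]:
    """Pull /tn /sc /mo /tr /rl out of a `schtasks /create` line; None for anything else."""
    if "/create" not in cmdline.lower():
        return None
    got = {}
    for key, rx in SWITCHES.items():
        m = rx.search(cmdline)
        got[key] = m.group(1) if m else None
    if not got["tn"] or not got["tr"]:
        return None
    # The sample writes /tr as "'C:\path\x.exe'"; strip the inner single quotes.
    target = got["tr"].strip().strip("'")
    return Task(
        name=got["tn"],
        schedule=(got["sc"] or "").upper(),
        modifier=int(got["mo"]) if got["mo"] else None,
        target=target,
        run_level=got["rl"].upper() if got["rl"] else None,
    )


def triage(task: Task) -> Task:
    """Attach findings for the persistence patterns seen in this report."""
    base = ntpath.basename(task.target).lower()       # ntpath handles backslashes on any OS
    directory = ntpath.dirname(task.target).lower()
    if base in GENUINE_DIRS and directory != GENUINE_DIRS[base]:
        task.findings.append(f"masquerade: {base} outside {GENUINE_DIRS[base]}")
    if task.run_level == "HIGHEST":
        task.findings.append("elevated: /rl HIGHEST")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= 15:
        task.findings.append(f"watchdog: re-launched every {task.modifier} min")
    if task.schedule == "ONLOGON":
        task.findings.append("logon trigger")
    return task


def triage_report(cmdlines: List[str]) -> List[Task]:
    return [triage(t) for t in map(parse_schtasks, cmdlines) if t]


def distinct_targets(tasks: List[Task]) -> List[str]:
    return sorted({t.target for t in tasks})


# Seven lines copied from the process tree above, plus one constructed benign task
# (a vendor updater in its own directory) to show the checks stay quiet on it.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\dllhost.exe'" /f''',
    r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe'" /f''',
    r'''schtasks.exe /create /tn "VendorUpdate" /sc DAILY /st 03:00 /tr "C:\Program Files\Vendor\updater.exe"''',
]

if __name__ == "__main__":
    for t in triage_report(SAMPLE_CMDLINES):
        print(f"{t.name:22} {t.schedule:8} {t.target}")
        for f in t.findings:
            print("    -", f)
```

The masquerade check deliberately compares the directory exactly rather than by prefix: C:\Windows\Performance\winlogon.exe and C:\Recovery\WindowsRE\winlogon.exe both fail it, while a genuine C:\Windows\System32\winlogon.exe would pass. On a live host the same logic can be fed from `schtasks /query /v /fo CSV` or from the Task Scheduler event log.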
Other top-level processes (depth 1, no parent recorded in the tree):

C:\Windows\system32\vssvc.exe  PID 2288
  cmd: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe  PID 1416
  cmd: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe  PID 2300
  cmd: "C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe  PID 1868
  cmd: "C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe  PID 3868
  cmd: "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

The four dropped executables start with no parent in the tree, which is how a launch by the Task Scheduler appears; the minute-interval tasks above fire well within the roughly ten-minute run. vssvc.exe corresponds to the "Uses Volume Shadow Copy service COM API" signature.
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads (dropped files; six entries)

1. Filesize: 701B
   MD5: 1e6b4b17995bb9b5cf16640ca78a6ed5
   SHA1: 0febbcf10da6c32c5d6f5d57085e724ee9a73153
   SHA256: d0c56b4fcd5e99fcc3c05aaefef2f338fb3cd74ecbf8ca0893ee0019e243f947
   SHA512: 5d0b085c351ccc41fc2d826217af3a7ec92ce75a14f33002effbb501cfe153de10b8617f411fd0a433f098cb897aa6bf7a391d6d2000602bab6ff3e7ce91161e

2. Filesize: 477B
   MD5: 5fecf589c3354566a4a8b4916ec517a5
   SHA1: 5ee5a7da2e97e695430fe362c228da5d8f5f06af
   SHA256: db9059a2a2e3c96a324e9cdabd78ad0a00d4cce4ab6b3a3b209f8b49b406647f
   SHA512: 140f1779f1854fd0b3b9914bdbd500b7f08de305c7be72e85ad56807c33a29e4195284e5f0c1974dbfe0fa40e50b4a81d84ff9a61d91abc72e2c3a2dedcf0898

3. Filesize: 190B
   MD5: 0a06dbba175d7edccc94d544bc1897d8
   SHA1: 9ece6924d9a18c6977dd75f5e70eed31657ad977
   SHA256: 21a7702760538d02f267ebe43f9c84e9a2ab1bda219053ec8195e4d88b2fe17e
   SHA512: 6d1096192a3bd5d38a67b78d4683888e4e2f20f5d796736a46ce33fcbbf8d23d1a2405ac0b59b6ea564821ad4920c33021393940ee977d7728fbb441d8c1e651

4. Filesize: 3.0MB
   MD5: 17babc686738c7b611b9e9e028c8ef34
   SHA1: 8c959decebcb5544528e2a76f66e73c401e19be8
   SHA256: 7cef1a964acbe38f4796b9ddbbd95e3fc19215594b2f3ab74483d58fe4bb93ad
   SHA512: c7e2f881e6eb09e25c08c76b88b7626c768fb3e623b39b538e7b84f02fb6382bf5b4e0d66835c63cf59d1346e91b5bc3b60a6335bab90d5f185d81e5f9a52fe8

5. Filesize: 193B
   MD5: e30dc1038a7664ab0f9623335243517e
   SHA1: 9466920ec01f531bac1f482635d03015c5d9981a
   SHA256: 28103167be9475e1971ef47b77f1d115f814f1635060d2ce6e0d64f1ddf63300
   SHA512: f02d8034d9fbb2685540179f5d79f54dff68d73c7ed838999b49a9de67efd5385d1b51f1e4f81425ad126ef587de3096988c917069dc0beb71bef999cb8b36b3

6. Filesize: 35B
   MD5: 23a21c6fd0af23b3a6b196ed1300a37c
   SHA1: 247e674129a0414018bcb7b2aa5e12d4a2005f05
   SHA256: 87957d0707f5768d0e6c920bfba23d2693189131d57418e04344153332555082
   SHA512: 2cbfb8549d4ae49759ef9b5caaee02609cb1496f16e58d4bb2c28001ae2ed21a4a53cc06d47d9133164dde64f2e765c5a99f4ad0cdd25cc92442cf4a9aefc95c