dcrat | 4415d417dd1b3ccd3c86fa55cf3add99e493218cb0c1405efaf8e55ac7b5c666

Analysis

max time kernel
28s
max time network
32s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cs2SteamEmul.exe
Size

2.8MB
MD5

d48669a634489ed4baf9e84aedd9d2bd
SHA1

e7b7bdf6e10584eb07547e7237bd654b42abcf84
SHA256

4415d417dd1b3ccd3c86fa55cf3add99e493218cb0c1405efaf8e55ac7b5c666
SHA512

d902e3d77f7cc33f806b1e298fb51905636bb9ea83cf5a030c18ed33400e656edf3223a0ff4f6e7fcef20b427413cbf5a5132b914d37f476cd4ad6d90db46a90
SSDEEP

49152:8bA3W4Dw1beHhL/rBnVQzQ2Bq5U+0HE26wyiK4Csx7aPNUmTk:8b6PHhXB6e2dHfxJ1xu/k

Score

10^/10

dcrat evasion infostealer persistence rat

Malware Config

Signatures

DcRat 36 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2572	schtasks.exe
1684	schtasks.exe
304	schtasks.exe
1820	schtasks.exe
1088	schtasks.exe
2080	schtasks.exe
948	schtasks.exe
2276	schtasks.exe
1536	schtasks.exe
1056	schtasks.exe
644	schtasks.exe
2620	schtasks.exe
1628	schtasks.exe
1148	schtasks.exe
1060	schtasks.exe
2700	schtasks.exe
2300	schtasks.exe
2928	schtasks.exe
2988	schtasks.exe
1568	schtasks.exe
1796	schtasks.exe
1804	schtasks.exe
1948	schtasks.exe
3036	schtasks.exe
600	schtasks.exe
2376	schtasks.exe
3064	schtasks.exe
2600	schtasks.exe
2848	schtasks.exe
1636	schtasks.exe
1540	schtasks.exe
648	schtasks.exe
1724	schtasks.exe
768	schtasks.exe
1044	schtasks.exe
2932	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\hyperBrowser.exe\", \"C:\\Program Files\\Microsoft Games\\Hearts\\es-ES\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\cmd.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\hyperBrowser.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\hyperBrowser.exe\", \"C:\\Program Files\\Microsoft Games\\Hearts\\es-ES\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\cmd.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\hyperBrowser.exe\", \"C:\\ChainSurrogateref\\cmd.exe\", \"C:\\Windows\\Help\\explorer.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\hyperBrowser.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\hyperBrowser.exe\", \"C:\\Program Files\\Microsoft Games\\Hearts\\es-ES\\taskhost.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\hyperBrowser.exe\", \"C:\\Program Files\\Microsoft Games\\Hearts\\es-ES\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\hyperBrowser.exe\", \"C:\\Program Files\\Microsoft Games\\Hearts\\es-ES\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\cmd.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\hyperBrowser.exe\", \"C:\\Program Files\\Microsoft Games\\Hearts\\es-ES\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\cmd.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\hyperBrowser.exe\", \"C:\\Program Files\\Microsoft Games\\Hearts\\es-ES\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\cmd.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\hyperBrowser.exe\", \"C:\\ChainSurrogateref\\cmd.exe\", \"C:\\Windows\\Help\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Users\\Default\\Start Menu\\Idle.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\hyperBrowser.exe\", \"C:\\Program Files\\Microsoft Games\\Hearts\\es-ES\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\cmd.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\hyperBrowser.exe\", \"C:\\ChainSurrogateref\\cmd.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\hyperBrowser.exe\", \"C:\\Program Files\\Microsoft Games\\Hearts\\es-ES\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\cmd.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\hyperBrowser.exe\", \"C:\\ChainSurrogateref\\cmd.exe\", \"C:\\Windows\\Help\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\explorer.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\hyperBrowser.exe\", \"C:\\Program Files\\Microsoft Games\\Hearts\\es-ES\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\cmd.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\", \"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\hyperBrowser.exe\", \"C:\\ChainSurrogateref\\cmd.exe\", \"C:\\Windows\\Help\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\""	hyperBrowser.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2920	schtasks.exe	34

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000018722-10.dat	dcrat
behavioral2/memory/2464-13-0x0000000000010000-0x00000000002A2000-memory.dmp	dcrat
behavioral2/memory/944-56-0x00000000010A0000-0x0000000001332000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2464	hyperBrowser.exe
944	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2692	cmd.exe
2692	cmd.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Help\\explorer.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\explorer.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Microsoft Games\\Hearts\\es-ES\\taskhost.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\cmd.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\audiodg.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Help\\explorer.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\explorer.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\Start Menu\\Idle.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperBrowser = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\hyperBrowser.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\ChainSurrogateref\\cmd.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyperBrowser = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\hyperBrowser.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Microsoft Games\\Hearts\\es-ES\\taskhost.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\ChainSurrogateref\\cmd.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\Start Menu\\Idle.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperBrowser = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\hyperBrowser.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\cmd.exe\""	hyperBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyperBrowser = "\"C:\\Recovery\\3c6609c2-3a8b-11ef-9675-d685e2345d05\\hyperBrowser.exe\""	hyperBrowser.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
4	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ipinfo.io
10	ipinfo.io

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\ja-JP\hyperBrowser.exe	hyperBrowser.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\51b3f7860df0c6	hyperBrowser.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\taskhost.exe	hyperBrowser.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\b75386f1303e64	hyperBrowser.exe
File created	C:\Program Files\Windows Portable Devices\sppsvc.exe	hyperBrowser.exe
File created	C:\Program Files\Windows Portable Devices\0a1fd5f707cd16	hyperBrowser.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\wininit.exe	hyperBrowser.exe
File created	C:\Windows\Help\explorer.exe	hyperBrowser.exe
File created	C:\Windows\Help\7a0fd90576e088	hyperBrowser.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3000	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	cmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2600	schtasks.exe
1536	schtasks.exe
2700	schtasks.exe
2080	schtasks.exe
2928	schtasks.exe
1060	schtasks.exe
2620	schtasks.exe
2376	schtasks.exe
2300	schtasks.exe
2572	schtasks.exe
2988	schtasks.exe
1636	schtasks.exe
3064	schtasks.exe
2932	schtasks.exe
1684	schtasks.exe
304	schtasks.exe
644	schtasks.exe
3036	schtasks.exe
1796	schtasks.exe
2276	schtasks.exe
1724	schtasks.exe
768	schtasks.exe
1148	schtasks.exe
948	schtasks.exe
1804	schtasks.exe
1820	schtasks.exe
1056	schtasks.exe
1948	schtasks.exe
1088	schtasks.exe
600	schtasks.exe
2848	schtasks.exe
1044	schtasks.exe
1540	schtasks.exe
648	schtasks.exe
1628	schtasks.exe
1568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2464	hyperBrowser.exe
2464	hyperBrowser.exe
2464	hyperBrowser.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe
944	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	hyperBrowser.exe
Token: SeDebugPrivilege	944	cmd.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1072	2316	Cs2SteamEmul.exe	30
PID 2316 wrote to memory of 1072	2316	Cs2SteamEmul.exe	30
PID 2316 wrote to memory of 1072	2316	Cs2SteamEmul.exe	30
PID 2316 wrote to memory of 1072	2316	Cs2SteamEmul.exe	30
PID 1072 wrote to memory of 2692	1072	WScript.exe	31
PID 1072 wrote to memory of 2692	1072	WScript.exe	31
PID 1072 wrote to memory of 2692	1072	WScript.exe	31
PID 1072 wrote to memory of 2692	1072	WScript.exe	31
PID 2692 wrote to memory of 2464	2692	cmd.exe	33
PID 2692 wrote to memory of 2464	2692	cmd.exe	33
PID 2692 wrote to memory of 2464	2692	cmd.exe	33
PID 2692 wrote to memory of 2464	2692	cmd.exe	33
PID 2464 wrote to memory of 944	2464	hyperBrowser.exe	71
PID 2464 wrote to memory of 944	2464	hyperBrowser.exe	71
PID 2464 wrote to memory of 944	2464	hyperBrowser.exe	71
PID 2692 wrote to memory of 3000	2692	cmd.exe	72
PID 2692 wrote to memory of 3000	2692	cmd.exe	72
PID 2692 wrote to memory of 3000	2692	cmd.exe	72
PID 2692 wrote to memory of 3000	2692	cmd.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Cs2SteamEmul.exe
"C:\Users\Admin\AppData\Local\Temp\Cs2SteamEmul.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ChainSurrogateref\s70leb7kkd32CLdRUKa.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\ChainSurrogateref\xpD7eJ.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\ChainSurrogateref\hyperBrowser.exe
      "C:\ChainSurrogateref\hyperBrowser.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\cmd.exe
        
        "C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\cmd.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperBrowserh" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\hyperBrowser.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperBrowser" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\hyperBrowser.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperBrowserh" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\hyperBrowser.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Hearts\es-ES\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Hearts\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperBrowserh" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\hyperBrowser.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperBrowser" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\hyperBrowser.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperBrowserh" /sc MINUTE /mo 8 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\hyperBrowser.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\ChainSurrogateref\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\ChainSurrogateref\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\ChainSurrogateref\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Help\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Start Menu\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainSurrogateref\hyperBrowser.exe

Filesize
2.5MB

MD5
fb9e236436cde0a5a4eed038eaddcba0

SHA1
b952200d5fc543b905081e871d0f17cd86fe614f

SHA256
cbc2a097f5d12d79a5b79af092afba8eee19305a82e3663bcdf7a312bf3b6d49

SHA512
22c83c980a1df703d66f10ea11caaf187c9081c5b85039e4206f4a34418bc030af3baee128873e7bb6f45bd59132cc6191fd9fba3c8818d94c81105ec11a130c

Download Submit
C:\ChainSurrogateref\s70leb7kkd32CLdRUKa.vbe

Filesize
211B

MD5
4410becb8d48b0f40a82e8d65460e611

SHA1
23971351f410149ee5f076de87985cd6b4ab49dc

SHA256
ce4270f5351b45f9a102cb09b20dec64956cb4ab81a36fb6efa0689ab8755ce5

SHA512
539bfef68779f8c70a82346bb2410fe335a79cecba2c17f4d4f8d83e74ed85a6cd1d36ad4a55945b7283e73de65cec7aa45280c9f19e49a4d0f316857d42a3ed

Download Submit
C:\ChainSurrogateref\xpD7eJ.bat

Filesize
162B

MD5
eaa1aa25e323d5ea76d80a5ddbfeca3c

SHA1
a9ce156083afb97e63800dda5ee1e99d845b3a18

SHA256
7bd09663e812891268d97ecf21ea8d6669252fdcb2d3e24c9834252cadc21263

SHA512
f8d204db10ac0b32ebcd9266c4022d342fd2a7a520428eb585dbda826d79ed8744ed6dfd196821bb8bca6a786eabf77af2acbf0080db488e54b07abe1cf78aa7

Download Submit
memory/944-57-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/944-56-0x00000000010A0000-0x0000000001332000-memory.dmp

Filesize
2.6MB

Download
memory/2464-18-0x0000000000760000-0x00000000007B6000-memory.dmp

Filesize
344KB

Download
memory/2464-17-0x0000000000740000-0x0000000000748000-memory.dmp

Filesize
32KB

Download
memory/2464-16-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download
memory/2464-15-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/2464-19-0x0000000000750000-0x000000000075C000-memory.dmp

Filesize
48KB

Download
memory/2464-20-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2464-21-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download
memory/2464-22-0x0000000002190000-0x000000000219C000-memory.dmp

Filesize
48KB

Download
memory/2464-23-0x00000000021A0000-0x00000000021AE000-memory.dmp

Filesize
56KB

Download
memory/2464-24-0x00000000021B0000-0x00000000021BE000-memory.dmp

Filesize
56KB

Download
memory/2464-25-0x0000000002260000-0x000000000226A000-memory.dmp

Filesize
40KB

Download
memory/2464-14-0x0000000000700000-0x000000000071C000-memory.dmp

Filesize
112KB

Download
memory/2464-13-0x0000000000010000-0x00000000002A2000-memory.dmp

Filesize
2.6MB

Download