dcrat | 3e8d98d5d75618970deccaeeae5e39123263ff22db1ae594b08dd4109828c7d1

Resubmissions

21-08-2024 01:30

240821-bw3pdsxcnq 10

21-08-2024 01:25

240821-bs432sxbjp 10

Analysis

max time kernel
34s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc/5.exe
Size

1.5MB
MD5

bd14830a138c0095dca4aa1f0286ab64
SHA1

d2496162caf083f7da2798a87c2b31dee785407b
SHA256

6bbe69a4d43bcdbe194fd79cbc4e02eeac6f23c6eac0b88b7ba4425be891104f
SHA512

0f256578c87b3f6a35d3c7355dc3b60528cc624d091918ca65c73ee71ed8b06ecfcf19789e9ae067338be379b3af3bd41424deb36753e2432622d8b4d4ad3f9c
SSDEEP

24576:U2G/nvxW3Ww0tSQPN1+7zNSQ6lXSvfyV5rUFuS59v2xNXx9qYdzUek:UbA30SQPyGb5rUcU9vOAOUN

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe5.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exesurrogatecontainerSession.exe

pid	process
4796	schtasks.exe
3352	schtasks.exe
4120	schtasks.exe
3452	schtasks.exe
1472	schtasks.exe
3200	schtasks.exe
8	schtasks.exe
2832	schtasks.exe
4796	schtasks.exe
4132	schtasks.exe
1400	schtasks.exe
4468	schtasks.exe
3576	schtasks.exe
692	schtasks.exe
3452	schtasks.exe
3792	schtasks.exe
2996	schtasks.exe
4660	schtasks.exe
3448	schtasks.exe
5052	schtasks.exe
2320	schtasks.exe
2808	schtasks.exe
3608	schtasks.exe
1336	schtasks.exe
64	schtasks.exe
1776	schtasks.exe
3828	schtasks.exe
2024	schtasks.exe
2424	schtasks.exe
4456	schtasks.exe
2568	schtasks.exe
4856	schtasks.exe
3460	schtasks.exe
2068	schtasks.exe
3896	schtasks.exe
4676	schtasks.exe
2880	schtasks.exe
4156	schtasks.exe
4436	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5.exe
3364	schtasks.exe
4800	schtasks.exe
408	schtasks.exe
4320	schtasks.exe
2260	schtasks.exe
4160	schtasks.exe
2564	schtasks.exe
1656	schtasks.exe
3400	schtasks.exe
2128	schtasks.exe
3652	schtasks.exe
3868	schtasks.exe
2740	schtasks.exe
2628	schtasks.exe
692	schtasks.exe
4408	schtasks.exe
1780	schtasks.exe
5008	schtasks.exe
4332	schtasks.exe
3504	schtasks.exe
4780	schtasks.exe
3364	schtasks.exe
3432	schtasks.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\9e8d7a4ca61bd9	surrogatecontainerSession.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	4772	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\comintomonitor\surrogatecontainerSession.exe	dcrat
behavioral12/memory/4172-13-0x0000000000DA0000-0x0000000000EE2000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

surrogatecontainerSession.exe5.exeWScript.exesurrogatecontainerSession.exesurrogatecontainerSession.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	surrogatecontainerSession.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	surrogatecontainerSession.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	surrogatecontainerSession.exe

Executes dropped EXE 4 IoCs

Processes:

surrogatecontainerSession.exesurrogatecontainerSession.exesurrogatecontainerSession.exeSppExtComObj.exe

pid process

4172 surrogatecontainerSession.exe
4924 surrogatecontainerSession.exe
2872 surrogatecontainerSession.exe
4736 SppExtComObj.exe

Drops file in Program Files directory 19 IoCs

Processes:

surrogatecontainerSession.exesurrogatecontainerSession.exesurrogatecontainerSession.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\OfficeClickToRun.exe	surrogatecontainerSession.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe	surrogatecontainerSession.exe
File created	C:\Program Files\Common Files\DESIGNER\surrogatecontainerSession.exe	surrogatecontainerSession.exe
File created	C:\Program Files\Google\Chrome\1a3459b80c2061	surrogatecontainerSession.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ea9f0e6c9e2dcd	surrogatecontainerSession.exe
File created	C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe	surrogatecontainerSession.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe	surrogatecontainerSession.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\5940a34987c991	surrogatecontainerSession.exe
File created	C:\Program Files\Windows Media Player\fr-FR\9e8d7a4ca61bd9	surrogatecontainerSession.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe	surrogatecontainerSession.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\9e8d7a4ca61bd9	surrogatecontainerSession.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe	surrogatecontainerSession.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\29c1c3cc0f7685	surrogatecontainerSession.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\dllhost.exe	surrogatecontainerSession.exe
File created	C:\Program Files\Common Files\DESIGNER\1a3459b80c2061	surrogatecontainerSession.exe
File created	C:\Program Files\Google\Chrome\surrogatecontainerSession.exe	surrogatecontainerSession.exe
File created	C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe	surrogatecontainerSession.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\121e5b5079f7c0	surrogatecontainerSession.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\56085415360792	surrogatecontainerSession.exe

Drops file in Windows directory 6 IoCs

Processes:

surrogatecontainerSession.exe

description	ioc	process
File created	C:\Windows\INF\ServiceModelService 3.0.0.0\0000\RuntimeBroker.exe	surrogatecontainerSession.exe
File created	C:\Windows\INF\ServiceModelService 3.0.0.0\0000\9e8d7a4ca61bd9	surrogatecontainerSession.exe
File created	C:\Windows\DigitalLocker\conhost.exe	surrogatecontainerSession.exe
File opened for modification	C:\Windows\DigitalLocker\conhost.exe	surrogatecontainerSession.exe
File created	C:\Windows\DigitalLocker\088424020bedd6	surrogatecontainerSession.exe
File created	C:\Windows\ImmersiveControlPanel\en-US\SppExtComObj.exe	surrogatecontainerSession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 3 IoCs

Processes:

5.exesurrogatecontainerSession.exesurrogatecontainerSession.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	5.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	surrogatecontainerSession.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	surrogatecontainerSession.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4408	schtasks.exe
4856	schtasks.exe
2628	schtasks.exe
3464	schtasks.exe
2320	schtasks.exe
3364	schtasks.exe
3792	schtasks.exe
2996	schtasks.exe
2564	schtasks.exe
2128	schtasks.exe
5052	schtasks.exe
1776	schtasks.exe
3828	schtasks.exe
2880	schtasks.exe
2024	schtasks.exe
3576	schtasks.exe
512	schtasks.exe
3708	schtasks.exe
1656	schtasks.exe
1568	schtasks.exe
4456	schtasks.exe
1768	schtasks.exe
4160	schtasks.exe
4060	schtasks.exe
5008	schtasks.exe
4660	schtasks.exe
3432	schtasks.exe
4332	schtasks.exe
3364	schtasks.exe
4436	schtasks.exe
4156	schtasks.exe
4800	schtasks.exe
1780	schtasks.exe
3652	schtasks.exe
3496	schtasks.exe
2740	schtasks.exe
4812	schtasks.exe
2424	schtasks.exe
2808	schtasks.exe
64	schtasks.exe
3640	schtasks.exe
2832	schtasks.exe
4468	schtasks.exe
3352	schtasks.exe
1336	schtasks.exe
4132	schtasks.exe
3896	schtasks.exe
3008	schtasks.exe
692	schtasks.exe
4736	schtasks.exe
3564	schtasks.exe
4852	schtasks.exe
1400	schtasks.exe
2260	schtasks.exe
3200	schtasks.exe
3868	schtasks.exe
4796	schtasks.exe
4780	schtasks.exe
3140	schtasks.exe
3608	schtasks.exe
8	schtasks.exe
3504	schtasks.exe
408	schtasks.exe
2068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

surrogatecontainerSession.exesurrogatecontainerSession.exesurrogatecontainerSession.exeSppExtComObj.exe

pid	process
4172	surrogatecontainerSession.exe
4924	surrogatecontainerSession.exe
4924	surrogatecontainerSession.exe
4924	surrogatecontainerSession.exe
2872	surrogatecontainerSession.exe
2872	surrogatecontainerSession.exe
2872	surrogatecontainerSession.exe
2872	surrogatecontainerSession.exe
2872	surrogatecontainerSession.exe
2872	surrogatecontainerSession.exe
2872	surrogatecontainerSession.exe
2872	surrogatecontainerSession.exe
2872	surrogatecontainerSession.exe
2872	surrogatecontainerSession.exe
2872	surrogatecontainerSession.exe
2872	surrogatecontainerSession.exe
2872	surrogatecontainerSession.exe
4736	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

surrogatecontainerSession.exesurrogatecontainerSession.exesurrogatecontainerSession.exeSppExtComObj.exe

description	pid	process
Token: SeDebugPrivilege	4172	surrogatecontainerSession.exe
Token: SeDebugPrivilege	4924	surrogatecontainerSession.exe
Token: SeDebugPrivilege	2872	surrogatecontainerSession.exe
Token: SeDebugPrivilege	4736	SppExtComObj.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5.exeWScript.execmd.exesurrogatecontainerSession.exesurrogatecontainerSession.execmd.exesurrogatecontainerSession.execmd.exe

description	pid	process	target process
PID 3608 wrote to memory of 2156	3608	5.exe	WScript.exe
PID 3608 wrote to memory of 2156	3608	5.exe	WScript.exe
PID 3608 wrote to memory of 2156	3608	5.exe	WScript.exe
PID 2156 wrote to memory of 4380	2156	WScript.exe	cmd.exe
PID 2156 wrote to memory of 4380	2156	WScript.exe	cmd.exe
PID 2156 wrote to memory of 4380	2156	WScript.exe	cmd.exe
PID 4380 wrote to memory of 4172	4380	cmd.exe	surrogatecontainerSession.exe
PID 4380 wrote to memory of 4172	4380	cmd.exe	surrogatecontainerSession.exe
PID 4172 wrote to memory of 4924	4172	surrogatecontainerSession.exe	surrogatecontainerSession.exe
PID 4172 wrote to memory of 4924	4172	surrogatecontainerSession.exe	surrogatecontainerSession.exe
PID 4924 wrote to memory of 4176	4924	surrogatecontainerSession.exe	cmd.exe
PID 4924 wrote to memory of 4176	4924	surrogatecontainerSession.exe	cmd.exe
PID 4176 wrote to memory of 1336	4176	cmd.exe	w32tm.exe
PID 4176 wrote to memory of 1336	4176	cmd.exe	w32tm.exe
PID 4176 wrote to memory of 2872	4176	cmd.exe	surrogatecontainerSession.exe
PID 4176 wrote to memory of 2872	4176	cmd.exe	surrogatecontainerSession.exe
PID 2872 wrote to memory of 2968	2872	surrogatecontainerSession.exe	cmd.exe
PID 2872 wrote to memory of 2968	2872	surrogatecontainerSession.exe	cmd.exe
PID 2968 wrote to memory of 1976	2968	cmd.exe	w32tm.exe
PID 2968 wrote to memory of 1976	2968	cmd.exe	w32tm.exe
PID 2968 wrote to memory of 4736	2968	cmd.exe	SppExtComObj.exe
PID 2968 wrote to memory of 4736	2968	cmd.exe	SppExtComObj.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dc\5.exe
"C:\Users\Admin\AppData\Local\Temp\dc\5.exe"
1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comintomonitor\hYqofXS.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\comintomonitor\24FWoNBdD5S8yo.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\comintomonitor\surrogatecontainerSession.exe
      "C:\comintomonitor\surrogatecontainerSession.exe"
      4⤵
      DcRat
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\comintomonitor\surrogatecontainerSession.exe
        
        "C:\comintomonitor\surrogatecontainerSession.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\25bXKWFRli.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1336
        
        C:\comintomonitor\surrogatecontainerSession.exe
        
        "C:\comintomonitor\surrogatecontainerSession.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W4TeTCPl25.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1976
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogatecontainerSessions" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\DESIGNER\surrogatecontainerSession.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogatecontainerSession" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\surrogatecontainerSession.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogatecontainerSessions" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\DESIGNER\surrogatecontainerSession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogatecontainerSessions" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\surrogatecontainerSession.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogatecontainerSession" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\surrogatecontainerSession.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogatecontainerSessions" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\surrogatecontainerSession.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\comintomonitor\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\comintomonitor\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\comintomonitor\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\PackageManifests\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\ServiceModelService 3.0.0.0\0000\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\INF\ServiceModelService 3.0.0.0\0000\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\INF\ServiceModelService 3.0.0.0\0000\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\comintomonitor\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\comintomonitor\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\comintomonitor\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Oracle\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Oracle\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\comintomonitor\System.exe'" /f
1⤵
- DcRat
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\comintomonitor\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\comintomonitor\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\886983d96e3d3e

Filesize
59B

MD5
dc10b1d6843808d925832371a00ef02c

SHA1
e41cbbd464ae5dbd7c039d521e737bb086cdcf5d

SHA256
4a5e88b11b1b920ba8e8e5b8d1d02d95bbab2559e6d53a639b521413591b8f5a

SHA512
f7746a2b36c37b5f9049ad96cd10ac0d49d175203c8ea628ece80bd33c3ca44205b7397b04796dffb42bec02701f78a4290efae375605c8dd0a29baa1b2655f0

Download Submit
C:\Recovery\WindowsRE\e1ef82546f0b02

Filesize
524B

MD5
63ab3a0c62f9f94b87c4050847dce5d2

SHA1
10ddc4476df0ea596acbcc0c1f1080723566d4ca

SHA256
0f78f40f9440e77664da9b07b187935d5682afb5840d9f2320017500d85c517a

SHA512
9148e152d63af96c6f6c0b3a3390ffc329e8407bd360af9ceaa08d53aa4d213bf259377c12ee642072f9574210e571f8557cee1eba099c49ded9cbdb6e98b63b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\surrogatecontainerSession.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\25bXKWFRli.bat

Filesize
212B

MD5
48af1cff452dfac2aee481de14093dec

SHA1
f20e781d8f6ec3d6e05d3c5f513ec51050afe04a

SHA256
7b55b63ba34a58176ba290e9bc44765887ab72477d2ad13ac14c2eda962ac33b

SHA512
3379cb941e799c93e3665b350090ba91d6308af9226ac2bb56547bc89a892129004bd776cfe15d5fcf13dc94df39f3bd727356c5bff76210b63bde0677a43ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\W4TeTCPl25.bat

Filesize
203B

MD5
2df6c141c1edf60a349fc7d9b7566222

SHA1
0a0e84eabd2847c71d52a169e768877c38a9f27e

SHA256
c5d1f76344fc2ac37c5d20fa81f74a6c9b2e630dcf4df28181504bc57f6d0c41

SHA512
b4347df4ef8d6be8ce7ce0459a72bdbfa05d0efccf362d149444598b60fb05d1af8e62f28df80feeadd9f0e1216db0fc0b4b3f9a5e1a44bfeb16eb20cddd32db

Download Submit
C:\comintomonitor\24FWoNBdD5S8yo.bat

Filesize
49B

MD5
e4ed0ca1c0f6f8f246dfd45c42256436

SHA1
9e498435f66bac32394e53072c9a7df51230337a

SHA256
2d93a35b9f7489c63892b6db64a13d7db9d849e28f0461e33c69b576ea889ff1

SHA512
072e682366368bb99139943df5f26810288af6e846bb0a7878f3a1bc75b8c2b05b87b9ff3f029a24d11875af8d85bc6c92fdaebff88d8767619d68caa435e67c

Download Submit
C:\comintomonitor\hYqofXS.vbe

Filesize
205B

MD5
a0036facf019acdbb4768c7303f99e50

SHA1
70a457d1b2acf49d415ff16b02df38957d10f33d

SHA256
f71e41857c0ccd8eec062e9702466e9a439c8742ef5a1b94bf00c55ceddb38b8

SHA512
1ff3b20a133ec60d9cfe65836101756469d1df0021e47dd512b66a921291456ef6d92dbedb752b69720c5ed0e8ff63ffb489fa24df1637b195a8ff2f72ee6887

Download Submit
C:\comintomonitor\surrogatecontainerSession.exe

Filesize
1.2MB

MD5
a6d61a6dfab83acb54f297fb9c53feb8

SHA1
0b836c25ed921dd3042f623dfeea9b9bb227dfd7

SHA256
9e0f7fcce9a2affe76db9655affa922d274fca21d8c2f28776517759aceb8170

SHA512
f5393d1ce9c4c798dee28338c0046c698086d024f8eb9384e775f6481da1976b41777dd9fc871c1954607fdc4cf9a66e7c77006766b8032ce68eb0a8eac7c1d6

Download Submit
memory/4172-15-0x000000001BA70000-0x000000001BAC0000-memory.dmp

Filesize
320KB

Download
memory/4172-18-0x00000000015E0000-0x00000000015EC000-memory.dmp

Filesize
48KB

Download
memory/4172-17-0x00000000015A0000-0x00000000015AE000-memory.dmp

Filesize
56KB

Download
memory/4172-16-0x000000001BA20000-0x000000001BA36000-memory.dmp

Filesize
88KB

Download
memory/4172-14-0x00000000015C0000-0x00000000015DC000-memory.dmp

Filesize
112KB

Download
memory/4172-13-0x0000000000DA0000-0x0000000000EE2000-memory.dmp

Filesize
1.3MB

Download
memory/4172-12-0x00007FFAA5D23000-0x00007FFAA5D25000-memory.dmp

Filesize
8KB

Download