dcrat | 3e8d98d5d75618970deccaeeae5e39123263ff22db1ae594b08dd4109828c7d1

Resubmissions

21-08-2024 01:30

240821-bw3pdsxcnq 10

21-08-2024 01:25

240821-bs432sxbjp 10

Analysis

max time kernel
59s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc/13.exe
Size

1.2MB
MD5

0e90a6b8ff015b32ace2b13a8bd1f785
SHA1

8bcebbd2697eda52ef176dea6aca4ee72a10d22d
SHA256

b3666fcaa0b2feeefd63d47d4afb9c9bc7ff67be6d255743574ec4ba5b854d44
SHA512

15162684052d2c57954728828113bdf7841b06d59397c0cc98f9770e69240ebe54f272b2a014b5b340a601d9283d275bd8fffb61a9d7f478ef8f25b23fc18474
SSDEEP

24576:U2G/nvxW3Ww0tGpv+kLhpXB40kpvvfIEN0WecEDP3CQHf:UbA30bFfIEiJbCQ/

Score

10^/10

dcrat credential_access discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat 52 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exe13.exeschtasks.exeschtasks.exeschtasks.exeportcomsaves.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5060	schtasks.exe
4964	schtasks.exe
3916	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13.exe
3532	schtasks.exe
3044	schtasks.exe
4492	schtasks.exe
File created	C:\Windows\Tasks\886983d96e3d3e	portcomsaves.exe
File created	C:\Windows\it-IT\0a1fd5f707cd16	portcomsaves.exe
1840	schtasks.exe
3672	schtasks.exe
1972	schtasks.exe
2072	schtasks.exe
3612	schtasks.exe
3404	schtasks.exe
4856	schtasks.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\886983d96e3d3e	portcomsaves.exe
2644	schtasks.exe
2044	schtasks.exe
1428	schtasks.exe
1908	schtasks.exe
4680	schtasks.exe
4124	schtasks.exe
1800	schtasks.exe
3688	schtasks.exe
388	schtasks.exe
4184	schtasks.exe
2596	schtasks.exe
2084	schtasks.exe
1588	schtasks.exe
3912	schtasks.exe
3088	schtasks.exe
4120	schtasks.exe
3552	schtasks.exe
4772	schtasks.exe
1636	schtasks.exe
2292	schtasks.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\6cb0b6c459d5d3	portcomsaves.exe
704	schtasks.exe
4380	schtasks.exe
3468	schtasks.exe
4780	schtasks.exe
4108	schtasks.exe
4644	schtasks.exe
2328	schtasks.exe
716	schtasks.exe
4392	schtasks.exe
2884	schtasks.exe
File created	C:\Program Files\MSBuild\Microsoft\ee2ad38f3d4382	portcomsaves.exe
3132	schtasks.exe
3264	schtasks.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\9e8d7a4ca61bd9	portcomsaves.exe

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	1032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	1032	schtasks.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\MscomponentWeb\portcomsaves.exe	dcrat
behavioral3/memory/3468-13-0x0000000000060000-0x0000000000144000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2028 powershell.exe
1700 powershell.exe
3496 powershell.exe
1096 powershell.exe
4092 powershell.exe
776 powershell.exe
Downloads MZ/PE file

pid	process
2028	powershell.exe
1700	powershell.exe
3496	powershell.exe
1096	powershell.exe
4092	powershell.exe
776	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

13.exeWScript.exeportcomsaves.exeunsecapp.exeS6TKAMU5949A4J1.exeWScript.exeWebReviewWinSvc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	13.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	portcomsaves.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	S6TKAMU5949A4J1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WebReviewWinSvc.exe

Executes dropped EXE 5 IoCs

Processes:

portcomsaves.exeunsecapp.exeS6TKAMU5949A4J1.exeWebReviewWinSvc.exedwm.exe

pid process

3468 portcomsaves.exe
2400 unsecapp.exe
4308 S6TKAMU5949A4J1.exe
3588 WebReviewWinSvc.exe
4084 dwm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 11 IoCs

Processes:

portcomsaves.exeWebReviewWinSvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe	portcomsaves.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\6cb0b6c459d5d3	portcomsaves.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\886983d96e3d3e	portcomsaves.exe
File created	C:\Program Files\Windows Mail\SppExtComObj.exe	WebReviewWinSvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Registry.exe	portcomsaves.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Registry.exe	portcomsaves.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\9e8d7a4ca61bd9	portcomsaves.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\csrss.exe	portcomsaves.exe
File created	C:\Program Files\Windows Mail\e1ef82546f0b02	WebReviewWinSvc.exe
File created	C:\Program Files\MSBuild\Microsoft\ee2ad38f3d4382	portcomsaves.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe	portcomsaves.exe

Drops file in Windows directory 4 IoCs

Processes:

portcomsaves.exe

description	ioc	process
File created	C:\Windows\it-IT\sppsvc.exe	portcomsaves.exe
File created	C:\Windows\it-IT\0a1fd5f707cd16	portcomsaves.exe
File created	C:\Windows\Tasks\csrss.exe	portcomsaves.exe
File created	C:\Windows\Tasks\886983d96e3d3e	portcomsaves.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe13.exeWScript.execmd.exeS6TKAMU5949A4J1.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S6TKAMU5949A4J1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

3520 PING.EXE

pid	process
3520	PING.EXE

Modifies registry class 4 IoCs

Processes:

WebReviewWinSvc.exe13.exeportcomsaves.exeS6TKAMU5949A4J1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	WebReviewWinSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	13.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	portcomsaves.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	S6TKAMU5949A4J1.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3520 PING.EXE

pid	process
3520	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
704	schtasks.exe
4780	schtasks.exe
3404	schtasks.exe
4856	schtasks.exe
2084	schtasks.exe
3688	schtasks.exe
2884	schtasks.exe
2644	schtasks.exe
1908	schtasks.exe
4124	schtasks.exe
2072	schtasks.exe
5060	schtasks.exe
3044	schtasks.exe
4108	schtasks.exe
1840	schtasks.exe
1588	schtasks.exe
388	schtasks.exe
2292	schtasks.exe
3132	schtasks.exe
1800	schtasks.exe
1972	schtasks.exe
3916	schtasks.exe
4380	schtasks.exe
3672	schtasks.exe
4772	schtasks.exe
3552	schtasks.exe
4644	schtasks.exe
1636	schtasks.exe
3088	schtasks.exe
2328	schtasks.exe
2596	schtasks.exe
3532	schtasks.exe
4184	schtasks.exe
4120	schtasks.exe
3264	schtasks.exe
3912	schtasks.exe
4492	schtasks.exe
4392	schtasks.exe
4964	schtasks.exe
1428	schtasks.exe
716	schtasks.exe
4680	schtasks.exe
3612	schtasks.exe
2044	schtasks.exe
3468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

portcomsaves.exeunsecapp.exeWebReviewWinSvc.exe

pid	process
3468	portcomsaves.exe
3468	portcomsaves.exe
3468	portcomsaves.exe
3468	portcomsaves.exe
3468	portcomsaves.exe
2400	unsecapp.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe
3588	WebReviewWinSvc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

portcomsaves.exeunsecapp.exeWebReviewWinSvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	3468	portcomsaves.exe
Token: SeDebugPrivilege	2400	unsecapp.exe
Token: SeDebugPrivilege	3588	WebReviewWinSvc.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	4084	dwm.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

13.exeWScript.execmd.exeportcomsaves.execmd.exeunsecapp.exeS6TKAMU5949A4J1.exeWScript.execmd.exeWebReviewWinSvc.execmd.exe

description	pid	process	target process
PID 3868 wrote to memory of 1744	3868	13.exe	WScript.exe
PID 3868 wrote to memory of 1744	3868	13.exe	WScript.exe
PID 3868 wrote to memory of 1744	3868	13.exe	WScript.exe
PID 1744 wrote to memory of 3320	1744	WScript.exe	cmd.exe
PID 1744 wrote to memory of 3320	1744	WScript.exe	cmd.exe
PID 1744 wrote to memory of 3320	1744	WScript.exe	cmd.exe
PID 3320 wrote to memory of 3468	3320	cmd.exe	portcomsaves.exe
PID 3320 wrote to memory of 3468	3320	cmd.exe	portcomsaves.exe
PID 3468 wrote to memory of 208	3468	portcomsaves.exe	cmd.exe
PID 3468 wrote to memory of 208	3468	portcomsaves.exe	cmd.exe
PID 208 wrote to memory of 4876	208	cmd.exe	w32tm.exe
PID 208 wrote to memory of 4876	208	cmd.exe	w32tm.exe
PID 208 wrote to memory of 2400	208	cmd.exe	unsecapp.exe
PID 208 wrote to memory of 2400	208	cmd.exe	unsecapp.exe
PID 2400 wrote to memory of 4308	2400	unsecapp.exe	S6TKAMU5949A4J1.exe
PID 2400 wrote to memory of 4308	2400	unsecapp.exe	S6TKAMU5949A4J1.exe
PID 2400 wrote to memory of 4308	2400	unsecapp.exe	S6TKAMU5949A4J1.exe
PID 4308 wrote to memory of 4684	4308	S6TKAMU5949A4J1.exe	WScript.exe
PID 4308 wrote to memory of 4684	4308	S6TKAMU5949A4J1.exe	WScript.exe
PID 4308 wrote to memory of 4684	4308	S6TKAMU5949A4J1.exe	WScript.exe
PID 4684 wrote to memory of 1120	4684	WScript.exe	cmd.exe
PID 4684 wrote to memory of 1120	4684	WScript.exe	cmd.exe
PID 4684 wrote to memory of 1120	4684	WScript.exe	cmd.exe
PID 1120 wrote to memory of 3588	1120	cmd.exe	WebReviewWinSvc.exe
PID 1120 wrote to memory of 3588	1120	cmd.exe	WebReviewWinSvc.exe
PID 3588 wrote to memory of 776	3588	WebReviewWinSvc.exe	powershell.exe
PID 3588 wrote to memory of 776	3588	WebReviewWinSvc.exe	powershell.exe
PID 3588 wrote to memory of 4092	3588	WebReviewWinSvc.exe	powershell.exe
PID 3588 wrote to memory of 4092	3588	WebReviewWinSvc.exe	powershell.exe
PID 3588 wrote to memory of 2028	3588	WebReviewWinSvc.exe	powershell.exe
PID 3588 wrote to memory of 2028	3588	WebReviewWinSvc.exe	powershell.exe
PID 3588 wrote to memory of 1096	3588	WebReviewWinSvc.exe	powershell.exe
PID 3588 wrote to memory of 1096	3588	WebReviewWinSvc.exe	powershell.exe
PID 3588 wrote to memory of 3496	3588	WebReviewWinSvc.exe	powershell.exe
PID 3588 wrote to memory of 3496	3588	WebReviewWinSvc.exe	powershell.exe
PID 3588 wrote to memory of 1700	3588	WebReviewWinSvc.exe	powershell.exe
PID 3588 wrote to memory of 1700	3588	WebReviewWinSvc.exe	powershell.exe
PID 3588 wrote to memory of 5012	3588	WebReviewWinSvc.exe	cmd.exe
PID 3588 wrote to memory of 5012	3588	WebReviewWinSvc.exe	cmd.exe
PID 5012 wrote to memory of 3544	5012	cmd.exe	chcp.com
PID 5012 wrote to memory of 3544	5012	cmd.exe	chcp.com
PID 5012 wrote to memory of 3520	5012	cmd.exe	PING.EXE
PID 5012 wrote to memory of 3520	5012	cmd.exe	PING.EXE
PID 5012 wrote to memory of 4084	5012	cmd.exe	dwm.exe
PID 5012 wrote to memory of 4084	5012	cmd.exe	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dc\13.exe
"C:\Users\Admin\AppData\Local\Temp\dc\13.exe"
1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\MscomponentWeb\Ajq0LiyGA4dp4B6y7RCardhOvOc96.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\MscomponentWeb\bav1c.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\MscomponentWeb\portcomsaves.exe
      "C:\MscomponentWeb\portcomsaves.exe"
      4⤵
      DcRat
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3t4vUbSxnE.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:208
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4876
      - C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\S6TKAMU5949A4J1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S6TKAMU5949A4J1.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PortsurrogateWinhostdhcp\ya0aIw.vbe"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\PortsurrogateWinhostdhcp\AW1Fe6Q61HGStQsO0.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe
        
        "C:\PortsurrogateWinhostdhcp/WebReviewWinSvc.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MscomponentWeb\RuntimeBroker.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\SppExtComObj.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\smss.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\dwm.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BACj9zy1qr.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3520
        
        C:\Users\Public\Downloads\dwm.exe
        
        "C:\Users\Public\Downloads\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MscomponentWeb\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MscomponentWeb\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MscomponentWeb\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\MscomponentWeb\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MscomponentWeb\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\MscomponentWeb\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Downloads\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebReviewWinSvcW" /sc MINUTE /mo 10 /tr "'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebReviewWinSvc" /sc ONLOGON /tr "'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebReviewWinSvcW" /sc MINUTE /mo 12 /tr "'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MscomponentWeb\Ajq0LiyGA4dp4B6y7RCardhOvOc96.vbe

Filesize
196B

MD5
13579f2c66aff36b0951cc96a81faea9

SHA1
b87899593eb3ea79e549001abb583b538427c89c

SHA256
7738df5036cf82a1a9f7c30d62f93d754b7862a8b9d5196b9c14530445de6bba

SHA512
73a9e7a2d83fec3d88ec49fdaa9736c7888b92a950abf99f9aeba5644add9026278f27d831a6a0bf6f06bd161a706ef511d3ea841840137a77fa0852db08eb3f

Download Submit
C:\MscomponentWeb\bav1c.bat

Filesize
36B

MD5
1bee830476b6ccaed1e83b4c7b59ea10

SHA1
570969283b16a760a1680430a8b9a807b1ce6fe0

SHA256
9ac5e3e2e9cc9e0b3083396784fac9d63405a68e23acdd5dc2bc1d127c410737

SHA512
01578443157479c2dc06f174642f7caafa4efdea38ea167558c496a67b1e07b5f5abef1f8c5342adbd6346f341506ef97e4307adb6baa7a0c9d51518448bc6d5

Download Submit
C:\MscomponentWeb\portcomsaves.exe

Filesize
881KB

MD5
8609eb4e5eb8288c61a072ae220f0b3c

SHA1
71351f226293b3544e53050c072141d93588cee9

SHA256
21f749db25fbc599593ff2ed109eb4854e5f1b5f9187341a51774d9bd9af1084

SHA512
d17d24eb0da9f3690eceb1b794e05d9170e00c8acc5a31c66a09615c0c2003e02aaf69c5e1a79ec8a916d9d77dcc0933ee7bd92548066cf2c86f8e63ba3e5961

Download Submit
C:\PortsurrogateWinhostdhcp\AW1Fe6Q61HGStQsO0.bat

Filesize
92B

MD5
7a0242e21fbe67928f8bb2a34df50776

SHA1
79e56085bc21f93a0f6a6f9141e65e56f15250ac

SHA256
bf8d81fbca5474b93fdadc88c08d3c97c8458a4985339b575cfea79cd1808beb

SHA512
3a14220e9881aff2a2ee1fb8427e9e546ee08cbea80a753217e0424ecd284cc5284323caadd4592d01e493c74609c77f49249c7305185832de993a6ddd384896

Download Submit
C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe

Filesize
1.9MB

MD5
b9ae6cecac930e2d1ab60253e735a423

SHA1
bb4da2c1ca3802ecb9743871daed567fdfec55ed

SHA256
1e1a1ba9b92b5c91284b94606192c66fafe90db8c08c1aa748bf990e488f0a57

SHA512
04d621a1dcd636c6fd796862f6c982c5715516837d55ef32ecec441a36d0e6d132777c1bad9bffa1b5e264316e4d7969fa7e9d43eb6b68fb5c49034cf67ba93b

Download Submit
C:\PortsurrogateWinhostdhcp\ya0aIw.vbe

Filesize
219B

MD5
ad58de97ade18e52cfb2e41c4e5e44dd

SHA1
fe841efc401030312934c1f99d4d791fc436ee2a

SHA256
949429a184c0e107f49eafe6e4997d358d53864911a2f0837f4bf2ef443dac53

SHA512
f2bbe1a7018eff02062734f504193f148f7e8382e1dd722d013fd3bc94f6d823bfc3acfc267a92bcf894231717a8f5daa7da4403cc0c8d58bc9c2abc5bee7792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3t4vUbSxnE.bat

Filesize
199B

MD5
b4351e86a2362fd912247c968117eff0

SHA1
9e053ebe3682d0cfc2adfa56f0dd48db65e7120c

SHA256
8e760f0cb4eb9cd5fc9097cdfaf39a205bc06e7474d3eae97c448cacb5113b08

SHA512
631a7287f3b2b701f279e7b639973126f97413872508447e9721d3370dafc03d01ecc44ff12ca6f27e20ccc1aa5822a7888bd9bc551fde18ca05b606d7fa1ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BACj9zy1qr.bat

Filesize
161B

MD5
4e15cc78a1b710f0012187063a5a5c3c

SHA1
7bade81886de0af7244277ce33081c9f9c77fa80

SHA256
93d595dd2a733dd26754eda5e1d527bb5b7fb10c556c25464329890fd6a9dbd0

SHA512
1642ac27843e9a55ef4d9ccd148b76dda87ac8bba33fd1710763780065f6ea522a97c7787a3ea8f59ddc288211d68907c1020fb29002e58fdee6d9222bb9251c

Download Submit
C:\Users\Admin\AppData\Local\Temp\S6TKAMU5949A4J1.exe

Filesize
2.2MB

MD5
51e9fd97423e9b74aea906f0ce0dcd71

SHA1
4dcce453a3f6a6624827b2075afff043e3921491

SHA256
059b3f10324e5234e9d76365d78dad2e6f9d807c75100f103c5cdc6eefbaf464

SHA512
8ff65be5a76f342255e93fc89a304e91f9d6d8af9de679d77977186224313db381f1e778a4c2302978ac51df69f6e9e0d19f135717b55690dd9bb93451af5aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54vckkmb.q0i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3468-14-0x0000000002250000-0x000000000225C000-memory.dmp

Filesize
48KB

Download
memory/3468-13-0x0000000000060000-0x0000000000144000-memory.dmp

Filesize
912KB

Download
memory/3468-12-0x00007FF8043A3000-0x00007FF8043A5000-memory.dmp

Filesize
8KB

Download
memory/3496-95-0x000001EDA6120000-0x000001EDA6142000-memory.dmp

Filesize
136KB

Download
memory/3588-73-0x0000000003240000-0x000000000324C000-memory.dmp

Filesize
48KB

Download
memory/3588-71-0x0000000003220000-0x000000000322E000-memory.dmp

Filesize
56KB

Download
memory/3588-69-0x000000001BCF0000-0x000000001BD08000-memory.dmp

Filesize
96KB

Download
memory/3588-100-0x000000001CA60000-0x000000001CB09000-memory.dmp

Filesize
676KB

Download
memory/3588-67-0x000000001BD40000-0x000000001BD90000-memory.dmp

Filesize
320KB

Download
memory/3588-66-0x000000001BCD0000-0x000000001BCEC000-memory.dmp

Filesize
112KB

Download
memory/3588-64-0x0000000003210000-0x000000000321E000-memory.dmp

Filesize
56KB

Download
memory/3588-62-0x0000000000E90000-0x0000000001076000-memory.dmp

Filesize
1.9MB

Download
memory/4084-168-0x000000001C200000-0x000000001C2A9000-memory.dmp

Filesize
676KB

Download