dcrat | 557c665f347b5b329b2143090a260da91341dd87bbd989b33e79bd7d7367b331

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26-08-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe
Size

2.9MB
MD5

785607a320f7338a45583ba5a4351cfc
SHA1

89ef702587884d38b07ebe0f7353e708d9569a62
SHA256

1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd
SHA512

045dd570ee1276be438381228e3aa69a14b8c91fdf9a0a20faf12c6ebb448aae18fac897b796075c09acb2af09190eadccbf6fa3a73bb94ad8675c2e3729a3e6
SSDEEP

49152:UbA30ZgGhRYDGAYWw3l1J6ubWTUxs0UNOQ/rPRDQNtSLOGRw+zNlrN:UbyvDMWUHJ6uoU+EQ/rS+OG+0N

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2652	schtasks.exe	34

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	BlockDriverSession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	BlockDriverSession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BlockDriverSession.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015d8b-9.dat	dcrat
behavioral1/memory/2784-13-0x0000000000F10000-0x00000000011B6000-memory.dmp	dcrat
behavioral1/memory/2104-68-0x0000000000C00000-0x0000000000EA6000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2784	BlockDriverSession.exe
2104	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2496	cmd.exe
2496	cmd.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BlockDriverSession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BlockDriverSession.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\bg-BG\WmiPrvSE.exe	BlockDriverSession.exe
File created	C:\Windows\System32\bg-BG\24dbde2999530e	BlockDriverSession.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\BlockDriverSession.exe	BlockDriverSession.exe
File created	C:\Program Files\Internet Explorer\es-ES\cmd.exe	BlockDriverSession.exe
File created	C:\Program Files (x86)\MSBuild\dllhost.exe	BlockDriverSession.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\winlogon.exe	BlockDriverSession.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\cc11b995f2a76d	BlockDriverSession.exe
File created	C:\Program Files\Internet Explorer\es-ES\ebf1f9fa8afd6d	BlockDriverSession.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe	BlockDriverSession.exe
File created	C:\Program Files\7-Zip\Lang\smss.exe	BlockDriverSession.exe
File created	C:\Program Files (x86)\Google\Temp\OSPPSVC.exe	BlockDriverSession.exe
File created	C:\Program Files (x86)\Google\Temp\1610b97d3ab4a7	BlockDriverSession.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\46569ad908b6c7	BlockDriverSession.exe
File created	C:\Program Files\7-Zip\Lang\69ddcba757bf72	BlockDriverSession.exe
File created	C:\Program Files (x86)\MSBuild\5940a34987c991	BlockDriverSession.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\cc11b995f2a76d	BlockDriverSession.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\servicing\de-DE\csrss.exe	BlockDriverSession.exe
File created	C:\Windows\winsxs\services.exe	BlockDriverSession.exe
File created	C:\Windows\IME\IMETC10\HELP\conhost.exe	BlockDriverSession.exe
File opened for modification	C:\Windows\IME\IMETC10\HELP\conhost.exe	BlockDriverSession.exe
File created	C:\Windows\IME\IMETC10\HELP\088424020bedd6	BlockDriverSession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
596	schtasks.exe
2292	schtasks.exe
1164	schtasks.exe
2900	schtasks.exe
3012	schtasks.exe
2916	schtasks.exe
1704	schtasks.exe
1588	schtasks.exe
340	schtasks.exe
1444	schtasks.exe
2584	schtasks.exe
688	schtasks.exe
1688	schtasks.exe
332	schtasks.exe
1524	schtasks.exe
1396	schtasks.exe
2540	schtasks.exe
992	schtasks.exe
2432	schtasks.exe
2456	schtasks.exe
2640	schtasks.exe
1472	schtasks.exe
784	schtasks.exe
1584	schtasks.exe
2264	schtasks.exe
2232	schtasks.exe
2612	schtasks.exe
2076	schtasks.exe
796	schtasks.exe
956	schtasks.exe
2884	schtasks.exe
1580	schtasks.exe
2560	schtasks.exe
1912	schtasks.exe
1868	schtasks.exe
2740	schtasks.exe
3032	schtasks.exe
3016	schtasks.exe
2372	schtasks.exe
1100	schtasks.exe
968	schtasks.exe
3068	schtasks.exe
1700	schtasks.exe
2672	schtasks.exe
3040	schtasks.exe
2724	schtasks.exe
1788	schtasks.exe
3048	schtasks.exe
2392	schtasks.exe
2332	schtasks.exe
1344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2784	BlockDriverSession.exe
2784	BlockDriverSession.exe
2784	BlockDriverSession.exe
2104	taskhost.exe
2104	taskhost.exe
2104	taskhost.exe
2104	taskhost.exe
2104	taskhost.exe
2104	taskhost.exe
2104	taskhost.exe
2104	taskhost.exe
2104	taskhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2104	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	BlockDriverSession.exe
Token: SeDebugPrivilege	2104	taskhost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 484	1992	1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe	30
PID 1992 wrote to memory of 484	1992	1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe	30
PID 1992 wrote to memory of 484	1992	1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe	30
PID 1992 wrote to memory of 484	1992	1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe	30
PID 484 wrote to memory of 2496	484	WScript.exe	31
PID 484 wrote to memory of 2496	484	WScript.exe	31
PID 484 wrote to memory of 2496	484	WScript.exe	31
PID 484 wrote to memory of 2496	484	WScript.exe	31
PID 2496 wrote to memory of 2784	2496	cmd.exe	33
PID 2496 wrote to memory of 2784	2496	cmd.exe	33
PID 2496 wrote to memory of 2784	2496	cmd.exe	33
PID 2496 wrote to memory of 2784	2496	cmd.exe	33
PID 2784 wrote to memory of 2104	2784	BlockDriverSession.exe	86
PID 2784 wrote to memory of 2104	2784	BlockDriverSession.exe	86
PID 2784 wrote to memory of 2104	2784	BlockDriverSession.exe	86
PID 2104 wrote to memory of 2364	2104	taskhost.exe	87
PID 2104 wrote to memory of 2364	2104	taskhost.exe	87
PID 2104 wrote to memory of 2364	2104	taskhost.exe	87
PID 2104 wrote to memory of 2992	2104	taskhost.exe	88
PID 2104 wrote to memory of 2992	2104	taskhost.exe	88
PID 2104 wrote to memory of 2992	2104	taskhost.exe	88

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BlockDriverSession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	BlockDriverSession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	BlockDriverSession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe
"C:\Users\Admin\AppData\Local\Temp\1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\PortcontainerNet\689nLuB8bn2MfB1X.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\PortcontainerNet\v4I4j8Sm1bgPdz1zcUPKHogshbK59.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\PortcontainerNet\BlockDriverSession.exe
      "C:\PortcontainerNet\BlockDriverSession.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2784
    - - C:\PortcontainerNet\taskhost.exe
        
        "C:\PortcontainerNet\taskhost.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2104
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f092d19c-19ae-48fd-a0e8-90452f575e9e.vbs"
        6⤵
        
        PID:2364
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12cdb309-d809-4f14-977d-2fcd7b6847f1.vbs"
        6⤵
        
        PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\IMETC10\HELP\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\IME\IMETC10\HELP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\IMETC10\HELP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\PortcontainerNet\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\PortcontainerNet\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\PortcontainerNet\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\bg-BG\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\bg-BG\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\bg-BG\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockDriverSessionB" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\BlockDriverSession.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockDriverSession" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\BlockDriverSession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockDriverSessionB" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\BlockDriverSession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\PortcontainerNet\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\PortcontainerNet\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\PortcontainerNet\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\es-ES\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\es-ES\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\PortcontainerNet\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\PortcontainerNet\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\PortcontainerNet\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\PortcontainerNet\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\PortcontainerNet\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\PortcontainerNet\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\My Documents\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\My Documents\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\My Documents\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortcontainerNet\689nLuB8bn2MfB1X.vbe

Filesize
222B

MD5
693d9c6861d414fe294aa5afe5ebafa5

SHA1
802c8230361a8559175dab6b0b7b0c3fbd91217b

SHA256
613897ff2e14835d03002a2abd9905741bba0076c1c23a4da21816973022caed

SHA512
4fc89eb7843c22bebe23a62790636dc372221c7ea8b809fe96ba2b4793404e09842900331744cfef452c150e898400d4ec913c56237784ab2c06db879e79eede

Download Submit
C:\PortcontainerNet\v4I4j8Sm1bgPdz1zcUPKHogshbK59.bat

Filesize
44B

MD5
d13a29bc38e9f486343083d8a6c168ce

SHA1
ad80f0d918fa7016ba370b54385c7ee9a3325563

SHA256
165c940029b467b8807d91b6cd04c7104e628c240b093addb32c46ce0528ad65

SHA512
c597c3c4156d636ff0b2685b06c6ba826707ea79f3fa5dbedca60633d2e67cf74bbabd79b4fded590fd3a574d87c6425d746aa681a4b74a25f6801493430ead2

Download Submit
C:\Users\Admin\AppData\Local\Temp\12cdb309-d809-4f14-977d-2fcd7b6847f1.vbs

Filesize
484B

MD5
0adb1366598d98ab9078193fae06535e

SHA1
477d1f7bb83947655ec86f7414904cd69ccf66a6

SHA256
2b90efcf20dadb627d1083f73195a6345baf8787a33d0ecb23c254640f052a4c

SHA512
0a2c2da2f97215f072380111e1e704f12cd34ea006b0ad45d848b308e4de798d583ec4e110c341c997efd7e5196b7a14fb0e796496b78306360cafc4351fe9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f092d19c-19ae-48fd-a0e8-90452f575e9e.vbs

Filesize
708B

MD5
a86b10ce8a84334dbbe8b2dc5cff0514

SHA1
d80b36a87b1062f4d13b8cc47c544b36d20353b2

SHA256
c2c9a1cdd84dfc87f6601ef695507e7b51a3c8e9a4478fb8c8acf7925d8229ec

SHA512
ff6e9fe40f4bb01457863e70d8f892068fe986f3a23aab19f373b3f37eee3401d825c7170e1542969a1640eaf788972a8dfc1600a256e1b25fafbd61345a0b9d

Download Submit
\PortcontainerNet\BlockDriverSession.exe

Filesize
2.6MB

MD5
b4bb6ddc5ea6bbc7acf0710e7b7e9ad1

SHA1
25deab2ab4314cae2ef04ad53af0537739ccdfbd

SHA256
4bda28228fbfd24639975586203401e0fbe6246d5cbcdd3607f18f1eae71c247

SHA512
a7ba1f53e1933b095fa40fefb20263198d4be93bc5157ddd649081b4fd19b003860df6785ae1783fca1f79610cc61341e0751abaa0c823bb9447ca04fb5139b3

Download Submit
memory/2104-68-0x0000000000C00000-0x0000000000EA6000-memory.dmp

Filesize
2.6MB

Download
memory/2784-20-0x0000000000B00000-0x0000000000B0A000-memory.dmp

Filesize
40KB

Download
memory/2784-23-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2784-18-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

Filesize
88KB

Download
memory/2784-19-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2784-16-0x0000000000AA0000-0x0000000000ABC000-memory.dmp

Filesize
112KB

Download
memory/2784-21-0x0000000000B10000-0x0000000000B66000-memory.dmp

Filesize
344KB

Download
memory/2784-22-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2784-17-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2784-24-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

Filesize
48KB

Download
memory/2784-25-0x0000000000EF0000-0x0000000000EFA000-memory.dmp

Filesize
40KB

Download
memory/2784-26-0x0000000000F00000-0x0000000000F0E000-memory.dmp

Filesize
56KB

Download
memory/2784-27-0x000000001AB40000-0x000000001AB4C000-memory.dmp

Filesize
48KB

Download
memory/2784-15-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/2784-14-0x00000000002B0000-0x00000000002BE000-memory.dmp

Filesize
56KB

Download
memory/2784-13-0x0000000000F10000-0x00000000011B6000-memory.dmp

Filesize
2.6MB

Download