dcrat | 557c665f347b5b329b2143090a260da91341dd87bbd989b33e79bd7d7367b331

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe
Size

2.9MB
MD5

785607a320f7338a45583ba5a4351cfc
SHA1

89ef702587884d38b07ebe0f7353e708d9569a62
SHA256

1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd
SHA512

045dd570ee1276be438381228e3aa69a14b8c91fdf9a0a20faf12c6ebb448aae18fac897b796075c09acb2af09190eadccbf6fa3a73bb94ad8675c2e3729a3e6
SSDEEP

49152:UbA30ZgGhRYDGAYWw3l1J6ubWTUxs0UNOQ/rPRDQNtSLOGRw+zNlrN:UbyvDMWUHJ6uoU+EQ/rS+OG+0N

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	1536	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1536	schtasks.exe	95

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BlockDriverSession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	BlockDriverSession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	BlockDriverSession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x00070000000234e6-10.dat	dcrat
behavioral2/memory/1576-13-0x0000000000DB0000-0x0000000001056000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	BlockDriverSession.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 2 IoCs

pid	Process
1576	BlockDriverSession.exe
624	SearchApp.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BlockDriverSession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BlockDriverSession.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\taskhostw.exe	BlockDriverSession.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ea9f0e6c9e2dcd	BlockDriverSession.exe
File created	C:\Program Files\Crashpad\reports\c82b8037eab33d	BlockDriverSession.exe
File created	C:\Program Files\Windows Media Player\fr-FR\c5b4cb5e9653cc	BlockDriverSession.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\5940a34987c991	BlockDriverSession.exe
File created	C:\Program Files\Common Files\38384e6a620884	BlockDriverSession.exe
File created	C:\Program Files\Crashpad\reports\WaaSMedicAgent.exe	BlockDriverSession.exe
File created	C:\Program Files\Windows Media Player\fr-FR\services.exe	BlockDriverSession.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe	BlockDriverSession.exe
File created	C:\Program Files\Common Files\SearchApp.exe	BlockDriverSession.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\pris\Registry.exe	BlockDriverSession.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\pris\ee2ad38f3d4382	BlockDriverSession.exe
File created	C:\Windows\System\Speech\wininit.exe	BlockDriverSession.exe
File created	C:\Windows\DigitalLocker\en-US\backgroundTaskHost.exe	BlockDriverSession.exe
File created	C:\Windows\DigitalLocker\en-US\eddb19405b7ce1	BlockDriverSession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3396	schtasks.exe
3576	schtasks.exe
3024	schtasks.exe
1456	schtasks.exe
2940	schtasks.exe
1712	schtasks.exe
5072	schtasks.exe
1068	schtasks.exe
3368	schtasks.exe
1992	schtasks.exe
4768	schtasks.exe
2080	schtasks.exe
3588	schtasks.exe
1720	schtasks.exe
4384	schtasks.exe
3336	schtasks.exe
2328	schtasks.exe
3536	schtasks.exe
2928	schtasks.exe
3708	schtasks.exe
1492	schtasks.exe
2688	schtasks.exe
4716	schtasks.exe
3556	schtasks.exe
4044	schtasks.exe
4340	schtasks.exe
752	schtasks.exe
2812	schtasks.exe
2508	schtasks.exe
3788	schtasks.exe
2888	schtasks.exe
1164	schtasks.exe
2884	schtasks.exe
2176	schtasks.exe
4320	schtasks.exe
4752	schtasks.exe
4168	schtasks.exe
4292	schtasks.exe
4880	schtasks.exe
628	schtasks.exe
5012	schtasks.exe
4452	schtasks.exe
5008	schtasks.exe
1168	schtasks.exe
964	schtasks.exe
3580	schtasks.exe
2196	schtasks.exe
1980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1576	BlockDriverSession.exe
1576	BlockDriverSession.exe
1576	BlockDriverSession.exe
1576	BlockDriverSession.exe
1576	BlockDriverSession.exe
1576	BlockDriverSession.exe
1576	BlockDriverSession.exe
1576	BlockDriverSession.exe
1576	BlockDriverSession.exe
624	SearchApp.exe
624	SearchApp.exe
624	SearchApp.exe
624	SearchApp.exe
624	SearchApp.exe
624	SearchApp.exe
624	SearchApp.exe
624	SearchApp.exe
624	SearchApp.exe
624	SearchApp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
624	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	BlockDriverSession.exe
Token: SeDebugPrivilege	624	SearchApp.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 1592	532	1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe	87
PID 532 wrote to memory of 1592	532	1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe	87
PID 532 wrote to memory of 1592	532	1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe	87
PID 1592 wrote to memory of 4636	1592	WScript.exe	91
PID 1592 wrote to memory of 4636	1592	WScript.exe	91
PID 1592 wrote to memory of 4636	1592	WScript.exe	91
PID 4636 wrote to memory of 1576	4636	cmd.exe	93
PID 4636 wrote to memory of 1576	4636	cmd.exe	93
PID 1576 wrote to memory of 624	1576	BlockDriverSession.exe	144
PID 1576 wrote to memory of 624	1576	BlockDriverSession.exe	144
PID 624 wrote to memory of 3612	624	SearchApp.exe	145
PID 624 wrote to memory of 3612	624	SearchApp.exe	145
PID 624 wrote to memory of 1332	624	SearchApp.exe	146
PID 624 wrote to memory of 1332	624	SearchApp.exe	146

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BlockDriverSession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	BlockDriverSession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	BlockDriverSession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe
"C:\Users\Admin\AppData\Local\Temp\1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\PortcontainerNet\689nLuB8bn2MfB1X.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\PortcontainerNet\v4I4j8Sm1bgPdz1zcUPKHogshbK59.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\PortcontainerNet\BlockDriverSession.exe
      "C:\PortcontainerNet\BlockDriverSession.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1576
    - - C:\Program Files\Common Files\SearchApp.exe
        
        "C:\Program Files\Common Files\SearchApp.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:624
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43c726c4-31c6-42e1-bc3c-16318eda0bc9.vbs"
        6⤵
        
        PID:3612
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d83547e-9060-43dc-b075-3750111d9ebc.vbs"
        6⤵
        
        PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\PortcontainerNet\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\PortcontainerNet\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\PortcontainerNet\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\PortcontainerNet\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PortcontainerNet\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\PortcontainerNet\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\PortcontainerNet\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\PortcontainerNet\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\PortcontainerNet\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\PortcontainerNet\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\PortcontainerNet\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\PortcontainerNet\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\reports\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\reports\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\pris\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\pris\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\pris\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Common Files\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortcontainerNet\689nLuB8bn2MfB1X.vbe

Filesize
222B

MD5
693d9c6861d414fe294aa5afe5ebafa5

SHA1
802c8230361a8559175dab6b0b7b0c3fbd91217b

SHA256
613897ff2e14835d03002a2abd9905741bba0076c1c23a4da21816973022caed

SHA512
4fc89eb7843c22bebe23a62790636dc372221c7ea8b809fe96ba2b4793404e09842900331744cfef452c150e898400d4ec913c56237784ab2c06db879e79eede

Download Submit
C:\PortcontainerNet\BlockDriverSession.exe

Filesize
2.6MB

MD5
b4bb6ddc5ea6bbc7acf0710e7b7e9ad1

SHA1
25deab2ab4314cae2ef04ad53af0537739ccdfbd

SHA256
4bda28228fbfd24639975586203401e0fbe6246d5cbcdd3607f18f1eae71c247

SHA512
a7ba1f53e1933b095fa40fefb20263198d4be93bc5157ddd649081b4fd19b003860df6785ae1783fca1f79610cc61341e0751abaa0c823bb9447ca04fb5139b3

Download Submit
C:\PortcontainerNet\v4I4j8Sm1bgPdz1zcUPKHogshbK59.bat

Filesize
44B

MD5
d13a29bc38e9f486343083d8a6c168ce

SHA1
ad80f0d918fa7016ba370b54385c7ee9a3325563

SHA256
165c940029b467b8807d91b6cd04c7104e628c240b093addb32c46ce0528ad65

SHA512
c597c3c4156d636ff0b2685b06c6ba826707ea79f3fa5dbedca60633d2e67cf74bbabd79b4fded590fd3a574d87c6425d746aa681a4b74a25f6801493430ead2

Download Submit
C:\Users\Admin\AppData\Local\Temp\43c726c4-31c6-42e1-bc3c-16318eda0bc9.vbs

Filesize
718B

MD5
736ff423bd8a14502cabd5485584a58c

SHA1
3646ae6c8053e51fc740f4e34b9cb34eb9186f4c

SHA256
54a8b33ec37d3cba66fca0447886d2072584e1db6f408cbf1b51e55f60f24b74

SHA512
be77a087370822833a2bdf7beca375b68833717af7c7a096d94946e9464821f26c5f298240f1fdc1174d5046102376565ae37122cc4d7155b9afe93249e97a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d83547e-9060-43dc-b075-3750111d9ebc.vbs

Filesize
495B

MD5
3c20f856444ce1927867aa289ca486ce

SHA1
280ea43820f44baba0368fb98bdac00403b1834c

SHA256
0f69a3c93c246b587ba4a5a40c8aeee522e0d5382682922e1b68487e8fc534b2

SHA512
4f84bb50b4bff679b3de2373497dd3f658dc83d7228076b63ab15d5d506237d83bfffaa525b6a0a6e12182b868e82c448110819ecc4eed80ffb5c1aabc40c5de

Download Submit
memory/624-81-0x000000001D170000-0x000000001D332000-memory.dmp

Filesize
1.8MB

Download
memory/1576-19-0x00000000031D0000-0x00000000031E6000-memory.dmp

Filesize
88KB

Download
memory/1576-24-0x000000001C2A0000-0x000000001C2A8000-memory.dmp

Filesize
32KB

Download
memory/1576-17-0x000000001C1F0000-0x000000001C240000-memory.dmp

Filesize
320KB

Download
memory/1576-18-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download
memory/1576-15-0x0000000003190000-0x000000000319E000-memory.dmp

Filesize
56KB

Download
memory/1576-20-0x00000000031F0000-0x00000000031F8000-memory.dmp

Filesize
32KB

Download
memory/1576-21-0x0000000003200000-0x000000000320A000-memory.dmp

Filesize
40KB

Download
memory/1576-22-0x000000001C240000-0x000000001C296000-memory.dmp

Filesize
344KB

Download
memory/1576-23-0x000000001C290000-0x000000001C29C000-memory.dmp

Filesize
48KB

Download
memory/1576-16-0x00000000031A0000-0x00000000031BC000-memory.dmp

Filesize
112KB

Download
memory/1576-25-0x000000001C3B0000-0x000000001C3BC000-memory.dmp

Filesize
48KB

Download
memory/1576-26-0x000000001C2B0000-0x000000001C2BA000-memory.dmp

Filesize
40KB

Download
memory/1576-27-0x000000001C2C0000-0x000000001C2CE000-memory.dmp

Filesize
56KB

Download
memory/1576-28-0x000000001C2D0000-0x000000001C2DC000-memory.dmp

Filesize
48KB

Download
memory/1576-14-0x0000000003130000-0x000000000313E000-memory.dmp

Filesize
56KB

Download
memory/1576-13-0x0000000000DB0000-0x0000000001056000-memory.dmp

Filesize
2.6MB

Download
memory/1576-12-0x00007FFC8B063000-0x00007FFC8B065000-memory.dmp

Filesize
8KB

Download