dcrat | 9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31-08-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B5DE23814A83134FCA7CE2DBC450AF36.exe
Size

2.0MB
MD5

b5de23814a83134fca7ce2dbc450af36
SHA1

b5592ad63cbc1706a66dbf7d4c9d833572ab1ecc
SHA256

9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35
SHA512

775b910fa2918ff3a49d75beb93b51a2f09ab7cf679dab6b1046b261962b2e35d0b326bea528d195fde52259ff1692b46659b9a64cc930e5f097d4abe5752c87
SSDEEP

49152:MnOpOCv0Z29PyAey5pV/ohTXY2H2mS5auQi0dGf1ecKxClrpHZ:tON+v5p2TXvWfUeEIR

Score

10^/10

dcrat njrat umbral xworm discovery evasion execution infostealer persistence privilege_escalation rat stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1276901959336595519/rnT2bUPlA6cH1e0gUJyRqEX6pBDNwefr13SwZvDBO14mTuQ8UwQDE9Xp0Hqk7Lk4A6UI

Extracted

Family

xworm

21.ip.gl.ply.gg:29567

Attributes

Install_directory
%Temp%
install_file
runtimebroken.exe

Signatures

DcRat 51 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2904	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtimebroken = "C:\\Users\\Admin\\AppData\\Local\\Temp\\runtimebroken.exe"		XClient.exe
		2356	schtasks.exe
		3036	schtasks.exe
		1188	schtasks.exe
		2684	schtasks.exe
		1332	schtasks.exe
		776	schtasks.exe
		2748	schtasks.exe
		2756	schtasks.exe
		2536	schtasks.exe
		2192	schtasks.exe
		2880	schtasks.exe
		1788	schtasks.exe
		2804	schtasks.exe
		1572	schtasks.exe
		1632	schtasks.exe
		2968	schtasks.exe
		980	schtasks.exe
		2284	schtasks.exe
		2416	schtasks.exe
		2812	schtasks.exe
		1796	schtasks.exe
		2844	schtasks.exe
		2992	schtasks.exe
		2916	schtasks.exe
		1284	schtasks.exe
		2912	schtasks.exe
		2080	schtasks.exe
		1608	schtasks.exe
		1172	schtasks.exe
		1944	schtasks.exe
		356	schtasks.exe
		912	schtasks.exe
		2440	schtasks.exe
		2984	schtasks.exe
		1676	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		B5DE23814A83134FCA7CE2DBC450AF36.exe
		2800	schtasks.exe
		2816	schtasks.exe
		1896	schtasks.exe
		2248	schtasks.exe
		1212	schtasks.exe
		1648	schtasks.exe
		600	schtasks.exe
		2704	schtasks.exe
		1456	schtasks.exe
		2152	schtasks.exe
		2036	schtasks.exe
		2976	schtasks.exe
		2932	schtasks.exe

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001227f-3.dat	family_umbral
behavioral1/memory/2568-45-0x0000000000BD0000-0x0000000000C10000-memory.dmp	family_umbral

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016ddf-10.dat	family_xworm
behavioral1/memory/2108-43-0x0000000000150000-0x000000000016A000-memory.dmp	family_xworm
behavioral1/memory/2496-142-0x0000000000830000-0x000000000084A000-memory.dmp	family_xworm
behavioral1/memory/2360-145-0x00000000003C0000-0x00000000003DA000-memory.dmp	family_xworm

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2664	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2664	schtasks.exe	36

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000175e4-31.dat	dcrat
behavioral1/files/0x00050000000193e6-88.dat	dcrat
behavioral1/memory/2540-89-0x0000000000960000-0x0000000000ADA000-memory.dmp	dcrat
behavioral1/memory/2168-138-0x0000000000240000-0x00000000003BA000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1424	powershell.exe
1540	powershell.exe
1132	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dUmbral.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2696	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroken.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroken.lnk	XClient.exe

Executes dropped EXE 10 IoCs

pid	Process
2568	dUmbral.exe
2108	XClient.exe
1188	sheetr.exe
1280	nbClient.exe
2756	DCRatBuild.exe
2204	WindowsServices.exe
2540	surrogatewin.exe
2168	PING.exe
2496	runtimebroken.exe
2360	runtimebroken.exe

Loads dropped DLL 8 IoCs

pid	Process
2476	B5DE23814A83134FCA7CE2DBC450AF36.exe
2476	B5DE23814A83134FCA7CE2DBC450AF36.exe
2476	B5DE23814A83134FCA7CE2DBC450AF36.exe
2476	B5DE23814A83134FCA7CE2DBC450AF36.exe
2476	B5DE23814A83134FCA7CE2DBC450AF36.exe
1280	nbClient.exe
900	cmd.exe
900	cmd.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtimebroken = "C:\\Users\\Admin\\AppData\\Local\\Temp\\runtimebroken.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\d21edb049c65ebaba2de22a974b4ef03 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .."	WindowsServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d21edb049c65ebaba2de22a974b4ef03 = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .."	WindowsServices.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\088424020bedd6	surrogatewin.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\audiodg.exe	surrogatewin.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\42af1c969fbb7b	surrogatewin.exe
File created	C:\Program Files (x86)\Windows Portable Devices\winlogon.exe	surrogatewin.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	surrogatewin.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe	surrogatewin.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\conhost.exe	surrogatewin.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\101b941d020240	surrogatewin.exe
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	surrogatewin.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\886983d96e3d3e	surrogatewin.exe
File created	C:\Program Files (x86)\Windows Portable Devices\cc11b995f2a76d	surrogatewin.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe	surrogatewin.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\dllhost.exe	surrogatewin.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\5940a34987c991	surrogatewin.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\assembly\csrss.exe	surrogatewin.exe
File created	C:\Windows\assembly\886983d96e3d3e	surrogatewin.exe
File created	C:\Windows\Panther\actionqueue\cmd.exe	surrogatewin.exe
File created	C:\Windows\Panther\actionqueue\ebf1f9fa8afd6d	surrogatewin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B5DE23814A83134FCA7CE2DBC450AF36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsServices.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1128	cmd.exe
1748	PING.EXE
2168	PING.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1680	wmic.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2168	PING.exe
1748	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 49 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1284	schtasks.exe
912	schtasks.exe
2416	schtasks.exe
2804	schtasks.exe
1188	schtasks.exe
776	schtasks.exe
3036	schtasks.exe
2748	schtasks.exe
1788	schtasks.exe
1212	schtasks.exe
2968	schtasks.exe
2916	schtasks.exe
2080	schtasks.exe
600	schtasks.exe
1332	schtasks.exe
2536	schtasks.exe
1796	schtasks.exe
2284	schtasks.exe
1632	schtasks.exe
1608	schtasks.exe
2984	schtasks.exe
2976	schtasks.exe
2800	schtasks.exe
2192	schtasks.exe
1456	schtasks.exe
980	schtasks.exe
1676	schtasks.exe
2904	schtasks.exe
2684	schtasks.exe
2912	schtasks.exe
2152	schtasks.exe
2812	schtasks.exe
1896	schtasks.exe
1648	schtasks.exe
2816	schtasks.exe
2036	schtasks.exe
2248	schtasks.exe
1944	schtasks.exe
2844	schtasks.exe
2756	schtasks.exe
2440	schtasks.exe
2704	schtasks.exe
1572	schtasks.exe
2992	schtasks.exe
2880	schtasks.exe
2356	schtasks.exe
1172	schtasks.exe
2932	schtasks.exe
356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2568	dUmbral.exe
1424	powershell.exe
1540	powershell.exe
2108	XClient.exe
1132	powershell.exe
2540	surrogatewin.exe
2168	PING.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	XClient.exe
Token: SeDebugPrivilege	2568	dUmbral.exe
Token: SeIncreaseQuotaPrivilege	620	wmic.exe
Token: SeSecurityPrivilege	620	wmic.exe
Token: SeTakeOwnershipPrivilege	620	wmic.exe
Token: SeLoadDriverPrivilege	620	wmic.exe
Token: SeSystemProfilePrivilege	620	wmic.exe
Token: SeSystemtimePrivilege	620	wmic.exe
Token: SeProfSingleProcessPrivilege	620	wmic.exe
Token: SeIncBasePriorityPrivilege	620	wmic.exe
Token: SeCreatePagefilePrivilege	620	wmic.exe
Token: SeBackupPrivilege	620	wmic.exe
Token: SeRestorePrivilege	620	wmic.exe
Token: SeShutdownPrivilege	620	wmic.exe
Token: SeDebugPrivilege	620	wmic.exe
Token: SeSystemEnvironmentPrivilege	620	wmic.exe
Token: SeRemoteShutdownPrivilege	620	wmic.exe
Token: SeUndockPrivilege	620	wmic.exe
Token: SeManageVolumePrivilege	620	wmic.exe
Token: 33	620	wmic.exe
Token: 34	620	wmic.exe
Token: 35	620	wmic.exe
Token: SeIncreaseQuotaPrivilege	620	wmic.exe
Token: SeSecurityPrivilege	620	wmic.exe
Token: SeTakeOwnershipPrivilege	620	wmic.exe
Token: SeLoadDriverPrivilege	620	wmic.exe
Token: SeSystemProfilePrivilege	620	wmic.exe
Token: SeSystemtimePrivilege	620	wmic.exe
Token: SeProfSingleProcessPrivilege	620	wmic.exe
Token: SeIncBasePriorityPrivilege	620	wmic.exe
Token: SeCreatePagefilePrivilege	620	wmic.exe
Token: SeBackupPrivilege	620	wmic.exe
Token: SeRestorePrivilege	620	wmic.exe
Token: SeShutdownPrivilege	620	wmic.exe
Token: SeDebugPrivilege	620	wmic.exe
Token: SeSystemEnvironmentPrivilege	620	wmic.exe
Token: SeRemoteShutdownPrivilege	620	wmic.exe
Token: SeUndockPrivilege	620	wmic.exe
Token: SeManageVolumePrivilege	620	wmic.exe
Token: 33	620	wmic.exe
Token: 34	620	wmic.exe
Token: 35	620	wmic.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2108	XClient.exe
Token: SeIncreaseQuotaPrivilege	2336	wmic.exe
Token: SeSecurityPrivilege	2336	wmic.exe
Token: SeTakeOwnershipPrivilege	2336	wmic.exe
Token: SeLoadDriverPrivilege	2336	wmic.exe
Token: SeSystemProfilePrivilege	2336	wmic.exe
Token: SeSystemtimePrivilege	2336	wmic.exe
Token: SeProfSingleProcessPrivilege	2336	wmic.exe
Token: SeIncBasePriorityPrivilege	2336	wmic.exe
Token: SeCreatePagefilePrivilege	2336	wmic.exe
Token: SeBackupPrivilege	2336	wmic.exe
Token: SeRestorePrivilege	2336	wmic.exe
Token: SeShutdownPrivilege	2336	wmic.exe
Token: SeDebugPrivilege	2336	wmic.exe
Token: SeSystemEnvironmentPrivilege	2336	wmic.exe
Token: SeRemoteShutdownPrivilege	2336	wmic.exe
Token: SeUndockPrivilege	2336	wmic.exe
Token: SeManageVolumePrivilege	2336	wmic.exe
Token: 33	2336	wmic.exe
Token: 34	2336	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2108	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2568	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	30
PID 2476 wrote to memory of 2568	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	30
PID 2476 wrote to memory of 2568	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	30
PID 2476 wrote to memory of 2568	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	30
PID 2476 wrote to memory of 2108	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	31
PID 2476 wrote to memory of 2108	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	31
PID 2476 wrote to memory of 2108	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	31
PID 2476 wrote to memory of 2108	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	31
PID 2476 wrote to memory of 1188	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	32
PID 2476 wrote to memory of 1188	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	32
PID 2476 wrote to memory of 1188	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	32
PID 2476 wrote to memory of 1188	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	32
PID 2476 wrote to memory of 1280	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	33
PID 2476 wrote to memory of 1280	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	33
PID 2476 wrote to memory of 1280	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	33
PID 2476 wrote to memory of 1280	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	33
PID 2476 wrote to memory of 2756	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	34
PID 2476 wrote to memory of 2756	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	34
PID 2476 wrote to memory of 2756	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	34
PID 2476 wrote to memory of 2756	2476	B5DE23814A83134FCA7CE2DBC450AF36.exe	34
PID 2756 wrote to memory of 2636	2756	DCRatBuild.exe	35
PID 2756 wrote to memory of 2636	2756	DCRatBuild.exe	35
PID 2756 wrote to memory of 2636	2756	DCRatBuild.exe	35
PID 2756 wrote to memory of 2636	2756	DCRatBuild.exe	35
PID 2568 wrote to memory of 620	2568	dUmbral.exe	37
PID 2568 wrote to memory of 620	2568	dUmbral.exe	37
PID 2568 wrote to memory of 620	2568	dUmbral.exe	37
PID 2568 wrote to memory of 1584	2568	dUmbral.exe	39
PID 2568 wrote to memory of 1584	2568	dUmbral.exe	39
PID 2568 wrote to memory of 1584	2568	dUmbral.exe	39
PID 2568 wrote to memory of 1424	2568	dUmbral.exe	41
PID 2568 wrote to memory of 1424	2568	dUmbral.exe	41
PID 2568 wrote to memory of 1424	2568	dUmbral.exe	41
PID 2568 wrote to memory of 1540	2568	dUmbral.exe	43
PID 2568 wrote to memory of 1540	2568	dUmbral.exe	43
PID 2568 wrote to memory of 1540	2568	dUmbral.exe	43
PID 2108 wrote to memory of 2904	2108	XClient.exe	45
PID 2108 wrote to memory of 2904	2108	XClient.exe	45
PID 2108 wrote to memory of 2904	2108	XClient.exe	45
PID 2568 wrote to memory of 2336	2568	dUmbral.exe	47
PID 2568 wrote to memory of 2336	2568	dUmbral.exe	47
PID 2568 wrote to memory of 2336	2568	dUmbral.exe	47
PID 2568 wrote to memory of 1556	2568	dUmbral.exe	49
PID 2568 wrote to memory of 1556	2568	dUmbral.exe	49
PID 2568 wrote to memory of 1556	2568	dUmbral.exe	49
PID 2568 wrote to memory of 1780	2568	dUmbral.exe	51
PID 2568 wrote to memory of 1780	2568	dUmbral.exe	51
PID 2568 wrote to memory of 1780	2568	dUmbral.exe	51
PID 2568 wrote to memory of 1132	2568	dUmbral.exe	53
PID 2568 wrote to memory of 1132	2568	dUmbral.exe	53
PID 2568 wrote to memory of 1132	2568	dUmbral.exe	53
PID 2568 wrote to memory of 1680	2568	dUmbral.exe	55
PID 2568 wrote to memory of 1680	2568	dUmbral.exe	55
PID 2568 wrote to memory of 1680	2568	dUmbral.exe	55
PID 2568 wrote to memory of 1128	2568	dUmbral.exe	57
PID 2568 wrote to memory of 1128	2568	dUmbral.exe	57
PID 2568 wrote to memory of 1128	2568	dUmbral.exe	57
PID 1128 wrote to memory of 1748	1128	cmd.exe	59
PID 1128 wrote to memory of 1748	1128	cmd.exe	59
PID 1128 wrote to memory of 1748	1128	cmd.exe	59
PID 2636 wrote to memory of 900	2636	WScript.exe	60
PID 2636 wrote to memory of 900	2636	WScript.exe	60
PID 2636 wrote to memory of 900	2636	WScript.exe	60
PID 2636 wrote to memory of 900	2636	WScript.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1584	attrib.exe

C:\Users\Admin\AppData\Local\Temp\B5DE23814A83134FCA7CE2DBC450AF36.exe
"C:\Users\Admin\AppData\Local\Temp\B5DE23814A83134FCA7CE2DBC450AF36.exe"
1⤵
- DcRat
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\dUmbral.exe
  "C:\Users\Admin\AppData\Local\Temp\dUmbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:620
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dUmbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:1584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dUmbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1556
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1132
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1680
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dUmbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1748
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - DcRat
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "runtimebroken" /tr "C:\Users\Admin\AppData\Local\Temp\runtimebroken.exe"
    3⤵
    - DcRat
    - Scheduled Task/Job: Scheduled Task
    PID:2904
- C:\Users\Admin\AppData\Local\Temp\sheetr.exe
  "C:\Users\Admin\AppData\Local\Temp\sheetr.exe"
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Users\Admin\AppData\Local\Temp\nbClient.exe
  "C:\Users\Admin\AppData\Local\Temp\nbClient.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1280
- - C:\Users\Admin\AppData\Roaming\WindowsServices.exe
    "C:\Users\Admin\AppData\Roaming\WindowsServices.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2204
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2696
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bridgehypercomponentref\5wuflk5eGDg0JiUtQB.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\bridgehypercomponentref\zjek1GJ52LhRCMyRfAhZF9WxGZ.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:900
    - - C:\Users\Admin\AppData\Local\Temp\bridgehypercomponentref\surrogatewin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bridgehypercomponentref\surrogatewin.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2540
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\psUFO4ooDf.bat"
        6⤵
        
        PID:1500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2392
        
        C:\Users\Default User\PING.exe
        
        "C:\Users\Default User\PING.exe"
        7⤵
        Executes dropped EXE
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        Suspicious behavior: EnumeratesProcesses
        
        PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PINGP" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\PING.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PING" /sc ONLOGON /tr "'C:\Users\Default User\PING.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PINGP" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\PING.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\Roaming\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\Roaming\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\2d53f482-3d8b-11ef-b05d-f2a3cf4ad94f\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\2d53f482-3d8b-11ef-b05d-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\2d53f482-3d8b-11ef-b05d-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\assembly\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\actionqueue\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Updater6\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Updater6\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\taskeng.exe
taskeng.exe {FC3CB583-C9AE-434A-9BDF-4CECA54806F2} S-1-5-21-940600906-3464502421-4240639183-1000:MGWWAYYN\Admin:Interactive:[1]
1⤵
PID:2880
- C:\Users\Admin\AppData\Local\Temp\runtimebroken.exe
  C:\Users\Admin\AppData\Local\Temp\runtimebroken.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\runtimebroken.exe
  C:\Users\Admin\AppData\Local\Temp\runtimebroken.exe
  2⤵
  - Executes dropped EXE
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bridgehypercomponentref\5wuflk5eGDg0JiUtQB.vbe

Filesize
230B

MD5
fb88e36782a5f55e36e02ff67da91cea

SHA1
a0fc273d88ade34a1da708ad049cc6ff0d94a940

SHA256
786d99584ff3356774ebbeb9cf60c0e926ef26fc8b673d771f774b7494fb11f6

SHA512
bc80fcc246a047f289cf714d13ff5a5ec00eae0583c597b666b06c9a5240c6b30f85415efc318af2e6406da98d37b4b344cc2c9f9e264948a822f3ad65a25f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\bridgehypercomponentref\surrogatewin.exe

Filesize
1.4MB

MD5
20e7cb182292241f014bf6db7f6d66cb

SHA1
a79831502d62923c432e6af1a57922110a51cfb9

SHA256
6de0eaace2e3dbab84cffb0bca1f4a6ceffff3f365d5c22e76ebe36adbd3bfc7

SHA512
6c0d2c73e219cc256c4ef03a00afedd9183442ccdb5d2758eae9f537ac0df1118b287170ec7fabab16785eac256216e481576383d144b5a160ff6978a765697e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bridgehypercomponentref\zjek1GJ52LhRCMyRfAhZF9WxGZ.bat

Filesize
49B

MD5
62da6e82dd863cf101ddefb852179c91

SHA1
3746be98f65363f882ade790b0c01be1b567eb94

SHA256
7aead51c224afd6a0cf70e0ce00d776de2689818a5b2725539f184feadf84dcf

SHA512
15862e2179b250fdf1f1d7c98c2d7859076d733598675ded5e0def5aa36c44062acae71c22a52ce500329da1dc5e3860d474bb9dca60d6b476bf2005fefc4d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbClient.exe

Filesize
159KB

MD5
e549fad14348aca3370ada071cec4caa

SHA1
294999dde4423250a1a71d7f2645712b6c2506a5

SHA256
252b5235a50cc20edad06dc4e1f9befbac3f446a7f2b61994655430c9b89484f

SHA512
6addaf79cb078f34076d9b0a55ed672dc54f0d756d237a0c3eaed218ab037a1f888fda10515b356c39db492aa21ad7f10de7f694ffd42aa2b4d45bd7d15b98ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\psUFO4ooDf.bat

Filesize
195B

MD5
5118259333069680f2b728e9e150027a

SHA1
989c80ee1ec2a3ef439014480b86d7bb7267f27b

SHA256
4d0d1427db6759dee5fbce22a357036ef20edd5d2cee3ef93c960d8334efdb47

SHA512
c32d2f7851e2b81f1f1f7bebf16e72c13d9d3b041d9e0b67898f6950a2ad2dea92fc90d1efd03145c6fdd607219e9fbaecb4af0b6fcb90fa0c0f5499ea3ef0e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dffe8acdd529a409298683dc794a0f2e

SHA1
4ad4f4d7cad4df9fdcb36715fa129dd826621de6

SHA256
8e446923164de5e2359ed94267d82f12d80706f4ce12d042ad740f823db4afa5

SHA512
111cf6d3581b26925118f214762da72aef5f210da2245e18348d2e918d04f2b19312054675099b21c6edcf2b6f89d36a49e7a5bd5cfa068cf0e509ce357f18c1

Download Submit
\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
1.7MB

MD5
4296d05b7cbc2a5434fcbce0b223207a

SHA1
b9722fc0b88992a694ba9fda339589290e43c02e

SHA256
c8e0942be2254be75620a9985347888f94a848a238f6c1558848b42bc1d381f1

SHA512
0413160847169ebf9ddaa5081d1f5a0a6c04428186a8265151c81bd8ecc01dc4a80631de21a40acf03d53b90919331d6a15450476baeaa2f0b70a0857c464f04

Download Submit
\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
75KB

MD5
462b4ff944b4c0a49a599bbf9b14ef07

SHA1
ca336da45ccfabe9768a91a1e86a3addd42855ac

SHA256
69c75fcc62bba3cdbfad6e0851fa249eb7ae0fbe1c50b16507dbb0573a2d6ae7

SHA512
64ca6271d23c0875abbecdf84d24d1b95387f54fd7e94396b537a32d0c400efe26af293f7aac519111bf2a7c87cd8b1bc57ee7f7bf12baa5f1fdf2991dd7986c

Download Submit
\Users\Admin\AppData\Local\Temp\dUmbral.exe

Filesize
232KB

MD5
4867d27de23cded5f2229c322bf6f3fe

SHA1
04cd16ac5d6a2f5b7bc1db8cdefd128d0f6c2fe1

SHA256
94357a5e0e0d52490a07fffd0a8940f7ffdf25acb16602d83120fc99722f88eb

SHA512
b7ced6d7a420c55813388755d765a015cb65c6393cdeffaff4be6cb7c00845434161a3282ce7d316800da42766d9c309487dc2e96b74340f47b20032632f8909

Download Submit
\Users\Admin\AppData\Local\Temp\sheetr.exe

Filesize
516KB

MD5
bb854fb457e4782e20586b2e873cc76e

SHA1
057f10ed64625edb33d95f6100096f9637ee1b15

SHA256
0785e1f0d682986903eed2d98b82c1e9eef3cf6592d584bf5024f54f50c83c42

SHA512
d90d1a26cc0d8e064e7f642f34b306b7cd299f5b6dd160d61e016d8448241c4ae0ce9382d477f8301c2205a2bd31a187f7ea5fdc4f149086b031bed715460524

Download Submit
memory/1132-74-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/1188-44-0x0000000000150000-0x00000000001D8000-memory.dmp

Filesize
544KB

Download
memory/1424-52-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1424-53-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1540-60-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/1540-59-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2108-43-0x0000000000150000-0x000000000016A000-memory.dmp

Filesize
104KB

Download
memory/2168-138-0x0000000000240000-0x00000000003BA000-memory.dmp

Filesize
1.5MB

Download
memory/2360-145-0x00000000003C0000-0x00000000003DA000-memory.dmp

Filesize
104KB

Download
memory/2496-142-0x0000000000830000-0x000000000084A000-memory.dmp

Filesize
104KB

Download
memory/2540-95-0x00000000020E0000-0x00000000020EC000-memory.dmp

Filesize
48KB

Download
memory/2540-93-0x00000000020A0000-0x00000000020AC000-memory.dmp

Filesize
48KB

Download
memory/2540-94-0x00000000020B0000-0x00000000020C2000-memory.dmp

Filesize
72KB

Download
memory/2540-89-0x0000000000960000-0x0000000000ADA000-memory.dmp

Filesize
1.5MB

Download
memory/2540-96-0x0000000002170000-0x000000000217E000-memory.dmp

Filesize
56KB

Download
memory/2540-97-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download
memory/2540-91-0x0000000002070000-0x0000000002086000-memory.dmp

Filesize
88KB

Download
memory/2540-92-0x0000000002090000-0x0000000002098000-memory.dmp

Filesize
32KB

Download
memory/2540-90-0x0000000000920000-0x000000000093C000-memory.dmp

Filesize
112KB

Download
memory/2568-45-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download