dcrat | 80446e16d616fee4a8ffeef94f2dc1f5737435d07a111de9622f13a98a5f196e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe
Size

745KB
MD5

5e82f4a00b31da2ecd210a7c7575e29d
SHA1

518e5f78b256ee794ebbc8f96275993a9252be23
SHA256

80446e16d616fee4a8ffeef94f2dc1f5737435d07a111de9622f13a98a5f196e
SHA512

5f794743493acff89407966cdc2b3df386389d90f2468ec5a32c4df2a2ba6dfddea60886ab14a6e9a1b4ddc173989278e2c7397d430aea8c01297b40d782a900
SSDEEP

12288:sBpoIY///1UFxJF80IsoBVnsNxd2LFErkUzw2jtQsnmeTRf7qrc5PPjr21tM/7nf:ZIY/4FcHG/MnUzVhmMRfG4lLr2M/T

Score

10^/10

dcrat njrat hacked discovery evasion infostealer rat trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

thomas-drops.gl.at.ply.gg:45773

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

DcRat 60 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		5108	schtasks.exe
		4248	schtasks.exe
		3004	schtasks.exe
		2952	schtasks.exe
File created	C:\Windows\TAPI\ebf1f9fa8afd6d		reviewdriver.exe
		3140	schtasks.exe
		4012	schtasks.exe
		3676	schtasks.exe
		2804	schtasks.exe
		1300	schtasks.exe
		724	schtasks.exe
		3656	schtasks.exe
		4392	schtasks.exe
		4952	schtasks.exe
		4576	schtasks.exe
		3776	schtasks.exe
		3440	schtasks.exe
		2148	schtasks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation		АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe
		3684	schtasks.exe
		5028	schtasks.exe
		948	schtasks.exe
		2228	schtasks.exe
		3744	schtasks.exe
		220	schtasks.exe
		4372	schtasks.exe
		3184	schtasks.exe
		1940	schtasks.exe
		4264	schtasks.exe
		3824	schtasks.exe
		1744	schtasks.exe
		1744	schtasks.exe
		1184	schtasks.exe
		2288	schtasks.exe
		3068	schtasks.exe
		1900	schtasks.exe
		2120	schtasks.exe
		4836	schtasks.exe
		3224	schtasks.exe
		4964	schtasks.exe
		5092	schtasks.exe
		2736	schtasks.exe
		4532	schtasks.exe
		1132	schtasks.exe
		3432	schtasks.exe
		720	schtasks.exe
		4204	schtasks.exe
		3748	schtasks.exe
File created	C:\Program Files (x86)\Internet Explorer\images\ea9f0e6c9e2dcd		reviewdriver.exe
		4408	schtasks.exe
		888	schtasks.exe
		3268	schtasks.exe
		2144	schtasks.exe
		1936	schtasks.exe
		3712	schtasks.exe
		552	schtasks.exe
		628	schtasks.exe
		836	schtasks.exe
		4088	schtasks.exe
		2920	schtasks.exe

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1344	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1344	schtasks.exe	93

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reviewdriver.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/files/0x000800000001e52a-6.dat	dcrat
behavioral3/files/0x000a000000023494-37.dat	dcrat
behavioral3/memory/2196-39-0x0000000000FF0000-0x00000000010E4000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	reviewdriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	reviewdriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	gggg.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Server.exe

Executes dropped EXE 5 IoCs

pid	Process
5068	gggg.exe
972	Server.exe
2196	reviewdriver.exe
1000	reviewdriver.exe
4060	taskhostw.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdriver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdriver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe	reviewdriver.exe
File created	C:\Program Files\Common Files\DESIGNER\ea1d8f6d871115	reviewdriver.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\786bd863e8d80c	reviewdriver.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\ea9f0e6c9e2dcd	reviewdriver.exe
File created	C:\Program Files (x86)\Common Files\Services\e1ef82546f0b02	reviewdriver.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\5b884080fd4f94	reviewdriver.exe
File created	C:\Program Files\Common Files\DESIGNER\upfc.exe	reviewdriver.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\upfc.exe	reviewdriver.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\Server.exe	reviewdriver.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\WaaSMedicAgent.exe	reviewdriver.exe
File created	C:\Program Files\dotnet\9e8d7a4ca61bd9	reviewdriver.exe
File created	C:\Program Files\dotnet\RuntimeBroker.exe	reviewdriver.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\27d1bcfc3c54e0	reviewdriver.exe
File created	C:\Program Files (x86)\Internet Explorer\images\taskhostw.exe	reviewdriver.exe
File created	C:\Program Files (x86)\Internet Explorer\images\ea9f0e6c9e2dcd	reviewdriver.exe
File created	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	reviewdriver.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\taskhostw.exe	reviewdriver.exe
File created	C:\Program Files (x86)\Common Files\Services\SppExtComObj.exe	reviewdriver.exe
File created	C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9	reviewdriver.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\c82b8037eab33d	reviewdriver.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\fontdrvhost.exe	reviewdriver.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\ea1d8f6d871115	reviewdriver.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\System.exe	reviewdriver.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe	reviewdriver.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\886983d96e3d3e	reviewdriver.exe
File created	C:\Windows\Provisioning\Packages\sysmon.exe	reviewdriver.exe
File created	C:\Windows\Provisioning\Packages\121e5b5079f7c0	reviewdriver.exe
File created	C:\Windows\TAPI\cmd.exe	reviewdriver.exe
File created	C:\Windows\TAPI\ebf1f9fa8afd6d	reviewdriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gggg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	gggg.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	reviewdriver.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	taskhostw.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1744	schtasks.exe
1936	schtasks.exe
2288	schtasks.exe
3712	schtasks.exe
2920	schtasks.exe
2804	schtasks.exe
4408	schtasks.exe
3748	schtasks.exe
2120	schtasks.exe
3140	schtasks.exe
3776	schtasks.exe
1940	schtasks.exe
720	schtasks.exe
948	schtasks.exe
5108	schtasks.exe
4952	schtasks.exe
3684	schtasks.exe
724	schtasks.exe
5092	schtasks.exe
2736	schtasks.exe
220	schtasks.exe
4204	schtasks.exe
3068	schtasks.exe
1900	schtasks.exe
3824	schtasks.exe
1744	schtasks.exe
836	schtasks.exe
3184	schtasks.exe
3004	schtasks.exe
1300	schtasks.exe
2228	schtasks.exe
3224	schtasks.exe
1184	schtasks.exe
2952	schtasks.exe
3440	schtasks.exe
3432	schtasks.exe
3744	schtasks.exe
4012	schtasks.exe
4576	schtasks.exe
4372	schtasks.exe
4392	schtasks.exe
552	schtasks.exe
5028	schtasks.exe
3268	schtasks.exe
4264	schtasks.exe
3676	schtasks.exe
4836	schtasks.exe
4532	schtasks.exe
628	schtasks.exe
3656	schtasks.exe
2148	schtasks.exe
888	schtasks.exe
4088	schtasks.exe
1132	schtasks.exe
2144	schtasks.exe
4964	schtasks.exe
4248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2196	reviewdriver.exe
2196	reviewdriver.exe
2196	reviewdriver.exe
2196	reviewdriver.exe
2196	reviewdriver.exe
2196	reviewdriver.exe
2196	reviewdriver.exe
2196	reviewdriver.exe
2196	reviewdriver.exe
2196	reviewdriver.exe
1000	reviewdriver.exe
1000	reviewdriver.exe
1000	reviewdriver.exe
1000	reviewdriver.exe
1000	reviewdriver.exe
1000	reviewdriver.exe
1000	reviewdriver.exe
4060	taskhostw.exe
4060	taskhostw.exe
4060	taskhostw.exe
4060	taskhostw.exe
4060	taskhostw.exe
4060	taskhostw.exe
4060	taskhostw.exe
4060	taskhostw.exe
4060	taskhostw.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
972	Server.exe
4060	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	reviewdriver.exe
Token: SeDebugPrivilege	1000	reviewdriver.exe
Token: SeDebugPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: SeDebugPrivilege	4060	taskhostw.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe
Token: 33	972	Server.exe
Token: SeIncBasePriorityPrivilege	972	Server.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 5068	400	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	87
PID 400 wrote to memory of 5068	400	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	87
PID 400 wrote to memory of 5068	400	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	87
PID 400 wrote to memory of 972	400	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	88
PID 400 wrote to memory of 972	400	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	88
PID 400 wrote to memory of 972	400	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	88
PID 5068 wrote to memory of 2992	5068	gggg.exe	89
PID 5068 wrote to memory of 2992	5068	gggg.exe	89
PID 5068 wrote to memory of 2992	5068	gggg.exe	89
PID 2992 wrote to memory of 1172	2992	WScript.exe	94
PID 2992 wrote to memory of 1172	2992	WScript.exe	94
PID 2992 wrote to memory of 1172	2992	WScript.exe	94
PID 1172 wrote to memory of 2196	1172	cmd.exe	96
PID 1172 wrote to memory of 2196	1172	cmd.exe	96
PID 2196 wrote to memory of 748	2196	reviewdriver.exe	112
PID 2196 wrote to memory of 748	2196	reviewdriver.exe	112
PID 748 wrote to memory of 3172	748	cmd.exe	115
PID 748 wrote to memory of 3172	748	cmd.exe	115
PID 748 wrote to memory of 1000	748	cmd.exe	118
PID 748 wrote to memory of 1000	748	cmd.exe	118
PID 1000 wrote to memory of 4060	1000	reviewdriver.exe	161
PID 1000 wrote to memory of 4060	1000	reviewdriver.exe	161
PID 4060 wrote to memory of 3144	4060	taskhostw.exe	162
PID 4060 wrote to memory of 3144	4060	taskhostw.exe	162
PID 4060 wrote to memory of 2276	4060	taskhostw.exe	163
PID 4060 wrote to memory of 2276	4060	taskhostw.exe	163

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe
"C:\Users\Admin\AppData\Local\Temp\АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe"
1⤵
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\gggg.exe
  "C:\Users\Admin\AppData\Local\Temp\gggg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ChainComponentBrowserwin\zJJP8u9NRTk6u.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ChainComponentBrowserwin\ZckenFSJPCIUJWjfI5CZYMEmaPZVg.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\ChainComponentBrowserwin\reviewdriver.exe
        
        "C:\ChainComponentBrowserwin\reviewdriver.exe"
        5⤵
        DcRat
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRAp4BHdTQ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3172
        
        C:\ChainComponentBrowserwin\reviewdriver.exe
        
        "C:\ChainComponentBrowserwin\reviewdriver.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1000
        
        C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\taskhostw.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\taskhostw.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e7d9245-30e0-4eea-a670-c3aa8961fa09.vbs"
        9⤵
        
        PID:3144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6337e5c6-9eca-4326-b7d3-b7a893a3c8d1.vbs"
        9⤵
        
        PID:2276
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\ChainComponentBrowserwin\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ChainComponentBrowserwin\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\ChainComponentBrowserwin\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\TAPI\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Searches\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\images\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\images\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\DESIGNER\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Server.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Server" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Server.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Server.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\WaaSMedicAgent.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Services\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\Provisioning\Packages\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\Packages\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainComponentBrowserwin\ZckenFSJPCIUJWjfI5CZYMEmaPZVg.bat

Filesize
46B

MD5
3e83fda43f1932bb71d930d2f89e68b2

SHA1
1fa2f89990c21a7f0eebfbf06f7064c19e46b081

SHA256
ecb36758516d13f656baac1a37f3af9dd3e683e8aab3847d65bb82c9eb05cb51

SHA512
d6efea92b244d10f5a0e2b228782cc7e1b45fcf262dcc7ea709a9ab8fa458b2e8d3e3bfa4cdf4a4852812d01bb9ff1c7bba65abbe62527e5a84e5b3b15f8ea9b

Download Submit
C:\ChainComponentBrowserwin\reviewdriver.exe

Filesize
948KB

MD5
2e2c059f61338c40914c10d40502e57e

SHA1
e6cb5a1ffdf369b3135c72ab12d71cc3d5f2b053

SHA256
8e4df816223a625bf911553d5f80219f81fc44f07ba98c95f379fd12169c2918

SHA512
1b1f2dae55f50874532b37ad4ab74a54452f65d7499004b37b0afc3dc2c1d16d66a0e41c1733ac1f4cff9993325d32ea714b441c06ba4eba350136835c746d3e

Download Submit
C:\ChainComponentBrowserwin\zJJP8u9NRTk6u.vbe

Filesize
230B

MD5
b9b72befe720ec640eb23938f752a453

SHA1
c621298c3cfac9aa9c5cdfebd5efa0a1b01c7b34

SHA256
bddc35ffa29cfc10fc39778a551335781091aec61771943662e66cdf4c4a07ad

SHA512
4d119e2aba40fe14d624690103d08620369eeeb0a922a3091027a7cf90597db7d491653ed356eb85a45104bdcbd3eb5876e5c4c508ed85d0e235d71a65578f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\reviewdriver.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\6337e5c6-9eca-4326-b7d3-b7a893a3c8d1.vbs

Filesize
527B

MD5
34ea664a6a012abe40cb2630e1a0f36e

SHA1
d66f8599fc1074001cdb63fbb1146132f082ea54

SHA256
f288a95cc8af47560c3f9edfadb8ee9c4afd55a504d442c158a1bf911f1f7a64

SHA512
082bc4f1990d67e867620512f761b6ac955ca978b1e370d5e4b2e62e77536412883d072cb4948ff2f29798842cc4c9e5741e8591546317ff437db5114ecf784e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e7d9245-30e0-4eea-a670-c3aa8961fa09.vbs

Filesize
751B

MD5
d7215b94cdc26dbea19eef33f0c778dd

SHA1
bde6b9788ad0709fb6bf0d0ece4080692152cf7b

SHA256
d640617be668646b5331c0f4e6d4cb90ded49c7a12559aafb981b289884232bb

SHA512
cc6e88931ca9e89e9ed2090dda8d73edf0c836e631e566911ed00e4c984272ebeb2dfc87b018f86b1f91c6f4746b2cc581bc5315241d09139bf3e9d07c9a9373

Download Submit
C:\Users\Admin\AppData\Local\Temp\QRAp4BHdTQ.bat

Filesize
209B

MD5
98ec1aee0cd6c994fcea7f2477a034e8

SHA1
16adbddef56ed4930ddeb1d3f3ed36bc4334aa6a

SHA256
5f6f75565de72c120e46c030d4c9bc0325ed2ae37a1b9745ac2d16df0babaa93

SHA512
069a4cda64ce7095060de518138d7fc9ecbee36de5540b6d23ba75448d80166040c93b70154420caef1b398dc978e69d6ba9ac18b2c080c6a2d7f9fc4d6473a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
43KB

MD5
eab8788760465b2b46598ff289b4b8c4

SHA1
8c7b27c7ec66ea41f7e20afaf1394fb71b7c4a35

SHA256
7ba3084c6d0fcc0e6e1fedfdd04d24768b819aaf309b933d0f4243c37297821f

SHA512
996471d395c297950a4df7140cf0dda388f87ad8a26fb99feb35fa265873b77a7e100520df69770fbe1554ad4bf7f877f9214a61b44326353935dfe7def12ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gggg.exe

Filesize
1.2MB

MD5
c5607848210b7d664771584276d7d7ae

SHA1
9a395fbac63306fa240e51646cad80a803064352

SHA256
16de1516d3fc00a0873b270ffa44f20c13524827a88798e2743afe0bb06b9815

SHA512
ef9c622ee75161fc038456a2a7e7b9e881f66852dd06331fa2fecac13ce4d585b332672d51a6c8ab3dfd5a99de22b863dd52b53750669d0175aea45ed08a6e8b

Download Submit
C:\Users\Default User\9e8d7a4ca61bd9

Filesize
922B

MD5
921946537ddcdcc5e510e4c41c3de3e6

SHA1
02d74ff3e6e08a9a0e6a93a08e6663dae5663fe1

SHA256
7bedc24f0cf5f4560c20a2ec5251c23a26e0b3f412992824efe2247f7f440991

SHA512
8fb0c86248bbddfd923ae73ccf7a617289ad43e0de235d258e04f1e529024488e49366cf6e1cfd12cdc59d5c74ec5e3cdd66ad1f69d709d3da4f2138f0f9279d

Download Submit
memory/400-7-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

Filesize
10.8MB

Download
memory/400-0-0x00007FFA09743000-0x00007FFA09745000-memory.dmp

Filesize
8KB

Download
memory/400-18-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

Filesize
10.8MB

Download
memory/400-1-0x0000000000880000-0x0000000000940000-memory.dmp

Filesize
768KB

Download
memory/972-20-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/972-26-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/972-60-0x0000000004FC0000-0x0000000004FCA000-memory.dmp

Filesize
40KB

Download
memory/972-61-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/972-62-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/972-25-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/972-24-0x0000000005550000-0x0000000005AF4000-memory.dmp

Filesize
5.6MB

Download
memory/972-23-0x0000000004C10000-0x0000000004CAC000-memory.dmp

Filesize
624KB

Download
memory/972-22-0x00000000001F0000-0x0000000000202000-memory.dmp

Filesize
72KB

Download
memory/2196-39-0x0000000000FF0000-0x00000000010E4000-memory.dmp

Filesize
976KB

Download
memory/2196-40-0x00000000019C0000-0x00000000019CA000-memory.dmp

Filesize
40KB

Download
memory/2196-42-0x0000000003290000-0x000000000329A000-memory.dmp

Filesize
40KB

Download
memory/2196-41-0x00000000019D0000-0x00000000019DC000-memory.dmp

Filesize
48KB

Download