dcrat | 80446e16d616fee4a8ffeef94f2dc1f5737435d07a111de9622f13a98a5f196e

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe
Size

745KB
MD5

5e82f4a00b31da2ecd210a7c7575e29d
SHA1

518e5f78b256ee794ebbc8f96275993a9252be23
SHA256

80446e16d616fee4a8ffeef94f2dc1f5737435d07a111de9622f13a98a5f196e
SHA512

5f794743493acff89407966cdc2b3df386389d90f2468ec5a32c4df2a2ba6dfddea60886ab14a6e9a1b4ddc173989278e2c7397d430aea8c01297b40d782a900
SSDEEP

12288:sBpoIY///1UFxJF80IsoBVnsNxd2LFErkUzw2jtQsnmeTRf7qrc5PPjr21tM/7nf:ZIY/4FcHG/MnUzVhmMRfG4lLr2M/T

Score

10^/10

dcrat njrat hacked discovery evasion infostealer rat trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

thomas-drops.gl.at.ply.gg:45773

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	5056	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	5056	schtasks.exe	95

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/files/0x0002000000022d12-6.dat	dcrat
behavioral3/files/0x000800000002342a-37.dat	dcrat
behavioral3/memory/2864-39-0x00000000004E0000-0x00000000005D4000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	gggg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	reviewdriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	conhost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Server.exe

Executes dropped EXE 4 IoCs

pid	Process
3916	gggg.exe
5084	Server.exe
2864	reviewdriver.exe
4056	conhost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdriver.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\04c1e7795967e4	reviewdriver.exe
File created	C:\Program Files (x86)\Windows Mail\Server.exe	reviewdriver.exe
File created	C:\Program Files (x86)\Windows Mail\786bd863e8d80c	reviewdriver.exe
File created	C:\Program Files (x86)\Windows Portable Devices\explorer.exe	reviewdriver.exe
File created	C:\Program Files (x86)\Windows Portable Devices\7a0fd90576e088	reviewdriver.exe
File created	C:\Program Files\Common Files\Services\winlogon.exe	reviewdriver.exe
File created	C:\Program Files\Common Files\Services\cc11b995f2a76d	reviewdriver.exe
File created	C:\Program Files\MSBuild\Microsoft\TrustedInstaller.exe	reviewdriver.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\smss.exe	reviewdriver.exe
File opened for modification	C:\Windows\es-ES\smss.exe	reviewdriver.exe
File created	C:\Windows\es-ES\69ddcba757bf72	reviewdriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gggg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	gggg.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	reviewdriver.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
744	schtasks.exe
4100	schtasks.exe
4436	schtasks.exe
4992	schtasks.exe
1500	schtasks.exe
220	schtasks.exe
756	schtasks.exe
2960	schtasks.exe
2744	schtasks.exe
4320	schtasks.exe
4964	schtasks.exe
3240	schtasks.exe
956	schtasks.exe
1636	schtasks.exe
2352	schtasks.exe
3388	schtasks.exe
2124	schtasks.exe
2072	schtasks.exe
5068	schtasks.exe
2484	schtasks.exe
4532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2864	reviewdriver.exe
4056	conhost.exe
4056	conhost.exe
4056	conhost.exe
4056	conhost.exe
4056	conhost.exe
4056	conhost.exe
4056	conhost.exe
4056	conhost.exe
4056	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5084	Server.exe
4056	conhost.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	reviewdriver.exe
Token: SeDebugPrivilege	4056	conhost.exe
Token: SeDebugPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe
Token: 33	5084	Server.exe
Token: SeIncBasePriorityPrivilege	5084	Server.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 3916	5076	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	89
PID 5076 wrote to memory of 3916	5076	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	89
PID 5076 wrote to memory of 3916	5076	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	89
PID 5076 wrote to memory of 5084	5076	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	90
PID 5076 wrote to memory of 5084	5076	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	90
PID 5076 wrote to memory of 5084	5076	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	90
PID 3916 wrote to memory of 2984	3916	gggg.exe	93
PID 3916 wrote to memory of 2984	3916	gggg.exe	93
PID 3916 wrote to memory of 2984	3916	gggg.exe	93
PID 2984 wrote to memory of 2976	2984	WScript.exe	96
PID 2984 wrote to memory of 2976	2984	WScript.exe	96
PID 2984 wrote to memory of 2976	2984	WScript.exe	96
PID 2976 wrote to memory of 2864	2976	cmd.exe	98
PID 2976 wrote to memory of 2864	2976	cmd.exe	98
PID 2864 wrote to memory of 3428	2864	reviewdriver.exe	121
PID 2864 wrote to memory of 3428	2864	reviewdriver.exe	121
PID 3428 wrote to memory of 4516	3428	cmd.exe	123
PID 3428 wrote to memory of 4516	3428	cmd.exe	123
PID 3428 wrote to memory of 4056	3428	cmd.exe	126
PID 3428 wrote to memory of 4056	3428	cmd.exe	126
PID 4056 wrote to memory of 1912	4056	conhost.exe	127
PID 4056 wrote to memory of 1912	4056	conhost.exe	127
PID 4056 wrote to memory of 5000	4056	conhost.exe	128
PID 4056 wrote to memory of 5000	4056	conhost.exe	128

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe
"C:\Users\Admin\AppData\Local\Temp\АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\gggg.exe
  "C:\Users\Admin\AppData\Local\Temp\gggg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ChainComponentBrowserwin\zJJP8u9NRTk6u.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ChainComponentBrowserwin\ZckenFSJPCIUJWjfI5CZYMEmaPZVg.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\ChainComponentBrowserwin\reviewdriver.exe
        
        "C:\ChainComponentBrowserwin\reviewdriver.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2864
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiMlS8Mhb9.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4516
        
        C:\Recovery\WindowsRE\conhost.exe
        
        "C:\Recovery\WindowsRE\conhost.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b714d46-915f-445e-a1eb-91ef77ffc8fa.vbs"
        8⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c56c9f36-571b-45c8-a35f-aee655d70b1f.vbs"
        8⤵
        
        PID:5000
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\Server.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Server" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Server.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\Server.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Services\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\ChainComponentBrowserwin\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ChainComponentBrowserwin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\ChainComponentBrowserwin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainComponentBrowserwin\ZckenFSJPCIUJWjfI5CZYMEmaPZVg.bat

Filesize
46B

MD5
3e83fda43f1932bb71d930d2f89e68b2

SHA1
1fa2f89990c21a7f0eebfbf06f7064c19e46b081

SHA256
ecb36758516d13f656baac1a37f3af9dd3e683e8aab3847d65bb82c9eb05cb51

SHA512
d6efea92b244d10f5a0e2b228782cc7e1b45fcf262dcc7ea709a9ab8fa458b2e8d3e3bfa4cdf4a4852812d01bb9ff1c7bba65abbe62527e5a84e5b3b15f8ea9b

Download Submit
C:\ChainComponentBrowserwin\reviewdriver.exe

Filesize
948KB

MD5
2e2c059f61338c40914c10d40502e57e

SHA1
e6cb5a1ffdf369b3135c72ab12d71cc3d5f2b053

SHA256
8e4df816223a625bf911553d5f80219f81fc44f07ba98c95f379fd12169c2918

SHA512
1b1f2dae55f50874532b37ad4ab74a54452f65d7499004b37b0afc3dc2c1d16d66a0e41c1733ac1f4cff9993325d32ea714b441c06ba4eba350136835c746d3e

Download Submit
C:\ChainComponentBrowserwin\zJJP8u9NRTk6u.vbe

Filesize
230B

MD5
b9b72befe720ec640eb23938f752a453

SHA1
c621298c3cfac9aa9c5cdfebd5efa0a1b01c7b34

SHA256
bddc35ffa29cfc10fc39778a551335781091aec61771943662e66cdf4c4a07ad

SHA512
4d119e2aba40fe14d624690103d08620369eeeb0a922a3091027a7cf90597db7d491653ed356eb85a45104bdcbd3eb5876e5c4c508ed85d0e235d71a65578f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b714d46-915f-445e-a1eb-91ef77ffc8fa.vbs

Filesize
709B

MD5
b5a6185d500748e27263ad6d8fc655e2

SHA1
bab34e2c806702abe45fd21b40922a2124120517

SHA256
2a505ab8afd1c506d5d8856306e8e62ce6875101b845165ee362e3f28009805f

SHA512
d6900bfeffec1f6407e25094c296789a15a03876c82b4decdf21b05166237bee9ab15a5a3538f79dde306089e315294de833183d534620c5d757f830b4af50de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
43KB

MD5
eab8788760465b2b46598ff289b4b8c4

SHA1
8c7b27c7ec66ea41f7e20afaf1394fb71b7c4a35

SHA256
7ba3084c6d0fcc0e6e1fedfdd04d24768b819aaf309b933d0f4243c37297821f

SHA512
996471d395c297950a4df7140cf0dda388f87ad8a26fb99feb35fa265873b77a7e100520df69770fbe1554ad4bf7f877f9214a61b44326353935dfe7def12ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c56c9f36-571b-45c8-a35f-aee655d70b1f.vbs

Filesize
485B

MD5
04533346e91a633e235fb48696201ff0

SHA1
506ad839ab7e0fa64f316b301008b9c45d65c97f

SHA256
3fca16451641ae9b8f77955c93884d2faf146bdbb9edda90a771d4a7e3903001

SHA512
a07d328899c5f0c65e0bccaa8bb0c3ddb1229f0704bd64b7794fd8079a2bd5d2a241f57a3edd6dd1fbf807218b126768c96b478bc743f92e2b50533655a3dc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\gggg.exe

Filesize
1.2MB

MD5
c5607848210b7d664771584276d7d7ae

SHA1
9a395fbac63306fa240e51646cad80a803064352

SHA256
16de1516d3fc00a0873b270ffa44f20c13524827a88798e2743afe0bb06b9815

SHA512
ef9c622ee75161fc038456a2a7e7b9e881f66852dd06331fa2fecac13ce4d585b332672d51a6c8ab3dfd5a99de22b863dd52b53750669d0175aea45ed08a6e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiMlS8Mhb9.bat

Filesize
198B

MD5
7bfc1ac8f6cac4f4d7571ae401382948

SHA1
a2a7e4ebcb57154df885ef136d7196a0cd5e240e

SHA256
e6a072219529654ddf81fe6a780ffabb907f711e8a126dd8c473b87d35d3e59f

SHA512
9deb2d205d9eb01abaf22b4e18d849a45295d5df4eec246c78b092602b5d1b268978f636b4a05aa1ee2ffa1772f6590107a8e314dcf25763625866c51808074a

Download Submit
memory/2864-41-0x0000000000EA0000-0x0000000000EAC000-memory.dmp

Filesize
48KB

Download
memory/2864-40-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/2864-42-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

Filesize
40KB

Download
memory/2864-39-0x00000000004E0000-0x00000000005D4000-memory.dmp

Filesize
976KB

Download
memory/5076-1-0x0000000000530000-0x00000000005F0000-memory.dmp

Filesize
768KB

Download
memory/5076-7-0x00007FF99E430000-0x00007FF99EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/5076-19-0x00007FF99E430000-0x00007FF99EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/5076-0-0x00007FF99E433000-0x00007FF99E435000-memory.dmp

Filesize
8KB

Download
memory/5084-22-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/5084-20-0x0000000073DBE000-0x0000000073DBF000-memory.dmp

Filesize
4KB

Download
memory/5084-24-0x0000000005A20000-0x0000000005FC4000-memory.dmp

Filesize
5.6MB

Download
memory/5084-23-0x00000000051D0000-0x000000000526C000-memory.dmp

Filesize
624KB

Download
memory/5084-64-0x0000000005570000-0x000000000557A000-memory.dmp

Filesize
40KB

Download
memory/5084-65-0x0000000073DBE000-0x0000000073DBF000-memory.dmp

Filesize
4KB

Download
memory/5084-66-0x0000000073DB0000-0x0000000074560000-memory.dmp

Filesize
7.7MB

Download
memory/5084-25-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/5084-26-0x0000000073DB0000-0x0000000074560000-memory.dmp

Filesize
7.7MB

Download