dcrat | d7917a55c255297286aacb020baf7e7fcd6acb4a0d380e4cb3d50e50e90593b0

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NeverLose Crack by Lick0_.exe
Size

2.8MB
MD5

3687f8b8c673eb5541ed071b708dc5a5
SHA1

e019bc82b0fd67875615673c0ac07013962077af
SHA256

d7917a55c255297286aacb020baf7e7fcd6acb4a0d380e4cb3d50e50e90593b0
SHA512

510c3298b7dfaa02657dcec9ab63ef3eac6d15a9b946daff7d07ab840ef8331531a90b1873fe37f9c694c6d5ff88216c5d4e81b9b7db08eb51fd8da1aae7931f
SSDEEP

49152:MbA3Q4etyON8AHfj+roH3t1Um1K7gAV2Oinx8WL8+oGidW6:MbXnyBroXts7NyxlZD6

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2552	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2552	schtasks.exe	39

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x000600000001926a-30.dat	dcrat
behavioral1/memory/2932-34-0x0000000000110000-0x000000000038E000-memory.dmp	dcrat
behavioral1/memory/1572-65-0x0000000001370000-0x00000000015EE000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

ComSurrogateDriver.exeservices.exe

pid	Process
2932	ComSurrogateDriver.exe
1572	services.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2108	cmd.exe
2108	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
4	pastebin.com
5	pastebin.com

Drops file in Program Files directory 9 IoCs

Processes:

ComSurrogateDriver.exe

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\Idle.exe	ComSurrogateDriver.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\c5b4cb5e9653cc	ComSurrogateDriver.exe
File created	C:\Program Files\7-Zip\Lang\OSPPSVC.exe	ComSurrogateDriver.exe
File created	C:\Program Files\7-Zip\Lang\1610b97d3ab4a7	ComSurrogateDriver.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\6ccacd8608530f	ComSurrogateDriver.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\services.exe	ComSurrogateDriver.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\ComSurrogateDriver.exe	ComSurrogateDriver.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\ComSurrogateDriver.exe	ComSurrogateDriver.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\78ce611dcc8301	ComSurrogateDriver.exe

Drops file in Windows directory 3 IoCs

Processes:

ComSurrogateDriver.exe

description	ioc	Process
File created	C:\Windows\Boot\lsass.exe	ComSurrogateDriver.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe	ComSurrogateDriver.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\c5b4cb5e9653cc	ComSurrogateDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetaskkill.execmd.exeNeverLose Crack by Lick0_.exeWScript.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NeverLose Crack by Lick0_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2684	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
788	schtasks.exe
2972	schtasks.exe
2788	schtasks.exe
2900	schtasks.exe
824	schtasks.exe
3016	schtasks.exe
2316	schtasks.exe
1272	schtasks.exe
1436	schtasks.exe
1368	schtasks.exe
1240	schtasks.exe
1752	schtasks.exe
2184	schtasks.exe
1252	schtasks.exe
2240	schtasks.exe
880	schtasks.exe
1624	schtasks.exe
1644	schtasks.exe
1616	schtasks.exe
1152	schtasks.exe
2716	schtasks.exe
888	schtasks.exe
1908	schtasks.exe
1564	schtasks.exe
2064	schtasks.exe
3068	schtasks.exe
408	schtasks.exe
2880	schtasks.exe
2916	schtasks.exe
2124	schtasks.exe
2188	schtasks.exe
2196	schtasks.exe
2008	schtasks.exe
1020	schtasks.exe
1596	schtasks.exe
2256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

ComSurrogateDriver.exeservices.exe

pid	Process
2932	ComSurrogateDriver.exe
2932	ComSurrogateDriver.exe
2932	ComSurrogateDriver.exe
1572	services.exe
1572	services.exe
1572	services.exe
1572	services.exe
1572	services.exe
1572	services.exe
1572	services.exe
1572	services.exe
1572	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ComSurrogateDriver.exeservices.exe

description	pid	Process
Token: SeDebugPrivilege	2932	ComSurrogateDriver.exe
Token: SeDebugPrivilege	1572	services.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

NeverLose Crack by Lick0_.execmd.execmd.exeWScript.execmd.exeComSurrogateDriver.exe

description	pid	Process	procid_target
PID 1652 wrote to memory of 1056	1652	NeverLose Crack by Lick0_.exe	30
PID 1652 wrote to memory of 1056	1652	NeverLose Crack by Lick0_.exe	30
PID 1652 wrote to memory of 1056	1652	NeverLose Crack by Lick0_.exe	30
PID 1652 wrote to memory of 1056	1652	NeverLose Crack by Lick0_.exe	30
PID 1652 wrote to memory of 3052	1652	NeverLose Crack by Lick0_.exe	31
PID 1652 wrote to memory of 3052	1652	NeverLose Crack by Lick0_.exe	31
PID 1652 wrote to memory of 3052	1652	NeverLose Crack by Lick0_.exe	31
PID 1652 wrote to memory of 3052	1652	NeverLose Crack by Lick0_.exe	31
PID 1652 wrote to memory of 2060	1652	NeverLose Crack by Lick0_.exe	32
PID 1652 wrote to memory of 2060	1652	NeverLose Crack by Lick0_.exe	32
PID 1652 wrote to memory of 2060	1652	NeverLose Crack by Lick0_.exe	32
PID 1652 wrote to memory of 2060	1652	NeverLose Crack by Lick0_.exe	32
PID 2060 wrote to memory of 3000	2060	cmd.exe	34
PID 2060 wrote to memory of 3000	2060	cmd.exe	34
PID 2060 wrote to memory of 3000	2060	cmd.exe	34
PID 2060 wrote to memory of 3000	2060	cmd.exe	34
PID 3000 wrote to memory of 2684	3000	cmd.exe	35
PID 3000 wrote to memory of 2684	3000	cmd.exe	35
PID 3000 wrote to memory of 2684	3000	cmd.exe	35
PID 3000 wrote to memory of 2684	3000	cmd.exe	35
PID 1056 wrote to memory of 2108	1056	WScript.exe	36
PID 1056 wrote to memory of 2108	1056	WScript.exe	36
PID 1056 wrote to memory of 2108	1056	WScript.exe	36
PID 1056 wrote to memory of 2108	1056	WScript.exe	36
PID 2108 wrote to memory of 2932	2108	cmd.exe	38
PID 2108 wrote to memory of 2932	2108	cmd.exe	38
PID 2108 wrote to memory of 2932	2108	cmd.exe	38
PID 2108 wrote to memory of 2932	2108	cmd.exe	38
PID 2932 wrote to memory of 1572	2932	ComSurrogateDriver.exe	76
PID 2932 wrote to memory of 1572	2932	ComSurrogateDriver.exe	76
PID 2932 wrote to memory of 1572	2932	ComSurrogateDriver.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NeverLose Crack by Lick0_.exe
"C:\Users\Admin\AppData\Local\Temp\NeverLose Crack by Lick0_.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\serversvc\sIICU.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\serversvc\298xPTUK2eRUsguC.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\serversvc\ComSurrogateDriver.exe
      "C:\serversvc\ComSurrogateDriver.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Program Files\Java\jdk1.7.0_80\include\services.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\serversvc\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\serversvc\6fZxXCAdox3DydUlVNG.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "taskkill steam.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill steam.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComSurrogateDriverC" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ComSurrogateDriver.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComSurrogateDriver" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ComSurrogateDriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComSurrogateDriverC" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ComSurrogateDriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\serversvc\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\serversvc\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\serversvc\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\Chess\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Chess\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\serversvc\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\serversvc\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\serversvc\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\include\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\serversvc\298xPTUK2eRUsguC.bat

Filesize
37B

MD5
a70ef85524a8291a64f86473a3613666

SHA1
9e2180e5f09e71abd13437f8e63a74185ed20499

SHA256
ccfa63116a2ee95a473c3ca843c343bdd87cfdeae691f7e12a0938a1fc09f042

SHA512
b07dea6d2cb1acc057dddacf1e573d9f585ae72750ffd828e2b381f63896976f2803ea641a6ef63fe24c7e8279eb345fe03699a88a646796082899f6fa928d70

Download Submit
C:\serversvc\6fZxXCAdox3DydUlVNG.bat

Filesize
31B

MD5
f1eb57101ab533a9731d52e4debfad4d

SHA1
b80cc75fb2cf7753b6f7c5eaa6b3dc2eaf0148b5

SHA256
bea282aa18f6fcd9bfc765cb251970ff97d8e41b816b37c2b987c2c98f28faf4

SHA512
bb5658658e6dfad7b7a0b94db207e516301c37f44c8fd5d2578bda49147e15fe5e147cb10733a37fb5e7f4c1cad9cfd9faadae97665e26f19c29b36be68efe1d

Download Submit
C:\serversvc\file.vbs

Filesize
68B

MD5
e4b3857b04ed328ff4d2dd8b3b2382b5

SHA1
f30ee596d1210f776c8090425c95489a460befe1

SHA256
b198539bee398529b541f7b3f4f1d6d5f93103ca222f86e6c89941404a8fb780

SHA512
c2337323196722f645150eecaeb37ccf982632bf92863f9f24d6360d6315845883eacef0aeb30daa361a6379ec915bfc4526e7a6516176900450110da3a4895a

Download Submit
C:\serversvc\sIICU.vbe

Filesize
202B

MD5
6046e28a669b5a57f93afa3094762ecd

SHA1
56e4ee7ce81fbf9a89fa0416623fca553714bbfa

SHA256
7a2ac0e099cf62742abcd928cdb904851546ceebab077a9f5004e735d53a27a9

SHA512
55d0a0c691dd0d09c19b78cd4b966b33aaefdb382e8f9c40375e95774cd36edc65bc810585a68276739c2ba100e2123c704bbb794ef0c5a9b61ffaff573f5ffb

Download Submit
\serversvc\ComSurrogateDriver.exe

Filesize
2.5MB

MD5
8514467d2a5a3ae542fe6eecb6348d37

SHA1
81c9ba0dc68733af3bee7fae15a8eaca611d7fda

SHA256
b09d9c56ffffde85a3bb698240009cb131081b5333b6cfc3259e2b4279b7d61e

SHA512
ad91fc9289b3f598e3d68b797352deca4cb127f4c067d8154664d59037ba95a04928c7d18b22829a0b882ed50f3be5d43b51ca481a646e106db2ee847f0f0b63

Download Submit
memory/1572-65-0x0000000001370000-0x00000000015EE000-memory.dmp

Filesize
2.5MB

Download
memory/2932-34-0x0000000000110000-0x000000000038E000-memory.dmp

Filesize
2.5MB

Download