dcrat | d7917a55c255297286aacb020baf7e7fcd6acb4a0d380e4cb3d50e50e90593b0

Analysis

max time kernel
135s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NeverLoseCrackbyLick0_.exe
Size

2.8MB
MD5

3687f8b8c673eb5541ed071b708dc5a5
SHA1

e019bc82b0fd67875615673c0ac07013962077af
SHA256

d7917a55c255297286aacb020baf7e7fcd6acb4a0d380e4cb3d50e50e90593b0
SHA512

510c3298b7dfaa02657dcec9ab63ef3eac6d15a9b946daff7d07ab840ef8331531a90b1873fe37f9c694c6d5ff88216c5d4e81b9b7db08eb51fd8da1aae7931f
SSDEEP

49152:MbA3Q4etyON8AHfj+roH3t1Um1K7gAV2Oinx8WL8+oGidW6:MbXnyBroXts7NyxlZD6

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2096	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2096	schtasks.exe	39

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000173a9-30.dat	dcrat
behavioral1/memory/3024-34-0x0000000001360000-0x00000000015DE000-memory.dmp	dcrat
behavioral1/memory/2560-72-0x00000000000B0000-0x000000000032E000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
3024	ComSurrogateDriver.exe
2560	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	cmd.exe
2020	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\ja-JP\817c8c8ec737a7	ComSurrogateDriver.exe
File created	C:\Program Files (x86)\Windows Portable Devices\conhost.exe	ComSurrogateDriver.exe
File created	C:\Program Files (x86)\Windows Portable Devices\088424020bedd6	ComSurrogateDriver.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	ComSurrogateDriver.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e	ComSurrogateDriver.exe
File created	C:\Program Files\Windows Defender\ja-JP\wscript.exe	ComSurrogateDriver.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\6ccacd8608530f	ComSurrogateDriver.exe
File created	C:\Windows\Setup\State\conhost.exe	ComSurrogateDriver.exe
File created	C:\Windows\Setup\State\088424020bedd6	ComSurrogateDriver.exe
File created	C:\Windows\Offline Web Pages\Idle.exe	ComSurrogateDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NeverLoseCrackbyLick0_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2552	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2860	schtasks.exe
592	schtasks.exe
2084	schtasks.exe
1044	schtasks.exe
1580	schtasks.exe
596	schtasks.exe
2184	schtasks.exe
2444	schtasks.exe
2512	schtasks.exe
3028	schtasks.exe
688	schtasks.exe
2236	schtasks.exe
1700	schtasks.exe
1592	schtasks.exe
1076	schtasks.exe
1604	schtasks.exe
2528	schtasks.exe
2280	schtasks.exe
1304	schtasks.exe
1680	schtasks.exe
1508	schtasks.exe
956	schtasks.exe
760	schtasks.exe
2064	schtasks.exe
1224	schtasks.exe
236	schtasks.exe
2700	schtasks.exe
2248	schtasks.exe
2164	schtasks.exe
1656	schtasks.exe
2408	schtasks.exe
892	schtasks.exe
3032	schtasks.exe
1584	schtasks.exe
2044	schtasks.exe
2536	schtasks.exe
2772	schtasks.exe
2888	schtasks.exe
2880	schtasks.exe
2036	schtasks.exe
1536	schtasks.exe
2984	schtasks.exe
1956	schtasks.exe
2820	schtasks.exe
2068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3024	ComSurrogateDriver.exe
3024	ComSurrogateDriver.exe
3024	ComSurrogateDriver.exe
2560	lsm.exe
2560	lsm.exe
2560	lsm.exe
2560	lsm.exe
2560	lsm.exe
2560	lsm.exe
2560	lsm.exe
2560	lsm.exe
2560	lsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	ComSurrogateDriver.exe
Token: SeDebugPrivilege	2560	lsm.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2824	2228	NeverLoseCrackbyLick0_.exe	30
PID 2228 wrote to memory of 2824	2228	NeverLoseCrackbyLick0_.exe	30
PID 2228 wrote to memory of 2824	2228	NeverLoseCrackbyLick0_.exe	30
PID 2228 wrote to memory of 2824	2228	NeverLoseCrackbyLick0_.exe	30
PID 2228 wrote to memory of 2656	2228	NeverLoseCrackbyLick0_.exe	31
PID 2228 wrote to memory of 2656	2228	NeverLoseCrackbyLick0_.exe	31
PID 2228 wrote to memory of 2656	2228	NeverLoseCrackbyLick0_.exe	31
PID 2228 wrote to memory of 2656	2228	NeverLoseCrackbyLick0_.exe	31
PID 2228 wrote to memory of 2916	2228	NeverLoseCrackbyLick0_.exe	32
PID 2228 wrote to memory of 2916	2228	NeverLoseCrackbyLick0_.exe	32
PID 2228 wrote to memory of 2916	2228	NeverLoseCrackbyLick0_.exe	32
PID 2228 wrote to memory of 2916	2228	NeverLoseCrackbyLick0_.exe	32
PID 2916 wrote to memory of 2748	2916	cmd.exe	34
PID 2916 wrote to memory of 2748	2916	cmd.exe	34
PID 2916 wrote to memory of 2748	2916	cmd.exe	34
PID 2916 wrote to memory of 2748	2916	cmd.exe	34
PID 2748 wrote to memory of 2552	2748	cmd.exe	35
PID 2748 wrote to memory of 2552	2748	cmd.exe	35
PID 2748 wrote to memory of 2552	2748	cmd.exe	35
PID 2748 wrote to memory of 2552	2748	cmd.exe	35
PID 2824 wrote to memory of 2020	2824	WScript.exe	36
PID 2824 wrote to memory of 2020	2824	WScript.exe	36
PID 2824 wrote to memory of 2020	2824	WScript.exe	36
PID 2824 wrote to memory of 2020	2824	WScript.exe	36
PID 2020 wrote to memory of 3024	2020	cmd.exe	38
PID 2020 wrote to memory of 3024	2020	cmd.exe	38
PID 2020 wrote to memory of 3024	2020	cmd.exe	38
PID 2020 wrote to memory of 3024	2020	cmd.exe	38
PID 3024 wrote to memory of 2584	3024	ComSurrogateDriver.exe	85
PID 3024 wrote to memory of 2584	3024	ComSurrogateDriver.exe	85
PID 3024 wrote to memory of 2584	3024	ComSurrogateDriver.exe	85
PID 2584 wrote to memory of 2212	2584	cmd.exe	87
PID 2584 wrote to memory of 2212	2584	cmd.exe	87
PID 2584 wrote to memory of 2212	2584	cmd.exe	87
PID 2584 wrote to memory of 2560	2584	cmd.exe	88
PID 2584 wrote to memory of 2560	2584	cmd.exe	88
PID 2584 wrote to memory of 2560	2584	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NeverLoseCrackbyLick0_.exe
"C:\Users\Admin\AppData\Local\Temp\NeverLoseCrackbyLick0_.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\serversvc\sIICU.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\serversvc\298xPTUK2eRUsguC.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\serversvc\ComSurrogateDriver.exe
      "C:\serversvc\ComSurrogateDriver.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XYYynrSlR5.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2212
      - C:\Users\Default\Videos\lsm.exe
        
        "C:\Users\Default\Videos\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\serversvc\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\serversvc\6fZxXCAdox3DydUlVNG.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "taskkill steam.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill steam.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\ja-JP\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\ja-JP\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\serversvc\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\serversvc\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\serversvc\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Videos\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Public\Pictures\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XYYynrSlR5.bat

Filesize
196B

MD5
815e138bab8c06347f119447bf939cbb

SHA1
8456abdd7d73fd202d877e5fa33acc5f7d079bd8

SHA256
4be5e50601b867735109ce26fe58f2e5ab9cbe5769ca80bbfb5d192b5a006c8b

SHA512
4b698e8ec3cb4c09713c10f1a2b96038946bc32b4e27a213dff47a8a87d7551992e9a03188e4b4fc7abd589e4045e089a281e69652743ed9ea098876c73f72eb

Download Submit
C:\serversvc\298xPTUK2eRUsguC.bat

Filesize
37B

MD5
a70ef85524a8291a64f86473a3613666

SHA1
9e2180e5f09e71abd13437f8e63a74185ed20499

SHA256
ccfa63116a2ee95a473c3ca843c343bdd87cfdeae691f7e12a0938a1fc09f042

SHA512
b07dea6d2cb1acc057dddacf1e573d9f585ae72750ffd828e2b381f63896976f2803ea641a6ef63fe24c7e8279eb345fe03699a88a646796082899f6fa928d70

Download Submit
C:\serversvc\6fZxXCAdox3DydUlVNG.bat

Filesize
31B

MD5
f1eb57101ab533a9731d52e4debfad4d

SHA1
b80cc75fb2cf7753b6f7c5eaa6b3dc2eaf0148b5

SHA256
bea282aa18f6fcd9bfc765cb251970ff97d8e41b816b37c2b987c2c98f28faf4

SHA512
bb5658658e6dfad7b7a0b94db207e516301c37f44c8fd5d2578bda49147e15fe5e147cb10733a37fb5e7f4c1cad9cfd9faadae97665e26f19c29b36be68efe1d

Download Submit
C:\serversvc\file.vbs

Filesize
68B

MD5
e4b3857b04ed328ff4d2dd8b3b2382b5

SHA1
f30ee596d1210f776c8090425c95489a460befe1

SHA256
b198539bee398529b541f7b3f4f1d6d5f93103ca222f86e6c89941404a8fb780

SHA512
c2337323196722f645150eecaeb37ccf982632bf92863f9f24d6360d6315845883eacef0aeb30daa361a6379ec915bfc4526e7a6516176900450110da3a4895a

Download Submit
C:\serversvc\sIICU.vbe

Filesize
202B

MD5
6046e28a669b5a57f93afa3094762ecd

SHA1
56e4ee7ce81fbf9a89fa0416623fca553714bbfa

SHA256
7a2ac0e099cf62742abcd928cdb904851546ceebab077a9f5004e735d53a27a9

SHA512
55d0a0c691dd0d09c19b78cd4b966b33aaefdb382e8f9c40375e95774cd36edc65bc810585a68276739c2ba100e2123c704bbb794ef0c5a9b61ffaff573f5ffb

Download Submit
\serversvc\ComSurrogateDriver.exe

Filesize
2.5MB

MD5
8514467d2a5a3ae542fe6eecb6348d37

SHA1
81c9ba0dc68733af3bee7fae15a8eaca611d7fda

SHA256
b09d9c56ffffde85a3bb698240009cb131081b5333b6cfc3259e2b4279b7d61e

SHA512
ad91fc9289b3f598e3d68b797352deca4cb127f4c067d8154664d59037ba95a04928c7d18b22829a0b882ed50f3be5d43b51ca481a646e106db2ee847f0f0b63

Download Submit
memory/2560-72-0x00000000000B0000-0x000000000032E000-memory.dmp

Filesize
2.5MB

Download
memory/3024-34-0x0000000001360000-0x00000000015DE000-memory.dmp

Filesize
2.5MB

Download