dcrat | 9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd

Analysis

max time kernel
55s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe
Size

1.2MB
MD5

d1dac6e0cf79a43434f1ac4c84b9ef4d
SHA1

35a0db7e5548b32fa4a44eb897beb9fbbdcc7962
SHA256

9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd
SHA512

43c1df1b5ea8d477977577e5a2a683e0c6621db649709a1447c783540e2e019053d288898fc255c2c27dedc20df595176a3b5a70c58a6a994f9b83192cc8989f
SSDEEP

24576:9sayvYwy9cCAiDSeqgpkcqK0QrmU9cPVbGI61T7Kamt:WayQfSeXqK5Z9gsI6dud

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1128	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1128	schtasks.exe	34

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2864-25-0x0000000000400000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/files/0x0014000000016fc9-26.dat	dcrat
behavioral1/memory/2184-29-0x0000000001010000-0x00000000010CA000-memory.dmp	dcrat
behavioral1/memory/1568-70-0x0000000000CC0000-0x0000000000D7A000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

Processes:

Ot35uD139H.exebEg0mjCdwt.execsrss.exe

pid	Process
2284	Ot35uD139H.exe
2184	bEg0mjCdwt.exe
1568	csrss.exe

Loads dropped DLL 2 IoCs

Processes:

9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe

pid	Process
2864	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe
2864	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe

description	pid	Process	procid_target
PID 2904 set thread context of 2864	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	30

Drops file in Program Files directory 8 IoCs

Processes:

bEg0mjCdwt.exe

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\lua\0a1fd5f707cd16	bEg0mjCdwt.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe	bEg0mjCdwt.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\101b941d020240	bEg0mjCdwt.exe
File created	C:\Program Files\Windows Defender\services.exe	bEg0mjCdwt.exe
File created	C:\Program Files\Windows Defender\c5b4cb5e9653cc	bEg0mjCdwt.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe	bEg0mjCdwt.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\886983d96e3d3e	bEg0mjCdwt.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sppsvc.exe	bEg0mjCdwt.exe

Drops file in Windows directory 2 IoCs

Processes:

bEg0mjCdwt.exe

description	ioc	Process
File created	C:\Windows\ShellNew\winlogon.exe	bEg0mjCdwt.exe
File created	C:\Windows\ShellNew\cc11b995f2a76d	bEg0mjCdwt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2868	2904	WerFault.exe	28

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
700	schtasks.exe
2500	schtasks.exe
904	schtasks.exe
2540	schtasks.exe
1644	schtasks.exe
1012	schtasks.exe
2008	schtasks.exe
2592	schtasks.exe
2396	schtasks.exe
2596	schtasks.exe
268	schtasks.exe
1300	schtasks.exe
552	schtasks.exe
2464	schtasks.exe
1148	schtasks.exe
1848	schtasks.exe
2924	schtasks.exe
1692	schtasks.exe
1792	schtasks.exe
1660	schtasks.exe
2312	schtasks.exe
2212	schtasks.exe
1824	schtasks.exe
2612	schtasks.exe
2800	schtasks.exe
2228	schtasks.exe
2104	schtasks.exe
900	schtasks.exe
1336	schtasks.exe
2672	schtasks.exe
3048	schtasks.exe
3052	schtasks.exe
1788	schtasks.exe
2232	schtasks.exe
1732	schtasks.exe
1596	schtasks.exe
956	schtasks.exe
872	schtasks.exe
2816	schtasks.exe
2916	schtasks.exe
1084	schtasks.exe
1036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

bEg0mjCdwt.execsrss.exe

pid	Process
2184	bEg0mjCdwt.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe
1568	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bEg0mjCdwt.execsrss.exe

description	pid	Process
Token: SeDebugPrivilege	2184	bEg0mjCdwt.exe
Token: SeDebugPrivilege	1568	csrss.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exebEg0mjCdwt.execmd.exe

description	pid	Process	procid_target
PID 2904 wrote to memory of 2864	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	30
PID 2904 wrote to memory of 2864	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	30
PID 2904 wrote to memory of 2864	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	30
PID 2904 wrote to memory of 2864	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	30
PID 2904 wrote to memory of 2864	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	30
PID 2904 wrote to memory of 2864	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	30
PID 2904 wrote to memory of 2864	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	30
PID 2904 wrote to memory of 2864	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	30
PID 2904 wrote to memory of 2864	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	30
PID 2904 wrote to memory of 2864	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	30
PID 2904 wrote to memory of 2864	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	30
PID 2904 wrote to memory of 2868	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	31
PID 2904 wrote to memory of 2868	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	31
PID 2904 wrote to memory of 2868	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	31
PID 2904 wrote to memory of 2868	2904	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	31
PID 2864 wrote to memory of 2184	2864	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	33
PID 2864 wrote to memory of 2184	2864	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	33
PID 2864 wrote to memory of 2184	2864	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	33
PID 2864 wrote to memory of 2184	2864	9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe	33
PID 2184 wrote to memory of 692	2184	bEg0mjCdwt.exe	77
PID 2184 wrote to memory of 692	2184	bEg0mjCdwt.exe	77
PID 2184 wrote to memory of 692	2184	bEg0mjCdwt.exe	77
PID 692 wrote to memory of 864	692	cmd.exe	79
PID 692 wrote to memory of 864	692	cmd.exe	79
PID 692 wrote to memory of 864	692	cmd.exe	79
PID 692 wrote to memory of 1568	692	cmd.exe	80
PID 692 wrote to memory of 1568	692	cmd.exe	80
PID 692 wrote to memory of 1568	692	cmd.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe
"C:\Users\Admin\AppData\Local\Temp\9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe
  "C:\Users\Admin\AppData\Local\Temp\9b0117b8c8455a1eaadc91283f7910ee263e2398893b1c288c64d8a500c388dd.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Roaming\Ot35uD139H.exe
    "C:\Users\Admin\AppData\Roaming\Ot35uD139H.exe"
    3⤵
    - Executes dropped EXE
    PID:2284
- - C:\Users\Admin\AppData\Roaming\bEg0mjCdwt.exe
    "C:\Users\Admin\AppData\Roaming\bEg0mjCdwt.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zewrKVspW3.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:864
    - - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 68
  2⤵
  - Program crash
  PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\lua\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\lua\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ShellNew\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zewrKVspW3.bat

Filesize
237B

MD5
eea3471c8ffaf7b0bebbb1c847b8f3b1

SHA1
e493e09a9ed52fc0cd21642e19dab2603913b345

SHA256
7953bf7f02a4a2cbe956ff61887b3037719b87a859b730ed4d330a7c39c08ea6

SHA512
9997e6b25371226d4e9d2bf670e57b73c5d4405fb15ddc91130720baf5bb3854345edc1de793973e5ee8ff2bee42fda0626b85b7d419cd7e1596af280a73ebdd

Download Submit
C:\Users\Admin\AppData\Roaming\Ot35uD139H.exe

Filesize
18KB

MD5
f3edff85de5fd002692d54a04bcb1c09

SHA1
4c844c5b0ee7cb230c9c28290d079143e00cb216

SHA256
caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

SHA512
531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

Download Submit
C:\Users\Admin\AppData\Roaming\bEg0mjCdwt.exe

Filesize
716KB

MD5
2ea728129d813b8a99509cc009968d2e

SHA1
4705bf7c666dceb4db384cb487d796557583d107

SHA256
384773df6081637cd1d36872cace14b1df5e5d59cb9bed47512b0618185ca8fd

SHA512
9a67df09a331602e6a9176bbc6277cf7908085e768b9da2e13f6ba99934020d46823073d8e19b6cb2dd19ee0c75407a67c5095fb33068679a7ab5d760764db39

Download Submit
memory/1568-70-0x0000000000CC0000-0x0000000000D7A000-memory.dmp

Filesize
744KB

Download
memory/2184-31-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2184-28-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp

Filesize
4KB

Download
memory/2184-67-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2184-33-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2184-32-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/2184-30-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2184-29-0x0000000001010000-0x00000000010CA000-memory.dmp

Filesize
744KB

Download
memory/2864-11-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2864-1-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2864-25-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2864-12-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2864-10-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2864-5-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2864-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2864-4-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2864-13-0x0000000000BC0000-0x0000000000CEB000-memory.dmp

Filesize
1.2MB

Download
memory/2864-3-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2864-6-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2864-2-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2904-0-0x0000000000CE3000-0x0000000000CE5000-memory.dmp

Filesize
8KB

Download