dcrat | 9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462

General

Target

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe
Size

1.8MB
MD5

8fe4d765052f33ee206babd50ecebff4
SHA1

626ed36cc72ed374334c868a5d2471cd1d70e9ef
SHA256

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462
SHA512

5a41dbc6ead37caa5de7c3110378fc1357954a6b02b50eea6d82ff2685962536090e2e6e75a83ab321aa14a04a50f31c92290ace854bd45bc4c5913a1e1a7210
SSDEEP

49152:IBJS5y9ltNK+s0am17m5uSTRhNCYX1xoUQ/Ui5zbf2qmOK:ywGls0amCyN5zbf7jK

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

MsRefHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\csrss.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\csrss.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\WmiPrvSE.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\csrss.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\WmiPrvSE.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\csrss.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\WmiPrvSE.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\lsass.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\csrss.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\WmiPrvSE.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\lsass.exe\", \"C:\\Users\\All Users\\explorer.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\csrss.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\WmiPrvSE.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\lsass.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	1564	schtasks.exe

Executes dropped EXE 2 IoCs

Processes:

MsRefHost.exeexplorer.exe

pid process

2820 MsRefHost.exe
1604 explorer.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2696 cmd.exe
2696 cmd.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2696	cmd.exe
2696	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MsRefHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\explorer.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MsRefHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Microsoft Office\\Office14\\csrss.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\lsass.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\explorer.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Microsoft Office\\Office14\\csrss.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\RemotePackages\\RemoteDesktops\\WmiPrvSE.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\RemotePackages\\RemoteDesktops\\WmiPrvSE.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\lsass.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsRefHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe

Drops file in System32 directory 3 IoCs

Processes:

MsRefHost.execsc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\explorer.exe	MsRefHost.exe
File created	\??\c:\Windows\System32\CSC6B32C3BEFD7A49B4B567F8DF6D9680.TMP	csc.exe
File created	\??\c:\Windows\System32\qmeprf.exe	csc.exe

Drops file in Program Files directory 4 IoCs

Processes:

MsRefHost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsass.exe	MsRefHost.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\6203df4a6bafc7	MsRefHost.exe
File created	C:\Program Files\Microsoft Office\Office14\csrss.exe	MsRefHost.exe
File created	C:\Program Files\Microsoft Office\Office14\886983d96e3d3e	MsRefHost.exe

Drops file in Windows directory 2 IoCs

Processes:

MsRefHost.exe

description	ioc	process
File created	C:\Windows\RemotePackages\RemoteDesktops\WmiPrvSE.exe	MsRefHost.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\24dbde2999530e	MsRefHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

1776 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1776 PING.EXE

pid	process
1776	PING.EXE

pid	process
1776	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2160	schtasks.exe
2756	schtasks.exe
584	schtasks.exe
2852	schtasks.exe
1060	schtasks.exe
2156	schtasks.exe
2164	schtasks.exe
1836	schtasks.exe
2960	schtasks.exe
2552	schtasks.exe
1080	schtasks.exe
1616	schtasks.exe
2404	schtasks.exe
2616	schtasks.exe
2488	schtasks.exe
1380	schtasks.exe
2832	schtasks.exe
2944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MsRefHost.exe

pid	process
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe
2820	MsRefHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1604 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MsRefHost.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 2820 MsRefHost.exe
Token: SeDebugPrivilege 1604 explorer.exe

pid	process
1604	explorer.exe

description	pid	process
Token: SeDebugPrivilege	2820	MsRefHost.exe
Token: SeDebugPrivilege	1604	explorer.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exeWScript.execmd.exeMsRefHost.execsc.execmd.exe

description	pid	process	target process
PID 2528 wrote to memory of 680	2528	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe	WScript.exe
PID 2528 wrote to memory of 680	2528	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe	WScript.exe
PID 2528 wrote to memory of 680	2528	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe	WScript.exe
PID 2528 wrote to memory of 680	2528	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe	WScript.exe
PID 680 wrote to memory of 2696	680	WScript.exe	cmd.exe
PID 680 wrote to memory of 2696	680	WScript.exe	cmd.exe
PID 680 wrote to memory of 2696	680	WScript.exe	cmd.exe
PID 680 wrote to memory of 2696	680	WScript.exe	cmd.exe
PID 2696 wrote to memory of 2820	2696	cmd.exe	MsRefHost.exe
PID 2696 wrote to memory of 2820	2696	cmd.exe	MsRefHost.exe
PID 2696 wrote to memory of 2820	2696	cmd.exe	MsRefHost.exe
PID 2696 wrote to memory of 2820	2696	cmd.exe	MsRefHost.exe
PID 2820 wrote to memory of 1964	2820	MsRefHost.exe	csc.exe
PID 2820 wrote to memory of 1964	2820	MsRefHost.exe	csc.exe
PID 2820 wrote to memory of 1964	2820	MsRefHost.exe	csc.exe
PID 1964 wrote to memory of 1852	1964	csc.exe	cvtres.exe
PID 1964 wrote to memory of 1852	1964	csc.exe	cvtres.exe
PID 1964 wrote to memory of 1852	1964	csc.exe	cvtres.exe
PID 2820 wrote to memory of 2968	2820	MsRefHost.exe	cmd.exe
PID 2820 wrote to memory of 2968	2820	MsRefHost.exe	cmd.exe
PID 2820 wrote to memory of 2968	2820	MsRefHost.exe	cmd.exe
PID 2968 wrote to memory of 344	2968	cmd.exe	chcp.com
PID 2968 wrote to memory of 344	2968	cmd.exe	chcp.com
PID 2968 wrote to memory of 344	2968	cmd.exe	chcp.com
PID 2968 wrote to memory of 1776	2968	cmd.exe	PING.EXE
PID 2968 wrote to memory of 1776	2968	cmd.exe	PING.EXE
PID 2968 wrote to memory of 1776	2968	cmd.exe	PING.EXE
PID 2968 wrote to memory of 1604	2968	cmd.exe	explorer.exe
PID 2968 wrote to memory of 1604	2968	cmd.exe	explorer.exe
PID 2968 wrote to memory of 1604	2968	cmd.exe	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe
"C:\Users\Admin\AppData\Local\Temp\9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\jkOicXdQzIcV9is8cWaVy6nJ.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\wAdFTqpCaV8zL9PLLEPDNQlrlvWhrY.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe
      "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf/MsRefHost.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qw40fjsj\qw40fjsj.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE08F.tmp" "c:\Windows\System32\CSC6B32C3BEFD7A49B4B567F8DF6D9680.TMP"
        6⤵
        
        PID:1852
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HB9CFzapC9.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:344
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1776
      - C:\Users\All Users\explorer.exe
        
        "C:\Users\All Users\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteDesktops\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteDesktops\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HB9CFzapC9.bat

Filesize
159B

MD5
45a90df55c12d40f73e8766d7d77b384

SHA1
611c87996f1bef1c6e66950cedde9ffe176ef9f2

SHA256
a3aa8eb35e65ae73c26bfd2883b23f8db7178e4bc1a1e2c8658676b3584b0dd3

SHA512
b9708e6a2cf6eb88e8aef0923fd4cc60a992988b6897951ce2571e521392e57c901ebc559ce677dc545b36ded6b943895dff13733f8600ed62edb7f49aeaadb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE08F.tmp

Filesize
1KB

MD5
90b7634f86c92a97f54421e4d15ebebf

SHA1
4c29c6e0c2909f239ba17ccc24ad320046ece661

SHA256
d71d0a87664e15aadf5f51393be77ad670df70830521ddc38082846c29c34a37

SHA512
5c16b9b2d7740b743e505c6fab67a650ee7350f3d54db68ed5a9669b91e97a6fb8a0f5561de7ae61f98e39b58eb2597f533d8b81f15c5a8b07b37214c126108b

Download Submit
C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\jkOicXdQzIcV9is8cWaVy6nJ.vbe

Filesize
247B

MD5
299cb1e8030c59ea61c25d77663d93ce

SHA1
47ed6fb489f8e725a2a25ff2de2f769f8c010ca9

SHA256
c21646d405045a3684859964fb3a6bab60be39d07ef509902baa267fb3735d60

SHA512
121da7ee97dbc5ea1aed2b95acd2b9869783851bf1f267e97dd9ae25d0ad2819eccb8618108d8adb745a4baed59de9eb5da4c2c132659219f5689f03302bcb08

Download Submit
C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\wAdFTqpCaV8zL9PLLEPDNQlrlvWhrY.bat

Filesize
111B

MD5
7570b030d6165dbe5710aea256bc5fb0

SHA1
f748ac754c02cebb69b874e6c2b7c8dd51bfa43c

SHA256
5a7151908f5167f6be21b2518d8d825dc3f13e4fcc0e1b7ea4931669d28ef3e7

SHA512
64ba0ebacbc47fa0a7dc3efd361e89d24d7df343548ad337da0d2f4333e37a5ff208fc0d6f3c197d8e944d38cd4029f13f34b01e8a2adb63baea16dcedcd3ade

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qw40fjsj\qw40fjsj.0.cs

Filesize
384B

MD5
f772611629a346adb25643c92ba60d57

SHA1
dd4a277b7d57c302eaafb8b86ea506a49d583a85

SHA256
ead43a2bd4a1e5f2a86314cf1ec276154d7ded8b2d0037ec10e1c62faec6b82e

SHA512
1cf85ae11827dc3a43cce45abb3b355f5dbf4049cac5b9865bcfb71947a4873fb3ba0306568ce6fbdbc55eb0fd455cfb975f6d0e232832bbfe32606bdd93b1a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qw40fjsj\qw40fjsj.cmdline

Filesize
235B

MD5
a1a476501273e2076eb0aeaf69584738

SHA1
4a55322de4c9a24214535de4b719b8bc66bfb2a7

SHA256
512cae9dd9718bf2914776badf099b66bb611c6da05f3834d496a2fe03efc560

SHA512
058391eb2f708cec80dc475693e6888f2b6c2b37457467d52cfefeccfce9f9ddeb4a147708e3798575f8348bce158e6c80040c4aac61ea59a7e1ad15a26b3e79

Download Submit
\??\c:\Windows\System32\CSC6B32C3BEFD7A49B4B567F8DF6D9680.TMP

Filesize
1KB

MD5
167c870490dc33ec13a83ebb533b1bf6

SHA1
182378ebfa7c8372a988dee50a7dd6f8cda6a367

SHA256
3f742a374ad5a8da8fba9dfea27c7382dde145d46732cfc0002a53a1311df5e6

SHA512
1b48bb5f270f5d99d9dd98cd9da5866aed9377957d92bf1d686878522c438b38a444073c1a0ed4cc85f97315d2ef6abf05b74ab2265fecb20be5795b2ccef64e

Download Submit
\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe

Filesize
1.9MB

MD5
8f4b5051db276e30641cd63fac01a982

SHA1
2da38a070be557014c57d314211f6236470aca37

SHA256
5864cdafd1e3c62524dd7ec715b055e11a3ace3f586d575a2c2f5f9c4f096553

SHA512
db77eb1df5aa539bb55ae9c6936c40f7e6d5b9b53e2c7e0c84c2d6df91f541cbdfef92675b45e5e7bb804b8998482970ff92f793e63ad2f9754d43bfab60bfa2

Download Submit
memory/1604-56-0x0000000001360000-0x0000000001554000-memory.dmp

Filesize
2.0MB

Download
memory/2820-15-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

Filesize
56KB

Download
memory/2820-25-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/2820-23-0x0000000000AB0000-0x0000000000ABE000-memory.dmp

Filesize
56KB

Download
memory/2820-21-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/2820-19-0x0000000000AF0000-0x0000000000B08000-memory.dmp

Filesize
96KB

Download
memory/2820-17-0x0000000000AD0000-0x0000000000AEC000-memory.dmp

Filesize
112KB

Download
memory/2820-13-0x0000000000B50000-0x0000000000D44000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads