dcrat | ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810

Analysis

max time kernel
139s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe
Size

885KB
MD5

eae6d4d5eae0cf85ff69eb89946e4185
SHA1

9107578b01297b583bf797575bea0d745d024260
SHA256

ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810
SHA512

14fbb35dc316eef0d11204280b8e152d54905f72e43f2f98d92cfca559f3d09dd7d849ea01ce1c57ab94d356b26d6146e6714a51d1f72af9d4d94fc0adba533f
SSDEEP

24576:9WUovLOqIJk8IjNJ/+z4F3osuiKoqsyol54bWYUK:9LoDP8IxF3osxKoqUK

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2412	schtasks.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2412	schtasks.exe	41

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x0036000000016ca5-12.dat	dcrat
behavioral1/files/0x0008000000016d1f-36.dat	dcrat
behavioral1/memory/2948-37-0x0000000000010000-0x00000000000E6000-memory.dmp	dcrat
behavioral1/memory/2212-68-0x00000000002F0000-0x00000000003C6000-memory.dmp	dcrat

Executes dropped EXE 5 IoCs

Processes:

Bootstrapper.exekendalcp.exereviewDll.execsrss.exe

pid	Process
2904	Bootstrapper.exe
2132	kendalcp.exe
1208
2948	reviewDll.exe
2212	csrss.exe

Loads dropped DLL 9 IoCs

Processes:

ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exeWerFault.execmd.exe

pid	Process
2856	ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe
768
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2968	cmd.exe
2968	cmd.exe

Drops file in Program Files directory 11 IoCs

Processes:

reviewDll.exe

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\VC\spoolsv.exe	reviewDll.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\b8014f78f41eb1	reviewDll.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\886983d96e3d3e	reviewDll.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\taskhost.exe	reviewDll.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\Bootstrapper.exe	reviewDll.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe	reviewDll.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\b75386f1303e64	reviewDll.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\f3b6ecef712a24	reviewDll.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\winlogon.exe	reviewDll.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\winlogon.exe	reviewDll.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\cc11b995f2a76d	reviewDll.exe

Drops file in Windows directory 1 IoCs

Processes:

reviewDll.exe

description	ioc	Process
File created	C:\Windows\rescache\rc0006\System.exe	reviewDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kendalcp.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kendalcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exe

pid	Process
2332	ipconfig.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2576	schtasks.exe
2076	schtasks.exe
1284	schtasks.exe
872	schtasks.exe
2580	schtasks.exe
1752	schtasks.exe
1684	schtasks.exe
348	schtasks.exe
2268	schtasks.exe
1052	schtasks.exe
1728	schtasks.exe
2868	schtasks.exe
2340	schtasks.exe
2168	schtasks.exe
1352	schtasks.exe
1316	schtasks.exe
1628	schtasks.exe
1264	schtasks.exe
3044	schtasks.exe
1664	schtasks.exe
2436	schtasks.exe
1596	schtasks.exe
536	schtasks.exe
2352	schtasks.exe
2040	schtasks.exe
1740	schtasks.exe
1864	schtasks.exe
2924	schtasks.exe
1832	schtasks.exe
560	schtasks.exe
1508	schtasks.exe
556	schtasks.exe
1724	schtasks.exe
2684	schtasks.exe
1540	schtasks.exe
1240	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

reviewDll.execsrss.exe

pid	Process
2948	reviewDll.exe
2948	reviewDll.exe
2948	reviewDll.exe
2948	reviewDll.exe
2948	reviewDll.exe
2212	csrss.exe
2212	csrss.exe
2212	csrss.exe
2212	csrss.exe
2212	csrss.exe
2212	csrss.exe
2212	csrss.exe
2212	csrss.exe
2212	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid	Process
2212	csrss.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exeBootstrapper.exereviewDll.execsrss.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2236	WMIC.exe
Token: SeSecurityPrivilege	2236	WMIC.exe
Token: SeTakeOwnershipPrivilege	2236	WMIC.exe
Token: SeLoadDriverPrivilege	2236	WMIC.exe
Token: SeSystemProfilePrivilege	2236	WMIC.exe
Token: SeSystemtimePrivilege	2236	WMIC.exe
Token: SeProfSingleProcessPrivilege	2236	WMIC.exe
Token: SeIncBasePriorityPrivilege	2236	WMIC.exe
Token: SeCreatePagefilePrivilege	2236	WMIC.exe
Token: SeBackupPrivilege	2236	WMIC.exe
Token: SeRestorePrivilege	2236	WMIC.exe
Token: SeShutdownPrivilege	2236	WMIC.exe
Token: SeDebugPrivilege	2236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2236	WMIC.exe
Token: SeRemoteShutdownPrivilege	2236	WMIC.exe
Token: SeUndockPrivilege	2236	WMIC.exe
Token: SeManageVolumePrivilege	2236	WMIC.exe
Token: 33	2236	WMIC.exe
Token: 34	2236	WMIC.exe
Token: 35	2236	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2236	WMIC.exe
Token: SeSecurityPrivilege	2236	WMIC.exe
Token: SeTakeOwnershipPrivilege	2236	WMIC.exe
Token: SeLoadDriverPrivilege	2236	WMIC.exe
Token: SeSystemProfilePrivilege	2236	WMIC.exe
Token: SeSystemtimePrivilege	2236	WMIC.exe
Token: SeProfSingleProcessPrivilege	2236	WMIC.exe
Token: SeIncBasePriorityPrivilege	2236	WMIC.exe
Token: SeCreatePagefilePrivilege	2236	WMIC.exe
Token: SeBackupPrivilege	2236	WMIC.exe
Token: SeRestorePrivilege	2236	WMIC.exe
Token: SeShutdownPrivilege	2236	WMIC.exe
Token: SeDebugPrivilege	2236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2236	WMIC.exe
Token: SeRemoteShutdownPrivilege	2236	WMIC.exe
Token: SeUndockPrivilege	2236	WMIC.exe
Token: SeManageVolumePrivilege	2236	WMIC.exe
Token: 33	2236	WMIC.exe
Token: 34	2236	WMIC.exe
Token: 35	2236	WMIC.exe
Token: SeDebugPrivilege	2904	Bootstrapper.exe
Token: SeDebugPrivilege	2948	reviewDll.exe
Token: SeDebugPrivilege	2212	csrss.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exekendalcp.exeBootstrapper.execmd.execmd.exeWScript.execmd.exereviewDll.exe

description	pid	Process	procid_target
PID 2856 wrote to memory of 2904	2856	ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe	31
PID 2856 wrote to memory of 2904	2856	ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe	31
PID 2856 wrote to memory of 2904	2856	ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe	31
PID 2856 wrote to memory of 2132	2856	ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe	33
PID 2856 wrote to memory of 2132	2856	ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe	33
PID 2856 wrote to memory of 2132	2856	ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe	33
PID 2856 wrote to memory of 2132	2856	ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe	33
PID 2132 wrote to memory of 2668	2132	kendalcp.exe	34
PID 2132 wrote to memory of 2668	2132	kendalcp.exe	34
PID 2132 wrote to memory of 2668	2132	kendalcp.exe	34
PID 2132 wrote to memory of 2668	2132	kendalcp.exe	34
PID 2904 wrote to memory of 2432	2904	Bootstrapper.exe	35
PID 2904 wrote to memory of 2432	2904	Bootstrapper.exe	35
PID 2904 wrote to memory of 2432	2904	Bootstrapper.exe	35
PID 2432 wrote to memory of 2332	2432	cmd.exe	37
PID 2432 wrote to memory of 2332	2432	cmd.exe	37
PID 2432 wrote to memory of 2332	2432	cmd.exe	37
PID 2904 wrote to memory of 1292	2904	Bootstrapper.exe	38
PID 2904 wrote to memory of 1292	2904	Bootstrapper.exe	38
PID 2904 wrote to memory of 1292	2904	Bootstrapper.exe	38
PID 1292 wrote to memory of 2236	1292	cmd.exe	40
PID 1292 wrote to memory of 2236	1292	cmd.exe	40
PID 1292 wrote to memory of 2236	1292	cmd.exe	40
PID 2904 wrote to memory of 2996	2904	Bootstrapper.exe	42
PID 2904 wrote to memory of 2996	2904	Bootstrapper.exe	42
PID 2904 wrote to memory of 2996	2904	Bootstrapper.exe	42
PID 2668 wrote to memory of 2968	2668	WScript.exe	43
PID 2668 wrote to memory of 2968	2668	WScript.exe	43
PID 2668 wrote to memory of 2968	2668	WScript.exe	43
PID 2668 wrote to memory of 2968	2668	WScript.exe	43
PID 2968 wrote to memory of 2948	2968	cmd.exe	45
PID 2968 wrote to memory of 2948	2968	cmd.exe	45
PID 2968 wrote to memory of 2948	2968	cmd.exe	45
PID 2968 wrote to memory of 2948	2968	cmd.exe	45
PID 2948 wrote to memory of 2212	2948	reviewDll.exe	82
PID 2948 wrote to memory of 2212	2948	reviewDll.exe	82
PID 2948 wrote to memory of 2212	2948	reviewDll.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe
"C:\Users\Admin\AppData\Local\Temp\ea10faa651fc412d0ec1b6417d4ab1949f5ace92373d87dd789d8b0556ffb810.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\system32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2332
- - C:\Windows\system32\cmd.exe
    "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2236
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2904 -s 1032
    3⤵
    - Loads dropped DLL
    PID:2996
- C:\Users\Admin\AppData\Local\Temp\kendalcp.exe
  "C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\blocksavesperfMonitorDll\reviewDll.exe
        
        "C:\blocksavesperfMonitorDll\reviewDll.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\blocksavesperfMonitorDll\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\blocksavesperfMonitorDll\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BootstrapperB" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\Bootstrapper.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Bootstrapper" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\Bootstrapper.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BootstrapperB" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\Bootstrapper.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\VC\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\VC\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Microsoft Shared\VC\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\blocksavesperfMonitorDll\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\blocksavesperfMonitorDll\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kendalcp.exe

Filesize
1.1MB

MD5
0d015cc111d53a019e680b0bed11fcad

SHA1
3b3fb6eeba0c2ba286a4db5e850697399ccb5e36

SHA256
2b7365d9634016b0483009225b959692c290a6b17fad133e42434dc89fdf4150

SHA512
c3a7ea551d0151033dde83a3dda1042e8fe26702c84da2b630ecffb739aecb654730bb5f7ec8914189f72ca7d0ecf1352f0ca7effa938bc1d6f0ae56c3358eab

Download Submit
C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe

Filesize
222B

MD5
a6f295a2e58c722b5935cc905e81fd8b

SHA1
a2a30408197320a639e3e2f18a57fc8578c97b58

SHA256
8bcebca170fc0768cb1afb63f1350d63c3a295b26ca04602e07ec43498b9691c

SHA512
839605d7eadcdc470dd4edd117cedd976cb9f36bf0a636d08afecc6378adadf0fccb80beb44de849b6dfec814845cef8ca83ca171b39c1f6d90d55485bd06635

Download Submit
C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat

Filesize
43B

MD5
7c582abd8874b9cc60df72d62bd86440

SHA1
564e7b01338d08f657f2c02fa8fc5b8dadb92331

SHA256
c5e95b783c6ec1b98a40edf8663370c678de43e9b657e09ca1f054618277b329

SHA512
444cf67666329ea359e221560a229990013af07d1ed074b2406e903c7ee04cf279953ad0726a96c2ca875216da68369dfdde00f905adf1de9ed93b8582bf8828

Download Submit
C:\blocksavesperfMonitorDll\reviewDll.exe

Filesize
828KB

MD5
d9dac9e1d95e84e6aec084cf2ddb3f3a

SHA1
a231a41c7ad994879b15116dcea41fdc09bb5879

SHA256
0fbeb71fb1dfe793eace5ed167f035a8f4bcc6b56d0930b6b97481f2b222b1d5

SHA512
c4aa115de6f61c7311e8654d40537cd1ce08f0fb7efd0a225a42e06ad000ed420ba905e5cc26a19cb56af951ee1441aa257c073c47911a72fff733c0db1c2f9a

Download Submit
\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

Filesize
800KB

MD5
2a4dcf20b82896be94eb538260c5fb93

SHA1
21f232c2fd8132f8677e53258562ad98b455e679

SHA256
ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

SHA512
4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

Download Submit
memory/2212-68-0x00000000002F0000-0x00000000003C6000-memory.dmp

Filesize
856KB

Download
memory/2856-15-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-1-0x00000000012D0000-0x00000000013B4000-memory.dmp

Filesize
912KB

Download
memory/2856-0-0x000007FEF5823000-0x000007FEF5824000-memory.dmp

Filesize
4KB

Download
memory/2904-14-0x00000000000A0000-0x000000000016E000-memory.dmp

Filesize
824KB

Download
memory/2904-23-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2904-69-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-37-0x0000000000010000-0x00000000000E6000-memory.dmp

Filesize
856KB

Download