dcrat | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Size

426KB
MD5

2d94c0a9c700f4a1552a1e2fe2cd33e2
SHA1

7dfe6f390ea59bc8d53431cd3a4756c109e201ee
SHA256

352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9
SHA512

4add372efa87a762a63c528699b84ce3f0ad4f4f4966fb58a721d92a9d5e1f2acc49e8e406c89a25ba1698cb1ceb0714e9b63109ba3a26b24ee696096ce855f4
SSDEEP

12288:mDLfHXFL+Kfcos8Us9s4R1d4j7nwlmyAgn/fT:mtyUAQnR+7wlmy7/7

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\lsass.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Searches\\backgroundTaskHost.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Searches\\backgroundTaskHost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\fontdrvhost.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Searches\\backgroundTaskHost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\fontdrvhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d94c0a9c700f4a1552a1e2fe2cd33e2.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	740	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	740	schtasks.exe	84

DCRat payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1180-2-0x000000001AD60000-0x000000001AE32000-memory.dmp	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe

Executes dropped EXE 1 IoCs

pid	Process
488	Idle.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Admin\\Searches\\backgroundTaskHost.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Admin\\Searches\\backgroundTaskHost.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\fontdrvhost.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows NT\\lsass.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows NT\\lsass.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d94c0a9c700f4a1552a1e2fe2cd33e2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d94c0a9c700f4a1552a1e2fe2cd33e2.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\fontdrvhost.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d94c0a9c700f4a1552a1e2fe2cd33e2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d94c0a9c700f4a1552a1e2fe2cd33e2.exe\""	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC882A03F7D2E94BCB88E12841C2F31668.TMP	csc.exe
File created	\??\c:\Windows\System32\ljh0xx.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\5b884080fd4f94	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
File created	C:\Program Files\Windows NT\lsass.exe	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
File created	C:\Program Files\Windows NT\6203df4a6bafc7	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4912	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4912	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1460	schtasks.exe
4576	schtasks.exe
4040	schtasks.exe
2772	schtasks.exe
3180	schtasks.exe
2936	schtasks.exe
2892	schtasks.exe
2860	schtasks.exe
2752	schtasks.exe
1892	schtasks.exe
2588	schtasks.exe
2164	schtasks.exe
3596	schtasks.exe
4644	schtasks.exe
3980	schtasks.exe
4556	schtasks.exe
3668	schtasks.exe
1340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
488	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Token: SeDebugPrivilege	488	Idle.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 4020	1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe	88
PID 1180 wrote to memory of 4020	1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe	88
PID 4020 wrote to memory of 3300	4020	csc.exe	90
PID 4020 wrote to memory of 3300	4020	csc.exe	90
PID 1180 wrote to memory of 2624	1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe	106
PID 1180 wrote to memory of 2624	1180	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe	106
PID 2624 wrote to memory of 4480	2624	cmd.exe	108
PID 2624 wrote to memory of 4480	2624	cmd.exe	108
PID 2624 wrote to memory of 4912	2624	cmd.exe	109
PID 2624 wrote to memory of 4912	2624	cmd.exe	109
PID 2624 wrote to memory of 488	2624	cmd.exe	117
PID 2624 wrote to memory of 488	2624	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
"C:\Users\Admin\AppData\Local\Temp\2d94c0a9c700f4a1552a1e2fe2cd33e2.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kotn15dh\kotn15dh.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9896.tmp" "c:\Windows\System32\CSC882A03F7D2E94BCB88E12841C2F31668.TMP"
    3⤵
    PID:3300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y1z3ycLVXj.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4480
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4912
- - C:\Recovery\WindowsRE\Idle.exe
    "C:\Recovery\WindowsRE\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Searches\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2d94c0a9c700f4a1552a1e2fe2cd33e22" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\2d94c0a9c700f4a1552a1e2fe2cd33e2.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2d94c0a9c700f4a1552a1e2fe2cd33e2" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2d94c0a9c700f4a1552a1e2fe2cd33e2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2d94c0a9c700f4a1552a1e2fe2cd33e22" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\2d94c0a9c700f4a1552a1e2fe2cd33e2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\lsass.exe

Filesize
426KB

MD5
2d94c0a9c700f4a1552a1e2fe2cd33e2

SHA1
7dfe6f390ea59bc8d53431cd3a4756c109e201ee

SHA256
352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9

SHA512
4add372efa87a762a63c528699b84ce3f0ad4f4f4966fb58a721d92a9d5e1f2acc49e8e406c89a25ba1698cb1ceb0714e9b63109ba3a26b24ee696096ce855f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9896.tmp

Filesize
1KB

MD5
ee61fbad81af51c9f6af459dd28590c1

SHA1
20b0cb2ff298f788980ad2654504c909cffc9447

SHA256
2c30b4e6ffefbb0181883cb57848e0f1b99f035ed2bb06d0721e75ae27abcc54

SHA512
31aae1316a41850c5fe20e9ad0591b8ba865112217288d5d2f9513e52e5f7c39890d025d1fb2d88b3e11a2f807e52bab1a26cd4383dc5b44c7a7f13292babfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1z3ycLVXj.bat

Filesize
158B

MD5
8909eafe3d23d504b29be9a769e51748

SHA1
953516eb56877055ab5bfa4310c088b725dd94a9

SHA256
df26fb5a239b6cec2f29c493080465bf2bec6dd8d7b6bbba4f390cea9a355cf4

SHA512
dde32d551e4d980cbd30a1c145c679c0943c3e5aeeb3ac15b6703e36f5e8833e5f2f4b936e90cb78e65e6423104917a1fe1c782b2f90f64a6c3331e507450d55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kotn15dh\kotn15dh.0.cs

Filesize
369B

MD5
34588d15d88890883dd07b53b601b19b

SHA1
2236cd11e0ede32fe6af1f784f36f8837c27d694

SHA256
448d40681cd39617e456131b6574b9d4dede90d5510161f0b15e738dc70da508

SHA512
ed0cf1131877a6cd6fe6caf0f5f26bd7476184b59cd22ef19b9d86a624db13f067e5ae9af482156409f292e57528db0a3a3a7cd30960fed3a846dae6fa2e3b68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kotn15dh\kotn15dh.cmdline

Filesize
235B

MD5
4be26ef32c266fdd2db04d6e3e7f0668

SHA1
5fc8ae71199a4452fc6fdcc1c7d7f6a0b56a4251

SHA256
ad5e3cdb60d2d58b373135ac2c3e2cbf1a854df9764b12f7c3f81c64cf628434

SHA512
262b624c363e1d810dc76fd877a9699bfff7e440e909cb317b3ceaf577b0fd1a3e715f9814d1eb26bf800518caf202b64cf4c823fa491a5ae21b4376701f087d

Download Submit
\??\c:\Windows\System32\CSC882A03F7D2E94BCB88E12841C2F31668.TMP

Filesize
1KB

MD5
2fd2b90e7053b01e6af25701a467eb1f

SHA1
68801a13cebba82c24f67a9d7c886fcefcf01a51

SHA256
12b900db56a20f01f0f1d65f46933971415d5b5675e59e8b02b3dae12aaa1527

SHA512
081d3a621e3664709867f3fdd82808364978f896fb007c0c8e6c8dfe25f2f2b8d37c9e0b2e4fb51c90bc6f691507b569e5d841ef3ca3bd38bd6adda2d30f32af

Download Submit
memory/488-59-0x000000001B940000-0x000000001BA0D000-memory.dmp

Filesize
820KB

Download
memory/488-60-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/1180-32-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1180-2-0x000000001AD60000-0x000000001AE32000-memory.dmp

Filesize
840KB

Download
memory/1180-15-0x00000000022C0000-0x00000000022CC000-memory.dmp

Filesize
48KB

Download
memory/1180-17-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1180-6-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1180-28-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1180-8-0x00000000022D0000-0x00000000022EC000-memory.dmp

Filesize
112KB

Download
memory/1180-5-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/1180-3-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1180-13-0x00000000022B0000-0x00000000022BE000-memory.dmp

Filesize
56KB

Download
memory/1180-0-0x00007FF974D63000-0x00007FF974D65000-memory.dmp

Filesize
8KB

Download
memory/1180-45-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1180-48-0x000000001B650000-0x000000001B71D000-memory.dmp

Filesize
820KB

Download
memory/1180-1-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1180-49-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1180-11-0x00000000022F0000-0x0000000002308000-memory.dmp

Filesize
96KB

Download
memory/1180-9-0x000000001B250000-0x000000001B2A0000-memory.dmp

Filesize
320KB

Download