dcrat | e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908

Analysis

max time kernel
135s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe
Size

2.0MB
MD5

38924c8184bf5944da2ac3e5cd987da2
SHA1

1af0d4b729dd9c3a42c197a4ec961cab5722adda
SHA256

e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908
SHA512

225e25eb08a1abe529a4fc5eb435eb800145a782e3dbdd6ba1c28925f84d758c18111ed181649bd222d50fd4a44f1ede7e43c630a58ae9a92fd2074d3d306a61
SSDEEP

24576:FcBmS1nneRYZwoKBU7ArlQUCeYIxerW33/XfV6jx9aP5VR/z0WcBS4bppmHVSqyW:9S4/ST6xijxsBEmHVSqFHOHqnCgXu8

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\""	dec6C79.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\""	dec6C79.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\csrss.exe\""	dec6C79.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dec6C79.tmp.exe\""	dec6C79.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dec6C79.tmp.exe\", \"C:\\Windows\\SoftwareDistribution\\dllhost.exe\""	dec6C79.tmp

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	484	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	484	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	484	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	484	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	484	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	484	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	484	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	484	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	484	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	484	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	484	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	484	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	484	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	484	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	484	schtasks.exe	32

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b000000012266-4.dat	family_dcrat_v2
behavioral1/memory/2904-7-0x0000000000B20000-0x0000000000CD6000-memory.dmp	family_dcrat_v2
behavioral1/memory/2548-107-0x00000000009B0000-0x0000000000B66000-memory.dmp	family_dcrat_v2

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2436	powershell.exe
2996	powershell.exe
2316	powershell.exe
1796	powershell.exe
1148	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2904	dec6C79.tmp
2548	OSPPSVC.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\""	dec6C79.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\""	dec6C79.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SoftwareDistribution\\dllhost.exe\""	dec6C79.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\""	dec6C79.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\""	dec6C79.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\csrss.exe\""	dec6C79.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\csrss.exe\""	dec6C79.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\dec6C79.tmp = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dec6C79.tmp.exe\""	dec6C79.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dec6C79.tmp = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dec6C79.tmp.exe\""	dec6C79.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SoftwareDistribution\\dllhost.exe\""	dec6C79.tmp

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCB093B9BFEACE4D40B7A4914DA9FA71C2.TMP	csc.exe
File created	\??\c:\Windows\System32\qmeprf.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\df2a78106942fb	dec6C79.tmp
File created	C:\Program Files (x86)\Windows Portable Devices\dec6C79.tmp.exe	dec6C79.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\dllhost.exe	dec6C79.tmp
File created	C:\Windows\SoftwareDistribution\5940a34987c991	dec6C79.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2032	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2032	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2064	schtasks.exe
1904	schtasks.exe
2340	schtasks.exe
2964	schtasks.exe
1144	schtasks.exe
2492	schtasks.exe
1596	schtasks.exe
2784	schtasks.exe
1644	schtasks.exe
2968	schtasks.exe
2948	schtasks.exe
1940	schtasks.exe
2568	schtasks.exe
1832	schtasks.exe
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp
2904	dec6C79.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2548	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	dec6C79.tmp
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2548	OSPPSVC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2548	OSPPSVC.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2904	2848	e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe	31
PID 2848 wrote to memory of 2904	2848	e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe	31
PID 2848 wrote to memory of 2904	2848	e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe	31
PID 2904 wrote to memory of 2292	2904	dec6C79.tmp	36
PID 2904 wrote to memory of 2292	2904	dec6C79.tmp	36
PID 2904 wrote to memory of 2292	2904	dec6C79.tmp	36
PID 2292 wrote to memory of 400	2292	csc.exe	38
PID 2292 wrote to memory of 400	2292	csc.exe	38
PID 2292 wrote to memory of 400	2292	csc.exe	38
PID 2904 wrote to memory of 1148	2904	dec6C79.tmp	51
PID 2904 wrote to memory of 1148	2904	dec6C79.tmp	51
PID 2904 wrote to memory of 1148	2904	dec6C79.tmp	51
PID 2904 wrote to memory of 1796	2904	dec6C79.tmp	52
PID 2904 wrote to memory of 1796	2904	dec6C79.tmp	52
PID 2904 wrote to memory of 1796	2904	dec6C79.tmp	52
PID 2904 wrote to memory of 2316	2904	dec6C79.tmp	53
PID 2904 wrote to memory of 2316	2904	dec6C79.tmp	53
PID 2904 wrote to memory of 2316	2904	dec6C79.tmp	53
PID 2904 wrote to memory of 2436	2904	dec6C79.tmp	54
PID 2904 wrote to memory of 2436	2904	dec6C79.tmp	54
PID 2904 wrote to memory of 2436	2904	dec6C79.tmp	54
PID 2904 wrote to memory of 2996	2904	dec6C79.tmp	55
PID 2904 wrote to memory of 2996	2904	dec6C79.tmp	55
PID 2904 wrote to memory of 2996	2904	dec6C79.tmp	55
PID 2904 wrote to memory of 1964	2904	dec6C79.tmp	61
PID 2904 wrote to memory of 1964	2904	dec6C79.tmp	61
PID 2904 wrote to memory of 1964	2904	dec6C79.tmp	61
PID 1964 wrote to memory of 1504	1964	cmd.exe	63
PID 1964 wrote to memory of 1504	1964	cmd.exe	63
PID 1964 wrote to memory of 1504	1964	cmd.exe	63
PID 1964 wrote to memory of 2032	1964	cmd.exe	64
PID 1964 wrote to memory of 2032	1964	cmd.exe	64
PID 1964 wrote to memory of 2032	1964	cmd.exe	64
PID 1964 wrote to memory of 2548	1964	cmd.exe	65
PID 1964 wrote to memory of 2548	1964	cmd.exe	65
PID 1964 wrote to memory of 2548	1964	cmd.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe
"C:\Users\Admin\AppData\Local\Temp\e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\dec6C79.tmp
  C:\Users\Admin\AppData\Local\Temp\dec6C79.tmp
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\euynnqby\euynnqby.cmdline"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES785B.tmp" "c:\Windows\System32\CSCB093B9BFEACE4D40B7A4914DA9FA71C2.TMP"
      4⤵
      PID:400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dec6C79.tmp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rbwu3c5uDW.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1504
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2032
  - - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
      "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dec6C79.tmpd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\dec6C79.tmp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dec6C79.tmp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dec6C79.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dec6C79.tmpd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\dec6C79.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES785B.tmp

Filesize
1KB

MD5
59b676bf471e2ff70a1f1b89cf24125b

SHA1
ab688bbd7724348f37e89c0c6243c1a998569bdc

SHA256
480d1c1c3064288bdd0b8aa5c65955a73baedc945b1f10f155dc590de72d8f10

SHA512
182b24a28ec3f797abc50da27cf1588d2412164ea49658475dd06af6b426e98bdd178e9fff701f634f6db99da422b619ff5591fc3c619645099265e88ccd6ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\dec6C79.tmp

Filesize
1.7MB

MD5
37d00592110ca3cc53b7f6ca6ab1c82a

SHA1
86e13c84c33969081fe59d123e3cf81e9b3e5674

SHA256
5acd08cc77f1cebd2cb95f88b37edf94b9e72b9b1c965af7ea2766e9ddc5afb9

SHA512
618eeaec0ac5390184a3b6195634cb16d3def1d2ac8ab3664b3128a4e4776dda7777e6c2aedf138a6f8e9b7f6f84fc58c38f89d9178b220443567e0c55e0bbcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbwu3c5uDW.bat

Filesize
188B

MD5
c7a73a27d9c74b2fd79d2a2ff89451ab

SHA1
6b18cc39a9f66c72494a8064f7fb071fff277044

SHA256
bd81565a54ff5bca86d1717454b73a2883c2ba9c75fb52b7cc13783eb67d2419

SHA512
f609d2619c58f627d0a90830676e5817b20edcbe02c27fea72ffc1946fc5b4df68dbf15e300aaa8fa9003b55c8441f40b5fefc905393d793a1f4ef2f518c2b49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
79a4b2fa3c12ec89f6827e367ef9d6d1

SHA1
cd631ae94ce1aceab82e9c00a470698ef29d0b52

SHA256
e054769605f3ae715900486d5022be2113a3badc28c04061fa5a39b23f34f5c2

SHA512
6338a7cd47b8c9519ec0ac5bc84dc3687cfd773969cb7b4054b82d1c99645aba9fbed1da3d6ac4f44fd7c178b1982723b92bc34747c53e40b4877630c5635ab3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\euynnqby\euynnqby.0.cs

Filesize
392B

MD5
4f345fd34a98faa2c3113fe5c43470f4

SHA1
11cf8b5db104284ad6a5a8874754e465870da536

SHA256
a56e53c6938ce949a919aaa3bc6bcef50712b16bf33ec11f32d20ebbf1765297

SHA512
e38bb844f11a4195929a126c66d790066a430a497507d7261712d00f2f5700cf08711af31d4cd3a9bdef4be843efd771261eb12737f1c394fcc672641bca9e3b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\euynnqby\euynnqby.cmdline

Filesize
235B

MD5
35cb2ed96e0d556e791e40007fa266f2

SHA1
cfc246e0d94368121e3a93eeba4baed387e0e53c

SHA256
e6671bb6a11ed6a352b6872fdc1c46e3d4090f83f93cf4403d579a9a836d386b

SHA512
9b8695e4b59ff14610d15097083c6635521992bc895bdb9e988e57619f13f28f3080c4087cec588530cd97d16aafdf17797c4c7a3c07fb24609b792227695bd7

Download Submit
\??\c:\Windows\System32\CSCB093B9BFEACE4D40B7A4914DA9FA71C2.TMP

Filesize
1KB

MD5
167c870490dc33ec13a83ebb533b1bf6

SHA1
182378ebfa7c8372a988dee50a7dd6f8cda6a367

SHA256
3f742a374ad5a8da8fba9dfea27c7382dde145d46732cfc0002a53a1311df5e6

SHA512
1b48bb5f270f5d99d9dd98cd9da5866aed9377957d92bf1d686878522c438b38a444073c1a0ed4cc85f97315d2ef6abf05b74ab2265fecb20be5795b2ccef64e

Download Submit
memory/1796-85-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/1796-87-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2548-107-0x00000000009B0000-0x0000000000B66000-memory.dmp

Filesize
1.7MB

Download
memory/2848-104-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2904-29-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2904-43-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/2904-17-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/2904-15-0x00000000004E0000-0x00000000004F8000-memory.dmp

Filesize
96KB

Download
memory/2904-31-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2904-33-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-32-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-21-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/2904-27-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-35-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/2904-39-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/2904-37-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2904-41-0x0000000000A90000-0x0000000000AEA000-memory.dmp

Filesize
360KB

Download
memory/2904-19-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-45-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/2904-47-0x0000000000A70000-0x0000000000A88000-memory.dmp

Filesize
96KB

Download
memory/2904-49-0x0000000000A50000-0x0000000000A5C000-memory.dmp

Filesize
48KB

Download
memory/2904-22-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-24-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2904-26-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2904-18-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-13-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-12-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/2904-10-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/2904-102-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-8-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-7-0x0000000000B20000-0x0000000000CD6000-memory.dmp

Filesize
1.7MB

Download
memory/2904-6-0x000007FEF52D3000-0x000007FEF52D4000-memory.dmp

Filesize
4KB

Download