dcrat | 87a4b8833cd4cb394e3b19b1672491575466fe8b0afb935b7d9363a1cbaca59d

General

Target

5216ca61384f1d0eaa9b873e0b756f0b.exe
Size

1.1MB
MD5

5216ca61384f1d0eaa9b873e0b756f0b
SHA1

c29692709f869ebc5743f561c8f3975b2a2d5ae9
SHA256

87a4b8833cd4cb394e3b19b1672491575466fe8b0afb935b7d9363a1cbaca59d
SHA512

8dce4092b5a9c10309228a55f0a9a6d3508eae2f1f8bf26e2196f4426398d35d2618cc001d5665be5b24cfb138c46153c74b3b56e37d26e8ec7b8c0ebbd11758
SSDEEP

24576:U2G/nvxW3Ww0t7EJyn5ySinOYEI09IlOmLdRz4:UbA307EJ3tEI06Rs

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2744	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\Msdhcp\MsWebfont.exe	dcrat
behavioral1/memory/2100-13-0x0000000000260000-0x0000000000336000-memory.dmp	dcrat
behavioral1/memory/1612-43-0x00000000008E0000-0x00000000009B6000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

MsWebfont.exelsm.exe

pid process

2100 MsWebfont.exe
1612 lsm.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1700 cmd.exe
1700 cmd.exe

pid	process
2100	MsWebfont.exe
1612	lsm.exe

pid	process
1700	cmd.exe
1700	cmd.exe

Drops file in Program Files directory 6 IoCs

Processes:

MsWebfont.exe

description	ioc	process
File created	C:\Program Files\MSBuild\Microsoft\winlogon.exe	MsWebfont.exe
File created	C:\Program Files\MSBuild\Microsoft\cc11b995f2a76d	MsWebfont.exe
File created	C:\Program Files\Windows Journal\it-IT\WmiPrvSE.exe	MsWebfont.exe
File created	C:\Program Files\Windows Journal\it-IT\24dbde2999530e	MsWebfont.exe
File created	C:\Program Files\Windows Portable Devices\audiodg.exe	MsWebfont.exe
File created	C:\Program Files\Windows Portable Devices\42af1c969fbb7b	MsWebfont.exe

Drops file in Windows directory 7 IoCs

Processes:

MsWebfont.exe

description	ioc	process
File created	C:\Windows\DigitalLocker\lsm.exe	MsWebfont.exe
File created	C:\Windows\DigitalLocker\101b941d020240	MsWebfont.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-privacy.resources_31bf3856ad364e35_6.1.7600.16385_de-de_47fcc022dc7f8167\WMIADAP.exe	MsWebfont.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\smss.exe	MsWebfont.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\69ddcba757bf72	MsWebfont.exe
File created	C:\Windows\TAPI\WMIADAP.exe	MsWebfont.exe
File created	C:\Windows\TAPI\75a57c1bdf437c	MsWebfont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe5216ca61384f1d0eaa9b873e0b756f0b.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5216ca61384f1d0eaa9b873e0b756f0b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2888	schtasks.exe
2816	schtasks.exe
2680	schtasks.exe
1964	schtasks.exe
2508	schtasks.exe
2140	schtasks.exe
448	schtasks.exe
1292	schtasks.exe
1864	schtasks.exe
2428	schtasks.exe
2612	schtasks.exe
2324	schtasks.exe
1028	schtasks.exe
2472	schtasks.exe
2848	schtasks.exe
2844	schtasks.exe
2644	schtasks.exe
1868	schtasks.exe
1516	schtasks.exe
1664	schtasks.exe
1912	schtasks.exe
496	schtasks.exe
2664	schtasks.exe
2668	schtasks.exe
2304	schtasks.exe
2028	schtasks.exe
2004	schtasks.exe
2836	schtasks.exe
1880	schtasks.exe
2804	schtasks.exe
1684	schtasks.exe
2036	schtasks.exe
2188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MsWebfont.exelsm.exe

pid process

2100 MsWebfont.exe
2100 MsWebfont.exe
2100 MsWebfont.exe
1612 lsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MsWebfont.exelsm.exe

description pid process

Token: SeDebugPrivilege 2100 MsWebfont.exe
Token: SeDebugPrivilege 1612 lsm.exe

pid	process
2100	MsWebfont.exe
2100	MsWebfont.exe
2100	MsWebfont.exe
1612	lsm.exe

description	pid	process
Token: SeDebugPrivilege	2100	MsWebfont.exe
Token: SeDebugPrivilege	1612	lsm.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

5216ca61384f1d0eaa9b873e0b756f0b.exeWScript.execmd.exeMsWebfont.execmd.exe

description	pid	process	target process
PID 2512 wrote to memory of 1124	2512	5216ca61384f1d0eaa9b873e0b756f0b.exe	WScript.exe
PID 2512 wrote to memory of 1124	2512	5216ca61384f1d0eaa9b873e0b756f0b.exe	WScript.exe
PID 2512 wrote to memory of 1124	2512	5216ca61384f1d0eaa9b873e0b756f0b.exe	WScript.exe
PID 2512 wrote to memory of 1124	2512	5216ca61384f1d0eaa9b873e0b756f0b.exe	WScript.exe
PID 1124 wrote to memory of 1700	1124	WScript.exe	cmd.exe
PID 1124 wrote to memory of 1700	1124	WScript.exe	cmd.exe
PID 1124 wrote to memory of 1700	1124	WScript.exe	cmd.exe
PID 1124 wrote to memory of 1700	1124	WScript.exe	cmd.exe
PID 1700 wrote to memory of 2100	1700	cmd.exe	MsWebfont.exe
PID 1700 wrote to memory of 2100	1700	cmd.exe	MsWebfont.exe
PID 1700 wrote to memory of 2100	1700	cmd.exe	MsWebfont.exe
PID 1700 wrote to memory of 2100	1700	cmd.exe	MsWebfont.exe
PID 2100 wrote to memory of 2024	2100	MsWebfont.exe	cmd.exe
PID 2100 wrote to memory of 2024	2100	MsWebfont.exe	cmd.exe
PID 2100 wrote to memory of 2024	2100	MsWebfont.exe	cmd.exe
PID 2024 wrote to memory of 2364	2024	cmd.exe	w32tm.exe
PID 2024 wrote to memory of 2364	2024	cmd.exe	w32tm.exe
PID 2024 wrote to memory of 2364	2024	cmd.exe	w32tm.exe
PID 2024 wrote to memory of 1612	2024	cmd.exe	lsm.exe
PID 2024 wrote to memory of 1612	2024	cmd.exe	lsm.exe
PID 2024 wrote to memory of 1612	2024	cmd.exe	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5216ca61384f1d0eaa9b873e0b756f0b.exe
"C:\Users\Admin\AppData\Local\Temp\5216ca61384f1d0eaa9b873e0b756f0b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Msdhcp\kYflM234aT9Hkuk3JQCzywjVnA9.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Msdhcp\tQvStNv.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Msdhcp\MsWebfont.exe
      "C:\Msdhcp\MsWebfont.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ADdO9VEAN2.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2364
      - C:\Windows\DigitalLocker\lsm.exe
        
        "C:\Windows\DigitalLocker\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Msdhcp\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Msdhcp\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Msdhcp\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Msdhcp\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Msdhcp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Msdhcp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\TAPI\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Msdhcp\kYflM234aT9Hkuk3JQCzywjVnA9.vbe

Filesize
190B

MD5
4879ca936544d01129cb0dec0b708d3d

SHA1
53122a833a136039a3c3ace69fff24fb10e6e6c5

SHA256
3db689b9b2dbb3730a26f8b7a4d9e9724aac2c24810015e41c1b5ba73681a724

SHA512
8097473a86ed3d72fe70ae1fe269f217632a36d27f074ba4317fd98d529cd390ee6c890e560a8728e386158b8ea83d3f6c1d9a739dbe282e7e0bac1052b7e47c

Download Submit
C:\Msdhcp\tQvStNv.bat

Filesize
25B

MD5
1b3f947bdc497eb9f7fa4d4f975e3354

SHA1
c3114bc2b359b592dda481bf881c64b45d15c641

SHA256
2e71a1366a0e31635d8c67f168aeefe58eaed85aaf91762c52d2da837232f4d3

SHA512
8552c68c08ce5f70c8d8b8e360dfdf607142684fa046d1c434207d07cbf5a6262ff5d8b505ce8413d76da7e5954db4fd7d9f15bea7fe367ad2d0a731a2983ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADdO9VEAN2.bat

Filesize
197B

MD5
1a1d718e675124386a444a7bf040c60f

SHA1
fb3fd7434f33b2b180551d53f748a4cc33591037

SHA256
0f38ab94e1872fb9ef31e2bc9ad61bf16295f22478d06ccaeefaa5f87b260ea5

SHA512
02f2025d8efed0f4cf730da9254fb46709c77d4f307ee2f52087b68a3221815fc00cfb60b160f67b47a407f8f76541c06816fac6984315f56926a7d97d7e59f6

Download Submit
\Msdhcp\MsWebfont.exe

Filesize
827KB

MD5
ec7c50f1bebb1402b88fa756af1b3f4c

SHA1
82e1c02d54d7212efe8c6cdb40b811a134900bf0

SHA256
9d96e194f9c8eaae557943041df2f29f88a4557b4f2e79b2d89a149ad8e93ab1

SHA512
97bb7773be2d5471ba49914f2ab698e4c0142a001cd5fface4fca189cea22cb77c856bd314d97b574216e756219a72c541efa7084ffdbb924a2b578c3aa1bf02

Download Submit
memory/1612-43-0x00000000008E0000-0x00000000009B6000-memory.dmp

Filesize
856KB

Download
memory/2100-13-0x0000000000260000-0x0000000000336000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads