Overview

overview

10

Static

static

10

ab07eea7bf...29.exe

windows7-x64

10

ab07eea7bf...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    19-11-2024 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe

  • Size

    3.4MB

  • MD5

    4626a1483d82cf0be9302c305f6b54c4

  • SHA1

    7f16e6aee9e0967b26e36b11de4654cfbffe2675

  • SHA256

    ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729

  • SHA512

    6381dab004c7d96449554626bbc53d4d7d20a55d21c930a987e1e866803c34a0f6e964ec7a74fc3649f7a9fe9d490a535a59280875605ef950673d83bdd15f54

  • SSDEEP

    49152:xZXrXU/5+Zc5SVROVisjq7miG9vv2SNty1kIP2XMxARdpe:xZzU4c5SMXq7miAX2SNty1xPuMyHpe

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 52 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 17 IoCs
    persistence
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 34 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
    "C:\Users\Admin\AppData\Local\Temp\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2244
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sckFRkEX1b.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2324
        • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe
          "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2884
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91a67d36-8114-407f-bf9b-4a60056ab037.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1140
            • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe
              "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2100
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6303130a-12c1-40ae-97ca-2cc1244da3dd.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2240
                • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe
                  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2264
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80f8827e-ba5f-4d16-9c3f-3aba191f5124.vbs"
                    8⤵
                      PID:2972
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f3b7b50-6eac-4858-a7d9-bbc0e32b88a3.vbs"
                      8⤵
                        PID:2604
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed35a456-9a62-4272-96cb-8f5d2a45c93d.vbs"
                    6⤵
                      PID:2948
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c743fe75-9223-48d8-b1ee-52d08a1c75da.vbs"
                  4⤵
                    PID:2436
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2648
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2796
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1744
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\dwm.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2320
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\dwm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:568
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\dwm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2080
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Microsoft Shared\VGX\lsm.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:984
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\VGX\lsm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:588
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\VGX\lsm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2092
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3036
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3052
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2700
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2808
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2836
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2736
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Public\lsass.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2528
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1468
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:692
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1588
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2116
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2460
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1760
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2228
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2564
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2144
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2060
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1844
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1020
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2640
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2160
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\lsass.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:704
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\lsass.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:948
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\lsass.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:236
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1500
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1680
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1372
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default\My Documents\explorer.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1084
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\My Documents\explorer.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2680
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\My Documents\explorer.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1924
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\csrss.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2384
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\csrss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1060
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\csrss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1696
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1152
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1156
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2580
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\services.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2148
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3000
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2596
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:932
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2988
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:640

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Impair Defenses

            1
            T1562

            Disable or Modify Tools

            1
            T1562.001

            Modify Registry

            4
            T1112

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Package Cache\sppsvc.exe
              Filesize

              3.4MB

              MD5

              4626a1483d82cf0be9302c305f6b54c4

              SHA1

              7f16e6aee9e0967b26e36b11de4654cfbffe2675

              SHA256

              ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729

              SHA512

              6381dab004c7d96449554626bbc53d4d7d20a55d21c930a987e1e866803c34a0f6e964ec7a74fc3649f7a9fe9d490a535a59280875605ef950673d83bdd15f54

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\6303130a-12c1-40ae-97ca-2cc1244da3dd.vbs
              Filesize

              751B

              MD5

              fbeb3529caa83bb80ea81ac00d8872b8

              SHA1

              b15676ce53a57886bd920d05eaa3eafbe0ff5264

              SHA256

              2899dc67a5edb467e1e2f76d51aba2f47b5ca4fc9076cc4aa9d3a0bedc9d3486

              SHA512

              dcc054ac769a5401b982dba15574b8ef7183a18fc4ae65bff9c8f132d6f2de50c6df59f6b16f3cb667da316ff19b8250d49f1d889e84b1a578e7693d6d9aa020

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\80f8827e-ba5f-4d16-9c3f-3aba191f5124.vbs
              Filesize

              751B

              MD5

              eafc3af5ee5d6658cd5c8b149440623b

              SHA1

              c493dfdfe349944d71db92d441c45af04cbd2b2a

              SHA256

              6e0c8acd020e887008d3c0d37ce20dbb7dbb4763c762d5fb65e9c6b9b9709ef9

              SHA512

              b3388c6f2c3a34095f259168e59e866935477fcd0dcd73da654abab4627bd2094daf64affa730ee1d431c02e6c964fb87a7ad59034051abcdcc7efcd734c3fcc

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\91a67d36-8114-407f-bf9b-4a60056ab037.vbs
              Filesize

              751B

              MD5

              c2484482ec56839a0862e17f5485353e

              SHA1

              879c424301d87b11c117ac6d9386d0c4484601c5

              SHA256

              05a1cfa1837f1f1b95b0199200b2ea6ba944ef25c42f25f959e0f7679a09c88b

              SHA512

              4c3d256348008f133b6f0de614edeba186a3b6580361951b6d6061cc672e2fdb1e69850f9a1e5c2b39d750baa955b5ecbca7c99d42b55220c29bc6fa62803cb4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\c743fe75-9223-48d8-b1ee-52d08a1c75da.vbs
              Filesize

              527B

              MD5

              b5e3bdd01b0793d1e1986b300e650d49

              SHA1

              649241c1d4aa124babe1566da8496b600b7bbb06

              SHA256

              8fa0b1b304cf92a57f0777548ad0d704a6ef9eb963bf0ee0ba561dff0a67b8bf

              SHA512

              b5f6b7becd5bef030eada0b11a28bf59914a3183de8bc09c47c36a209111678cc07db8efdf3aef13b89a0ffe321695902bc6239bd36d509cb505d5069a4ec481

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\sckFRkEX1b.bat
              Filesize

              240B

              MD5

              5d6ea5809a51262fd4aab775f9cba0d8

              SHA1

              f3ee7a280bd7667f37d2a9e8bc16e0181ecbc5a2

              SHA256

              22fb907638bac1c65273ee31261a7e31d786c3081fbad365e2f78522ae1d8b3a

              SHA512

              fec8666c87836288fad9d4f1bc3461291f5ea1b4dde22c2ad392d4cdd6b12ba00ac5a6a202163191aa38cd1591cbb1a41628b52892b636195670db9765568130

              Download Submit

            • memory/2100-91-0x0000000000300000-0x000000000066A000-memory.dmp

              Filesize

              3.4MB

              Download

            • memory/2100-92-0x0000000002270000-0x00000000022C6000-memory.dmp

              Filesize

              344KB

              Download

            • memory/2244-19-0x0000000000C60000-0x0000000000C6C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2244-24-0x0000000000E50000-0x0000000000E58000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2244-5-0x0000000000360000-0x0000000000368000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2244-6-0x0000000000460000-0x000000000047C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/2244-7-0x0000000000490000-0x0000000000498000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2244-8-0x0000000000520000-0x0000000000530000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-9-0x0000000000530000-0x0000000000546000-memory.dmp

              Filesize

              88KB

              Download

            • memory/2244-10-0x0000000000550000-0x0000000000558000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2244-11-0x0000000000580000-0x0000000000592000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2244-12-0x0000000000590000-0x000000000059C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2244-13-0x0000000000560000-0x0000000000568000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2244-14-0x0000000000570000-0x0000000000580000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2244-15-0x00000000005A0000-0x00000000005AA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2244-16-0x0000000000BF0000-0x0000000000C46000-memory.dmp

              Filesize

              344KB

              Download

            • memory/2244-17-0x0000000000C40000-0x0000000000C4C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2244-18-0x0000000000C50000-0x0000000000C58000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2244-3-0x0000000000140000-0x000000000014E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2244-20-0x0000000000C70000-0x0000000000C78000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2244-21-0x0000000000D00000-0x0000000000D12000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2244-22-0x0000000000E30000-0x0000000000E3C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2244-23-0x0000000000E40000-0x0000000000E4C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2244-4-0x0000000000350000-0x000000000035E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2244-25-0x0000000000E60000-0x0000000000E6C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2244-26-0x0000000000FD0000-0x0000000000FDC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2244-27-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2244-28-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2244-29-0x0000000001000000-0x000000000100A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2244-30-0x0000000001010000-0x000000000101E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2244-31-0x0000000001020000-0x0000000001028000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2244-32-0x0000000001030000-0x000000000103E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2244-33-0x0000000001040000-0x0000000001048000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2244-34-0x0000000001150000-0x000000000115C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2244-35-0x000000001AF20000-0x000000001AF28000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2244-36-0x000000001AF30000-0x000000001AF3A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2244-2-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2244-1-0x0000000001160000-0x00000000014CA000-memory.dmp

              Filesize

              3.4MB

              Download

            • memory/2244-37-0x000000001AF40000-0x000000001AF4C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2244-76-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2244-0-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2264-105-0x0000000000610000-0x0000000000622000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2264-104-0x0000000000850000-0x0000000000BBA000-memory.dmp

              Filesize

              3.4MB

              Download

            • memory/2884-80-0x0000000000340000-0x00000000006AA000-memory.dmp

              Filesize

              3.4MB

              Download