Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-11-2024 16:54

General

  • Target

    078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe

  • Size

    3.6MB

  • MD5

    646a50d060ae1b649f0ca735aabf5744

  • SHA1

    a666932e153ef1d2c2463009e0df4de9bdf73322

  • SHA256

    078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd

  • SHA512

    0872641f90557c8ab8dd015b9486061b85a48ab7db06a74f6787ab87685f2bb6358eda822ba16757a7b6fc8fe1744a831ea76f47d6130225596a285bf9dd1f4c

  • SSDEEP

    98304:EbRxeIaNRcgnk9MO32RzRpAH267w3adH2fte4I/Bu:E+IoREF32B67wuH2I5/M

Malware Config

Signatures

  • DcRat 46 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 15 IoCs
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 24 IoCs
  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 30 IoCs
  • Checks whether UAC is enabled 1 TTPs 16 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe
    "C:\Users\Admin\AppData\Local\Temp\078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe"
    1⤵
    • DcRat
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fontMonitor\GFcBidplGj1mDhuTvzK8nh.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\fontMonitor\B6f2SnQ47.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\fontMonitor\chainagent.exe
          "C:\fontMonitor\chainagent.exe"
          4⤵
          • Modifies WinLogon for persistence
          • UAC bypass
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2864
          • C:\fontMonitor\chainagent.exe
            "C:\fontMonitor\chainagent.exe"
            5⤵
            • Modifies WinLogon for persistence
            • UAC bypass
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1444
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUrHysCUSm.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1992
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                PID:2084
                • C:\fontMonitor\chainagent.exe
                  "C:\fontMonitor\chainagent.exe"
                  7⤵
                  • Modifies WinLogon for persistence
                  • UAC bypass
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Checks whether UAC is enabled
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:948
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ud3mmyLrwN.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2736
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                    PID:3068
                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
                        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe"
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:2064
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6777d3d4-48fe-4742-a080-7e0d152a3223.vbs"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1960
                          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
                            C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
                            11⤵
                            • UAC bypass
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            • System policy modification
                            PID:1464
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8aa07ea-672e-4961-b5ca-4aba837aa92c.vbs"
                              12⤵
                          PID:1780
                                • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
                                  C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
                                  13⤵
                                  • UAC bypass
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  • System policy modification
                                  PID:2288
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a4d56ef-62fc-466c-880b-a836589659d0.vbs"
                                    14⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:1652
                                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
                                      C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
                                      15⤵
                                      • UAC bypass
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      • System policy modification
                                      PID:2256
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eeb2f16-ef38-4659-b8dd-730747ef3b91.vbs"
                                        16⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:2736
                                        • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
                                          C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
                                          17⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          • System policy modification
                                          PID:308
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eee00b5c-5a15-4655-acfd-3075ffc51171.vbs"
                                            18⤵
                                      PID:2672
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbe679f2-6c3f-43c8-9772-fb5c538633b2.vbs"
                                              18⤵
                                        PID:3004
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c18ed6e5-2855-49db-ba54-82046e6a8aaa.vbs"
                                            16⤵
                                  PID:2292
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53beed78-3c88-41bd-a3d2-53731f85e888.vbs"
                                          14⤵
                              PID:1152
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7ecd642-19a3-470f-98c7-13e660dccc3c.vbs"
                                        12⤵
                          PID:2948
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\fontMonitor\dllhost.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1144
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\fontMonitor\dllhost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2092
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\fontMonitor\dllhost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2692
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:940
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2496
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2188
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2304
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2252
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2112
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2228
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:396
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2288
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2424
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1076
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1592
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1088
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1464
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1924
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:928
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1756
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1092
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2664
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1104
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1636
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1156
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2828
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1120
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1608
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2472
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2236
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\dwm.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2960
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dwm.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2324
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\bin\dwm.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2900
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1476
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2792
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1376
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "chainagentc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\chainagent.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2868
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "chainagent" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\chainagent.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2404
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "chainagentc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\chainagent.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2928
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2796
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:868
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:592
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\93309b55a9caa04c2f4fe06c13438631\csrss.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2024
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\93309b55a9caa04c2f4fe06c13438631\csrss.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2360
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\93309b55a9caa04c2f4fe06c13438631\csrss.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2368

Network

MITRE ATT&CK Enterprise v15

                  Downloads

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                    Filesize: 342B
                    MD5: f0eaa93791a996d3044cb360968c25dc
                    SHA1: c3917c5d40ccaf6b84de67f58c0dd102bb1b6316
                    SHA256: aac3d02ced03c59ef1d4251e10adb2f662a4a61401e92fd8491c177d56141e5c
                    SHA512: 1bb53b4e9c1344444c07b6a8094851b0b82407bd25c7e3e7934fd89e000b3cfe5c1bedf3eb4c11c8d7e990cdca65cdc9c10a59819593203eea933cd79f7a1202

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                    Filesize: 342B
                    MD5: 0c597227a970d13bd1bb21da1fe9c4e2
                    SHA1: 1511af24cf00e3eaa4410457de55dd2b0eaaee5f
                    SHA256: 72acc2492e329b1ef8a8560a1dddc9c777496e8959ec0860262a330a7dfd89ca
                    SHA512: 16f2116ba6177fed968ebe6d504cb02bbf73c26a7ccb2c34b1b5c633834c37e440b148f78e26aa1fb5fc88b38b92019a6742ddbffd2ae635e99b00f102107690

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                    Filesize: 342B
                    MD5: bf2ebce3c999eb14d9e9d589305f69e3
                    SHA1: 2af7e8e2de105ba651d6f96cf2de4546670cb5f4
                    SHA256: 395a1730b4c8b84673799154aec420c19009bc6711b42bee5f484eb41078a183
                    SHA512: 9649d6fc9259c2b2b9a11be0a6e9cd0500b3b4085934108f53b0f73395cfc01050ada1c6bc679c0992395a9edb5af64b97abac02672f383fe2cb2c5f45e742ce

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                    Filesize: 342B
                    MD5: 5238fae1b1608a637cf1a1be6804e312
                    SHA1: 0dc72122c1c9b3d3b0c244bbed64ad5cec30fb89
                    SHA256: d12980e2dcd498da412d7e57c3d0b5043f39d06d12712b827b44bfe8db785f31
                    SHA512: a1f38e3074f6e5d6c069a81d733f868e323004a2cf5e8a6f95c6fdb2ce0e9a1c1e69eb567287688c73fe7affb2dcf3426f9fe09a82d97b637944d862b4b89ec8

                  • C:\Users\Admin\AppData\Local\Temp\4eeb2f16-ef38-4659-b8dd-730747ef3b91.vbs
                    Filesize: 736B
                    MD5: 1742fd38762d119e1209d4514ef49955
                    SHA1: cb2a20ae7144487e039050c9451f3d42d5a6960d
                    SHA256: 18c9e199251289e5db7de9721407e6e0467d631a4e51cc46c5523cd4399a0a0f
                    SHA512: fabdc7f19b1bcb2431b740ad7711df92024e4b4bbe6a04865afe970992e7802284f1e315a1e5c5cccc00438086df2b94c5ae1df7a55874120f78bfa637c14463

                  • C:\Users\Admin\AppData\Local\Temp\5a4d56ef-62fc-466c-880b-a836589659d0.vbs
                    Filesize: 736B
                    MD5: c4bef77c16043f2a36669c9c2e6f9190
                    SHA1: 69131e6ba0258f545eed8d2406dd272e6b309314
                    SHA256: 0f0e8d40d87c2e3750acbae3f711d73dfa42dee13b0240f74eee64e743fdaf10
                    SHA512: a9deb348bab62deb6852c7832d8bdc3e86ded645d95b4a8df556e40e00bac5c013b95ae2565dfa41ec1d07165b648fe8c5c44f90f3fc1a111fb2187517d4037a

                  • C:\Users\Admin\AppData\Local\Temp\6777d3d4-48fe-4742-a080-7e0d152a3223.vbs
                    Filesize: 736B
                    MD5: da148ef07f5e1d35ba7cf63ceca50102
                    SHA1: 203e3a7ed4cb71fd255d349cf27b7860b7c4419d
                    SHA256: 7443707c21be5d4d660677547bd65f831b9efe6584e18ccac6d4a7c80d706186
                    SHA512: 20ebe9fce8621269b7a81a1e26f16b75412ef5218d9f1e9880cb6a5f874f26ae230cf104801fc84387a58f4ebf1730c69d740b3941706c3e7fa597ac71965124

                  • C:\Users\Admin\AppData\Local\Temp\Cab7783.tmp
                    Filesize: 70KB
                    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
                    SHA1: 1723be06719828dda65ad804298d0431f6aff976
                    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
                    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                  • C:\Users\Admin\AppData\Local\Temp\Tar77A5.tmp
                    Filesize: 181KB
                    MD5: 4ea6026cf93ec6338144661bf1202cd1
                    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
                    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
                    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                  • C:\Users\Admin\AppData\Local\Temp\Ud3mmyLrwN.bat
                    Filesize: 225B
                    MD5: c0941cd49b8891cf270687cc97f7eae6
                    SHA1: a40b9f4499a131a27615699458387e6ef9250972
                    SHA256: 11fe6e26985b4e00915251e6bce378ea72b66bd59a740b6f20edb66151968496
                    SHA512: 8d70cabdfc1f3828665b47d3aba6a9d04b0822313bf66df96f63bebe47cdc86b7a61db84e211eb15a74c22d289edb0d1927c2439d6129cdf9985791f8f967694

                  • C:\Users\Admin\AppData\Local\Temp\YUrHysCUSm.bat
                    Filesize: 194B
                    MD5: 22e19736ed9bdcea0beac8dfda793330
                    SHA1: c7f929d7d08e9b05a500ef47dbf055feec1fdb7b
                    SHA256: fda599c2a08904224d3ad16e5c5c65ea4a4ebee2a64637040b1cb17b256a4d9b
                    SHA512: 09805ff88a0bea9306660a125570b799b3032601fc40f641bb229d589a00503857e78afe9d897c081aaf33c1f89dfeebe26bea6cb9ff67e2af8e6d1142a19262

                  • C:\Users\Admin\AppData\Local\Temp\d7ecd642-19a3-470f-98c7-13e660dccc3c.vbs
                    Filesize: 512B
                    MD5: fc87d84fc75c277e142af256bdf1e025
                    SHA1: 765b9d0753d9db873b9585244f48253bd69d5388
                    SHA256: 964b8a3c28fd5b85efe2806c86fbcf969674c77f587cb7ed633f85727f5c1f0c
                    SHA512: 2a2e2ba7181f66e7e8dcc906f2611ab10eedf9a72143789ec866a2cf54365d19c3a8bb5c37f26d812df62f83410cfc560160906c2186870a04b62dff9751bb30

                  • C:\Users\Admin\AppData\Local\Temp\eee00b5c-5a15-4655-acfd-3075ffc51171.vbs
                    Filesize: 735B
                    MD5: 79e1fcd326916fa8df58a466900c0484
                    SHA1: 6e115ef44dd8a37c200cb3cfbc29d284cbac83ed
                    SHA256: 143a32bbabb036e113c7ffe17013bad0bd806ced80b8955f74e172477d9f3c68
                    SHA512: a0e6ef631cc0cbab447734fd0c91da3b5d8c8006f1f2d45a981e08827f8903a160c3fc73e4d0c37ab0e0127acdbc741ec7ed4c91bf868dc39ca4612d10182f97

                  • C:\fontMonitor\B6f2SnQ47.bat
                    Filesize: 31B
                    MD5: d919292d76ba6af3f0a7c88b2d07c4fa
                    SHA1: 0fa76a1456603b525f53d9e787d1a800172afdf8
                    SHA256: 52bde46534a8a1ea436617040c311631ce470e0e60875585921e2b3fbde3809c
                    SHA512: 3a39f5a6a544634841f20d26dcbc3b2f875639e38eb1f5db1d243517ed87e8df542459e3b65d3336c69293a37e8f3ac03fd4a11330163fbf9eb8bc2218e7a9b5

                  • C:\fontMonitor\GFcBidplGj1mDhuTvzK8nh.vbe
                    Filesize: 197B
                    MD5: 692908a9fe7461b9736233b4b217f221
                    SHA1: b3bb8803bba51dd7c622d2a1e4f2c8e4b1c4184d
                    SHA256: d3be77c2e695644f8dfbc8342c806f5f48c3074f5ea1000aa300b6c7061e591f
                    SHA512: f38138284e905c6c877dd67de0858ce6d80403c712249b6e353c51389aa86c67ca29ba4f455d4ab4f1b5f5c6e3c8e1fccbdf01b8d0766aa93b35fb8da5230788

                  • \fontMonitor\chainagent.exe
                    Filesize: 3.3MB
                    MD5: e74be6bbac3ea0713506397d5d6ef541
                    SHA1: dc4c91d512cb544c5c458e1aecc6bd8a7fab61f9
                    SHA256: 58440f3b4db0b30ffa0001857bd2cf329d470c518895ac668ab2eb25a10499f7
                    SHA512: 09f31ce980869b6e2d53ee391a62150fdec456ceafa22879f4268094eec03614e77def0dc1adea064e59982838286020e6af45e78c7db3c4cdc1da965c1cd185

                  • memory/308-532-0x00000000002B0000-0x000000000060C000-memory.dmp
                    Filesize: 3.4MB

                  • memory/948-66-0x0000000002460000-0x0000000002472000-memory.dmp
                    Filesize: 72KB

                  • memory/948-65-0x0000000000A40000-0x0000000000D9C000-memory.dmp
                    Filesize: 3.4MB

                  • memory/1444-52-0x000000001AED0000-0x000000001AEE2000-memory.dmp
                    Filesize: 72KB

                  • memory/1464-206-0x0000000000EE0000-0x000000000123C000-memory.dmp
                    Filesize: 3.4MB

                  • memory/2064-94-0x00000000000F0000-0x000000000044C000-memory.dmp
                    Filesize: 3.4MB

                  • memory/2256-413-0x00000000001B0000-0x000000000050C000-memory.dmp
                    Filesize: 3.4MB

                  • memory/2288-294-0x0000000001090000-0x00000000013EC000-memory.dmp
                    Filesize: 3.4MB

                  • memory/2864-25-0x00000000006E0000-0x00000000006F0000-memory.dmp
                    Filesize: 64KB

                  • memory/2864-30-0x00000000023F0000-0x00000000023FC000-memory.dmp
                    Filesize: 48KB

                  • memory/2864-36-0x000000001AA40000-0x000000001AA4C000-memory.dmp
                    Filesize: 48KB

                  • memory/2864-37-0x000000001AAE0000-0x000000001AAE8000-memory.dmp
                    Filesize: 32KB

                  • memory/2864-38-0x000000001AA50000-0x000000001AA5C000-memory.dmp
                    Filesize: 48KB

                  • memory/2864-39-0x000000001ABF0000-0x000000001ABFA000-memory.dmp
                    Filesize: 40KB

                  • memory/2864-40-0x000000001AC00000-0x000000001AC0E000-memory.dmp
                    Filesize: 56KB

                  • memory/2864-41-0x000000001AC10000-0x000000001AC18000-memory.dmp
                    Filesize: 32KB

                  • memory/2864-42-0x000000001AC20000-0x000000001AC2E000-memory.dmp
                    Filesize: 56KB

                  • memory/2864-43-0x000000001AC30000-0x000000001AC3C000-memory.dmp
                    Filesize: 48KB

                  • memory/2864-44-0x000000001AC40000-0x000000001AC48000-memory.dmp
                    Filesize: 32KB

                  • memory/2864-45-0x000000001B100000-0x000000001B10A000-memory.dmp
                    Filesize: 40KB

                  • memory/2864-46-0x000000001B110000-0x000000001B11C000-memory.dmp
                    Filesize: 48KB

                  • memory/2864-34-0x00000000025A0000-0x00000000025A8000-memory.dmp
                    Filesize: 32KB

                  • memory/2864-33-0x0000000002590000-0x000000000259C000-memory.dmp
                    Filesize: 48KB

                  • memory/2864-32-0x0000000002410000-0x0000000002422000-memory.dmp
                    Filesize: 72KB

                  • memory/2864-31-0x0000000002400000-0x0000000002408000-memory.dmp
                    Filesize: 32KB

                  • memory/2864-35-0x000000001AA30000-0x000000001AA3C000-memory.dmp
                    Filesize: 48KB

                  • memory/2864-29-0x0000000000BA0000-0x0000000000BA8000-memory.dmp
                    Filesize: 32KB

                  • memory/2864-28-0x0000000000B90000-0x0000000000B9C000-memory.dmp
                    Filesize: 48KB

                  • memory/2864-27-0x0000000002520000-0x0000000002576000-memory.dmp
                    Filesize: 344KB

                  • memory/2864-26-0x0000000000A00000-0x0000000000A0A000-memory.dmp
                    Filesize: 40KB

                  • memory/2864-24-0x00000000006C0000-0x00000000006C8000-memory.dmp
                    Filesize: 32KB

                  • memory/2864-23-0x00000000006F0000-0x00000000006FC000-memory.dmp
                    Filesize: 48KB

                  • memory/2864-22-0x00000000006D0000-0x00000000006E2000-memory.dmp
                    Filesize: 72KB

                  • memory/2864-21-0x00000000006B0000-0x00000000006B8000-memory.dmp
                    Filesize: 32KB

                  • memory/2864-20-0x0000000000680000-0x0000000000696000-memory.dmp
                    Filesize: 88KB

                  • memory/2864-19-0x0000000000670000-0x0000000000680000-memory.dmp
                    Filesize: 64KB

                  • memory/2864-18-0x0000000000660000-0x0000000000668000-memory.dmp
                    Filesize: 32KB

                  • memory/2864-17-0x0000000000640000-0x000000000065C000-memory.dmp
                    Filesize: 112KB

                  • memory/2864-16-0x0000000000630000-0x0000000000638000-memory.dmp
                    Filesize: 32KB

                  • memory/2864-15-0x0000000000620000-0x000000000062E000-memory.dmp
                    Filesize: 56KB

                  • memory/2864-14-0x0000000000610000-0x000000000061E000-memory.dmp
                    Filesize: 56KB

                  • memory/2864-13-0x00000000002A0000-0x00000000005FC000-memory.dmp
                    Filesize: 3.4MB
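
The listing above is a flattened definition list: each dropped file is a path followed by Filesize/MD5/SHA1/SHA256/SHA512 pairs, and each memory dump encodes PID, sequence number and address range in its name. Two things in it deserve a second look before the hashes go into a blocklist. The CryptnetUrlCache\MetaData file appears four times with four different hashes because it is rewritten by CryptoAPI on every certificate-revocation lookup (the Cab*.tmp/Tar*.tmp pair in Temp comes from the same root-store housekeeping), so those are sandbox noise rather than payload. And the same 0x35C000-byte region (reported as 3.4MB) is mapped in seven different PIDs, which is what a re-executed dropped image looks like. The script below is an added example, the editor's code and not part of the report or of any sandbox product: it parses a subset of the entries copied from this report (SHA512 values left out), validates hash formats, flags paths listed more than once with different content, buckets files into triage classes, and groups dump regions by size. The classification rules in classify() and the dump-name regex are assumptions made for illustration.

```python
"""Rebuild IOC records from this report's flattened 'Downloads' listing.

Added example, not part of the original report or of any sandbox's code.
The embedded entries are copied from the report (a subset, SHA512 omitted);
the triage buckets in classify() and the dump-name regex are assumptions."""
import re
from collections import defaultdict

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed input in the report's own layout: a path line, then alternating
# label / value lines. The values themselves are the report's.
REPORT_TEXT = "\n".join([
    r"• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015",
    "Filesize", "342B", "MD5", "f0eaa93791a996d3044cb360968c25dc",
    "SHA1", "c3917c5d40ccaf6b84de67f58c0dd102bb1b6316",
    "SHA256", "aac3d02ced03c59ef1d4251e10adb2f662a4a61401e92fd8491c177d56141e5c",
    r"• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015",
    "Filesize", "342B", "MD5", "0c597227a970d13bd1bb21da1fe9c4e2",
    "SHA1", "1511af24cf00e3eaa4410457de55dd2b0eaaee5f",
    "SHA256", "72acc2492e329b1ef8a8560a1dddc9c777496e8959ec0860262a330a7dfd89ca",
    r"• \fontMonitor\chainagent.exe",
    "Filesize", "3.3MB", "MD5", "e74be6bbac3ea0713506397d5d6ef541",
    "SHA1", "dc4c91d512cb544c5c458e1aecc6bd8a7fab61f9",
    "SHA256", "58440f3b4db0b30ffa0001857bd2cf329d470c518895ac668ab2eb25a10499f7",
    "• memory/308-532-0x00000000002B0000-0x000000000060C000-memory.dmp", "Filesize", "3.4MB",
    "• memory/948-65-0x0000000000A40000-0x0000000000D9C000-memory.dmp", "Filesize", "3.4MB",
    "• memory/948-66-0x0000000002460000-0x0000000002472000-memory.dmp", "Filesize", "72KB",
    "• memory/1464-206-0x0000000000EE0000-0x000000000123C000-memory.dmp", "Filesize", "3.4MB",
    "• memory/2064-94-0x00000000000F0000-0x000000000044C000-memory.dmp", "Filesize", "3.4MB",
    "• memory/2256-413-0x00000000001B0000-0x000000000050C000-memory.dmp", "Filesize", "3.4MB",
    "• memory/2288-294-0x0000000001090000-0x00000000013EC000-memory.dmp", "Filesize", "3.4MB",
    "• memory/2864-13-0x00000000002A0000-0x00000000005FC000-memory.dmp", "Filesize", "3.4MB",
])

def parse_entries(text):
    """One dict per '•' entry; a label line names the key for the value line after it."""
    records, current, pending = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("• "):
            current = {"path": line[2:]}
            records.append(current)
            pending = None
        elif line in LABELS:
            pending = line
        elif line and current is not None and pending is not None:
            current[pending] = line
            pending = None
    return records

def hash_problems(rec):
    """Hashes whose length or alphabet is wrong for the algorithm (copy/paste damage)."""
    return [f"{rec['path']}: bad {algo}" for algo, n in HASH_LEN.items()
            if algo in rec and not re.fullmatch(r"[0-9a-f]{%d}" % n, rec[algo])]

def classify(path):
    """Assumed triage buckets. CryptnetUrlCache\\MetaData and Temp\\Cab*/Tar*.tmp are
    written by CryptoAPI/WinINet during certificate-revocation and root-store lookups
    that a .NET binary triggers on start: sandbox noise, not payload."""
    low = path.lower()
    if "\\cryptneturlcache\\" in low or re.search(r"\\(cab|tar)[0-9a-f]{4}\.tmp$", low):
        return "windows-crypto-cache"
    if low.endswith((".vbs", ".vbe", ".bat")):
        return "script-stager"
    return "dropped-executable" if low.endswith(".exe") else "other"

def rewritten_paths(records):
    """Paths listed more than once with different SHA256: overwritten during the run."""
    seen = defaultdict(set)
    for rec in records:
        if "SHA256" in rec:
            seen[rec["path"]].add(rec["SHA256"])
    return {p: len(h) for p, h in seen.items() if len(h) > 1}

def region_size(path):
    """(pid, bytes) from a memory/<pid>-<n>-<start>-<end>-memory.dmp name, else None."""
    m = MEM_RE.match(path)
    return (int(m.group(1)), int(m.group(3), 16) - int(m.group(2), 16)) if m else None

def pids_by_region_size(records):
    """Group PIDs by mapped-region size: one image executed in several processes
    shows up as the same size under many PIDs."""
    groups = defaultdict(set)
    for rec in records:
        hit = region_size(rec["path"])
        if hit:
            groups[hit[1]].add(hit[0])
    return {size: sorted(pids) for size, pids in groups.items()}

def human_size(n):
    """Reproduce the report's size labels so computed sizes can be cross-checked."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB" if n >= 1024 else f"{n}B"

if __name__ == "__main__":
    recs = parse_entries(REPORT_TEXT)
    print(rewritten_paths(recs), {human_size(s): p for s, p in pids_by_region_size(recs).items()})
```

Running it on the embedded subset reports the CryptnetUrlCache path as rewritten twice and the 0x35C000-byte region under PIDs 308, 948, 1464, 2064, 2256, 2288 and 2864; the 0x12000 (72KB) region appears only under 948. For a real blocklist, keep the script-stager and dropped-executable hashes (chainagent.exe, the fontMonitor scripts, the Temp .vbs/.bat files) and drop the windows-crypto-cache bucket, whose hashes differ on every run.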