dcrat | 2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9

Analysis

max time kernel
63s
max time network
152s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe
Size

1.9MB
MD5

8fdbd9a0a9390964373271dd09b991ba
SHA1

78a4d4c43b894a8227b25be8f61f7aa6b8315ab7
SHA256

2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9
SHA512

76a6e750adc8c888bea717bdbb74dad5fe10c1688e1e87a9cb9dfb7caf4e4c5cdd9b9f34ef5aa7577f92bf1349797b04a5edac64c772489cd316d5e71ea9291c
SSDEEP

49152:IBJeP7Q9KggbDv7jsn3JzB6lR6jA+knZY5U:yQPihgvs3JzB6lR6jA+k5

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\", \"C:\\Windows\\Downloaded Program Files\\dwm.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\", \"C:\\Windows\\Downloaded Program Files\\dwm.exe\", \"C:\\FontCommonsvc\\Idle.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\", \"C:\\Windows\\Downloaded Program Files\\dwm.exe\", \"C:\\FontCommonsvc\\Idle.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\explorer.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\", \"C:\\Windows\\Downloaded Program Files\\dwm.exe\", \"C:\\FontCommonsvc\\Idle.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\explorer.exe\", \"C:\\FontCommonsvc\\Reviewperf.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\WmiPrvSE.exe\""	Reviewperf.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2736	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2736	schtasks.exe	33

Executes dropped EXE 2 IoCs

pid	Process
2188	Reviewperf.exe
696	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	cmd.exe
2792	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\WmiPrvSE.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Downloaded Program Files\\dwm.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\FontCommonsvc\\Idle.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\FontCommonsvc\\Idle.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\explorer.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Reviewperf = "\"C:\\FontCommonsvc\\Reviewperf.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\WmiPrvSE.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Downloaded Program Files\\dwm.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\explorer.exe\""	Reviewperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Reviewperf = "\"C:\\FontCommonsvc\\Reviewperf.exe\""	Reviewperf.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\qrosn9.exe	csc.exe
File created	\??\c:\Windows\System32\CSCC59D1084D1834B388FED861B15CE3A.TMP	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\it-IT\7a0fd90576e088	Reviewperf.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe	Reviewperf.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\24dbde2999530e	Reviewperf.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe	Reviewperf.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe	Reviewperf.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\dwm.exe	Reviewperf.exe
File created	C:\Windows\Downloaded Program Files\6cb0b6c459d5d3	Reviewperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2268	schtasks.exe
2920	schtasks.exe
1288	schtasks.exe
1456	schtasks.exe
1732	schtasks.exe
2248	schtasks.exe
2132	schtasks.exe
1604	schtasks.exe
2980	schtasks.exe
2480	schtasks.exe
2028	schtasks.exe
2748	schtasks.exe
1080	schtasks.exe
980	schtasks.exe
2444	schtasks.exe
1600	schtasks.exe
2644	schtasks.exe
1000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
2188	Reviewperf.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe
696	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	Reviewperf.exe
Token: SeDebugPrivilege	696	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2296	2320	2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe	29
PID 2320 wrote to memory of 2296	2320	2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe	29
PID 2320 wrote to memory of 2296	2320	2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe	29
PID 2320 wrote to memory of 2296	2320	2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe	29
PID 2296 wrote to memory of 2792	2296	WScript.exe	30
PID 2296 wrote to memory of 2792	2296	WScript.exe	30
PID 2296 wrote to memory of 2792	2296	WScript.exe	30
PID 2296 wrote to memory of 2792	2296	WScript.exe	30
PID 2792 wrote to memory of 2188	2792	cmd.exe	32
PID 2792 wrote to memory of 2188	2792	cmd.exe	32
PID 2792 wrote to memory of 2188	2792	cmd.exe	32
PID 2792 wrote to memory of 2188	2792	cmd.exe	32
PID 2188 wrote to memory of 832	2188	Reviewperf.exe	37
PID 2188 wrote to memory of 832	2188	Reviewperf.exe	37
PID 2188 wrote to memory of 832	2188	Reviewperf.exe	37
PID 832 wrote to memory of 2532	832	csc.exe	39
PID 832 wrote to memory of 2532	832	csc.exe	39
PID 832 wrote to memory of 2532	832	csc.exe	39
PID 2188 wrote to memory of 1376	2188	Reviewperf.exe	55
PID 2188 wrote to memory of 1376	2188	Reviewperf.exe	55
PID 2188 wrote to memory of 1376	2188	Reviewperf.exe	55
PID 1376 wrote to memory of 2540	1376	cmd.exe	57
PID 1376 wrote to memory of 2540	1376	cmd.exe	57
PID 1376 wrote to memory of 2540	1376	cmd.exe	57
PID 1376 wrote to memory of 2452	1376	cmd.exe	58
PID 1376 wrote to memory of 2452	1376	cmd.exe	58
PID 1376 wrote to memory of 2452	1376	cmd.exe	58
PID 1376 wrote to memory of 696	1376	cmd.exe	59
PID 1376 wrote to memory of 696	1376	cmd.exe	59
PID 1376 wrote to memory of 696	1376	cmd.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe
"C:\Users\Admin\AppData\Local\Temp\2308c316e3567e559662ddb17c1639ef790641693d3f570fa040d09746f5eba9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FontCommonsvc\HyAeUGe8evX8YGRPELkMfoiMVhm6j.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\FontCommonsvc\SvhwgsASCbJysKpoNvm.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\FontCommonsvc\Reviewperf.exe
      "C:\FontCommonsvc/Reviewperf.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nnofzb11\nnofzb11.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FEB.tmp" "c:\Windows\System32\CSCC59D1084D1834B388FED861B15CE3A.TMP"
        6⤵
        
        PID:2532
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MuU6JkZo7t.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1376
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2540
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2452
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\FontCommonsvc\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\FontCommonsvc\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\FontCommonsvc\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ReviewperfR" /sc MINUTE /mo 8 /tr "'C:\FontCommonsvc\Reviewperf.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Reviewperf" /sc ONLOGON /tr "'C:\FontCommonsvc\Reviewperf.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ReviewperfR" /sc MINUTE /mo 13 /tr "'C:\FontCommonsvc\Reviewperf.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FontCommonsvc\HyAeUGe8evX8YGRPELkMfoiMVhm6j.vbe

Filesize
211B

MD5
a9a1f7a6b92fba89e3834e2c873adfc4

SHA1
772ef9dc691f442e7466668d82db391cdb82b21f

SHA256
ffdb923e18a1fb4bc92a8b470a53687b1bf2d639fca4c44ee164a61b24f62665

SHA512
c43befd0cd7c3e73fd4539c117819c8634c0c0dc7e89f8fc8ba657d70455aadc1cc06cdfe3a8c4277441a7d48bc260750f3ad16aaca313c09983f6b13177e365

Download Submit
C:\FontCommonsvc\Reviewperf.exe

Filesize
1.6MB

MD5
571b27201bee78cb5f6adf331098cd85

SHA1
8dfb42a7283a61c48fdd0b8ef47e3da2a7f083c6

SHA256
401acf64eff7490635859451768f1fb1f2b4198825b210207e0d7b5b619fb052

SHA512
a3a7d3bd713b90bbda9350c71c3a08ad7e41acd943f361864a85fcd7b13165b9ccf9635a2d7fc839b2ecbd5751371edc9279f04573028f9c9b988c2cc473ccb5

Download Submit
C:\FontCommonsvc\SvhwgsASCbJysKpoNvm.bat

Filesize
92B

MD5
7322619f7c34f49e39fd2100b8daaa0f

SHA1
de93f7e7ab723964e43a45eea808f8524351cd95

SHA256
9f060c6e3fd3bf28f66875ae0c59697d6eafd5b59ed86915f2da227b9177652d

SHA512
69b47c3d08aad08308719a215014340e4e60cde09459f8ecb5cce0e6aca7a69d23f4d438609869d317173c6db274180ebc21ccdf8f8280bd8d11a22d3991d92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MuU6JkZo7t.bat

Filesize
252B

MD5
f4fb24d5b186739c3ee9d61d07e4a288

SHA1
97e114e13017afeab0826063b6e67adda961edd4

SHA256
05d308fabab3e6b0ad4d23721f49f974f95361f51cddc508aa212df902ae59fb

SHA512
8097c57b08f3349c6dc9fffa40eb815d29bb5219009720362d878f2f72f17e7db7618872d6e0d8b607e83007b9af4fbd513304e4a2337c1b6da65f5be01b111f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5FEB.tmp

Filesize
1KB

MD5
3c310c1491766a50369a93266d83acf5

SHA1
f8d34ea0d28dbb89331677bfbb3cfa96c427d3eb

SHA256
f1f6bc7e8dbaf24bf79c5ccaad3a68ed4257c9ec2e3e7949d5dc7868f72c130b

SHA512
6f988c446a3b1aa11fbea5565643f82c1a3a82005138e7fae2ec438b75fd2924d58d5cd290ca4596ac815822013b963dd3b1c3a1bed7685290d6a709e5819d65

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nnofzb11\nnofzb11.0.cs

Filesize
408B

MD5
614c18b5c5b11ed6f5286d8c531b4748

SHA1
fd902978e028e055a5f012e48a56af105faa70d4

SHA256
c77a90590ae83d33c5954e1c3bcfc733c1fa730e5813337a704772e21dd2fa29

SHA512
24f7a8f74bb509f492510af3203e4c52e590a8c4bb72b59c9c9a9bb9d1f000a54e28d727a1d09055bbae39fc82f95c935b840a82a54d552a2438389159e21444

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nnofzb11\nnofzb11.cmdline

Filesize
235B

MD5
855002a68a83e64b1d50054eb6ab8805

SHA1
0f24d452af1e47a099badf73776ed25901cc6a45

SHA256
3c2f28e05ff02428c6f76f9c2baf81a7753dc2b7963aa9230ea76bd0c3f872c9

SHA512
d88096b1926a3b36a789cbaee30e73d3c29c27aa193596ccc1987e57141c87715700d00e08c268063a0d70a5e372d3c2f347089de99e14ce76a380c7074a9b1f

Download Submit
\??\c:\Windows\System32\CSCC59D1084D1834B388FED861B15CE3A.TMP

Filesize
1KB

MD5
332eb1c3dc41d312a6495d9ea0a81166

SHA1
1d5c1b68be781b14620d9e98183506f8651f4afd

SHA256
bab20fa8251fcee3c944e76bdc082850ae4a32fd2eff761fec3bc445f58d11f2

SHA512
2c5ae1de2d4cb7f1e1540b455f7876eb1f494cda57bfb8e78a81aa01f3f453c5488b986cd170d6dc96bf684874c54257bfd0335a78764cc3fa43fe310a0cf440

Download Submit
memory/696-46-0x00000000013B0000-0x0000000001552000-memory.dmp

Filesize
1.6MB

Download
memory/2188-13-0x0000000000EE0000-0x0000000001082000-memory.dmp

Filesize
1.6MB

Download
memory/2188-15-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download