dcrat | a2f2e7faee09ff22d394d74ca44ec2a153199d3af3936d1841f3d57c8eae721c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MsSavesSessionDll/agentreviewPerf.exe
Size

2.3MB
MD5

4e69fcf73418a08fcb8b3e7e2ecb43c4
SHA1

a3ecd09f65ca4e7821a0b7f8596edcd679573f5b
SHA256

fa78ac8f4c94923c7e53a3bf6936b46aff02f7746ee9518460c2d529ea2982d4
SHA512

a6d1a2b6363ad8a560567e6c11a48f8d1bc4cdfc36474902edf39f676440be82619aae52279121a776486d0edfe7a448f0fe9707b27ae760c1d6dd0201f6adc3
SSDEEP

49152:BwpUwcTZ0rUinysyVZl5LCCcG3RTXM34FIIPWYJxuQfUgtFneJ8BG5U:Bw1ctUyjTLC8puaX/neJ8BgU

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 54 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2116	schtasks.exe
2400	schtasks.exe
952	schtasks.exe
2244	schtasks.exe
2500	schtasks.exe
588	schtasks.exe
2972	schtasks.exe
904	schtasks.exe
808	schtasks.exe
2304	schtasks.exe
2648	schtasks.exe
1812	schtasks.exe
2360	schtasks.exe
1328	schtasks.exe
2324	schtasks.exe
2724	schtasks.exe
2824	schtasks.exe
2632	schtasks.exe
2836	schtasks.exe
2020	schtasks.exe
396	schtasks.exe
2812	schtasks.exe
2504	schtasks.exe
1340	schtasks.exe
1956	schtasks.exe
2624	schtasks.exe
1008	schtasks.exe
1908	schtasks.exe
544	schtasks.exe
3000	schtasks.exe
1644	schtasks.exe
536	schtasks.exe
288	schtasks.exe
2356	schtasks.exe
2216	schtasks.exe
2172	schtasks.exe
1720	schtasks.exe
1808	schtasks.exe
776	schtasks.exe
2620	schtasks.exe
2372	schtasks.exe
2708	schtasks.exe
2388	schtasks.exe
2004	schtasks.exe
1080	schtasks.exe
2060	schtasks.exe
1960	schtasks.exe
2640	schtasks.exe
1916	schtasks.exe
380	schtasks.exe
1524	schtasks.exe
2436	schtasks.exe
2228	schtasks.exe
2276	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

agentreviewPerf.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Mail\\csrss.exe\", \"C:\\Windows\\ja-JP\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\Fonts\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\csrss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Mail\\csrss.exe\", \"C:\\Windows\\ja-JP\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\Fonts\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\csrss.exe\", \"C:\\Users\\Admin\\Links\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\dllhost.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\dwm.exe\", \"C:\\Program Files\\Internet Explorer\\de-DE\\dllhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\OSPPSVC.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Mail\\csrss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Mail\\csrss.exe\", \"C:\\Windows\\ja-JP\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\Fonts\\explorer.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Mail\\csrss.exe\", \"C:\\Windows\\ja-JP\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\Fonts\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\csrss.exe\", \"C:\\Users\\Admin\\Links\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\dllhost.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\dwm.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Mail\\csrss.exe\", \"C:\\Windows\\ja-JP\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\Fonts\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\csrss.exe\", \"C:\\Users\\Admin\\Links\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\dllhost.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\dwm.exe\", \"C:\\Program Files\\Internet Explorer\\de-DE\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Mail\\csrss.exe\", \"C:\\Windows\\ja-JP\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\Fonts\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\csrss.exe\", \"C:\\Users\\Admin\\Links\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\dllhost.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\dwm.exe\", \"C:\\Program Files\\Internet Explorer\\de-DE\\dllhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Mail\\csrss.exe\", \"C:\\Windows\\ja-JP\\sppsvc.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Mail\\csrss.exe\", \"C:\\Windows\\ja-JP\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Mail\\csrss.exe\", \"C:\\Windows\\ja-JP\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\Fonts\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\csrss.exe\", \"C:\\Users\\Admin\\Links\\csrss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\", \"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Mail\\csrss.exe\", \"C:\\Windows\\ja-JP\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Windows\\Fonts\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\csrss.exe\", \"C:\\Users\\Admin\\Links\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\dllhost.exe\""	agentreviewPerf.exe

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2660	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral12/memory/2952-1-0x0000000000F90000-0x00000000011E2000-memory.dmp	dcrat
behavioral12/files/0x000500000001a4b3-18.dat	dcrat
behavioral12/memory/1612-53-0x0000000000E20000-0x0000000001072000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

lsass.exe

pid	Process
1612	lsass.exe

Adds Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

agentreviewPerf.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\WmiPrvSE.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\VideoLAN\\VLC\\csrss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Links\\csrss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Internet Explorer\\de-DE\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Internet Explorer\\de-DE\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Mail\\csrss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Mail\\csrss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Fonts\\explorer.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Office\\Stationery\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Uninstall Information\\csrss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Defender\\en-US\\dwm.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Defender\\en-US\\dwm.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Fonts\\explorer.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\agentreviewPerf = "\"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\OSPPSVC.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\WmiPrvSE.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\DVD Maker\\de-DE\\audiodg.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\agentreviewPerf = "\"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Web.Abstract#\\3112fe15b1994ff59b169cf7ce997e71\\agentreviewPerf.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Links\\csrss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\ja-JP\\sppsvc.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\ja-JP\\sppsvc.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\smss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsass.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\OSPPSVC.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\VideoLAN\\VLC\\csrss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Uninstall Information\\csrss.exe\""	agentreviewPerf.exe

Drops file in Program Files directory 16 IoCs

Processes:

agentreviewPerf.exe

description	ioc	Process
File created	C:\Program Files\DVD Maker\de-DE\42af1c969fbb7b	agentreviewPerf.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	agentreviewPerf.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\dllhost.exe	agentreviewPerf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\1610b97d3ab4a7	agentreviewPerf.exe
File created	C:\Program Files\Windows Mail\csrss.exe	agentreviewPerf.exe
File created	C:\Program Files\Windows Mail\886983d96e3d3e	agentreviewPerf.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\5940a34987c991	agentreviewPerf.exe
File created	C:\Program Files\Windows Defender\en-US\dwm.exe	agentreviewPerf.exe
File created	C:\Program Files\Windows Defender\en-US\6cb0b6c459d5d3	agentreviewPerf.exe
File created	C:\Program Files\Internet Explorer\de-DE\5940a34987c991	agentreviewPerf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\OSPPSVC.exe	agentreviewPerf.exe
File created	C:\Program Files\VideoLAN\VLC\csrss.exe	agentreviewPerf.exe
File created	C:\Program Files\VideoLAN\VLC\886983d96e3d3e	agentreviewPerf.exe
File created	C:\Program Files\DVD Maker\de-DE\audiodg.exe	agentreviewPerf.exe
File created	C:\Program Files\Internet Explorer\de-DE\dllhost.exe	agentreviewPerf.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	agentreviewPerf.exe

Drops file in Windows directory 6 IoCs

Processes:

agentreviewPerf.exe

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\3112fe15b1994ff59b169cf7ce997e71\agentreviewPerf.exe	agentreviewPerf.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\3112fe15b1994ff59b169cf7ce997e71\12c1d5d6343a58	agentreviewPerf.exe
File created	C:\Windows\ja-JP\sppsvc.exe	agentreviewPerf.exe
File created	C:\Windows\ja-JP\0a1fd5f707cd16	agentreviewPerf.exe
File created	C:\Windows\Fonts\explorer.exe	agentreviewPerf.exe
File created	C:\Windows\Fonts\7a0fd90576e088	agentreviewPerf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2648	schtasks.exe
1808	schtasks.exe
1080	schtasks.exe
2620	schtasks.exe
2500	schtasks.exe
2624	schtasks.exe
2632	schtasks.exe
2304	schtasks.exe
536	schtasks.exe
2504	schtasks.exe
3000	schtasks.exe
2972	schtasks.exe
2388	schtasks.exe
952	schtasks.exe
2812	schtasks.exe
2836	schtasks.exe
2060	schtasks.exe
2216	schtasks.exe
396	schtasks.exe
2436	schtasks.exe
1340	schtasks.exe
2324	schtasks.exe
2276	schtasks.exe
1720	schtasks.exe
2372	schtasks.exe
2356	schtasks.exe
380	schtasks.exe
1524	schtasks.exe
808	schtasks.exe
2116	schtasks.exe
2228	schtasks.exe
1328	schtasks.exe
2824	schtasks.exe
1812	schtasks.exe
1644	schtasks.exe
1908	schtasks.exe
2400	schtasks.exe
2708	schtasks.exe
2172	schtasks.exe
904	schtasks.exe
2020	schtasks.exe
2004	schtasks.exe
2360	schtasks.exe
2724	schtasks.exe
1960	schtasks.exe
1008	schtasks.exe
544	schtasks.exe
1916	schtasks.exe
288	schtasks.exe
588	schtasks.exe
776	schtasks.exe
2244	schtasks.exe
1956	schtasks.exe
2640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

agentreviewPerf.exelsass.exe

pid	Process
2952	agentreviewPerf.exe
2952	agentreviewPerf.exe
2952	agentreviewPerf.exe
2952	agentreviewPerf.exe
2952	agentreviewPerf.exe
2952	agentreviewPerf.exe
2952	agentreviewPerf.exe
2952	agentreviewPerf.exe
2952	agentreviewPerf.exe
1612	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

agentreviewPerf.exelsass.exe

description	pid	Process
Token: SeDebugPrivilege	2952	agentreviewPerf.exe
Token: SeDebugPrivilege	1612	lsass.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

agentreviewPerf.exe

description	pid	Process	procid_target
PID 2952 wrote to memory of 1612	2952	agentreviewPerf.exe	85
PID 2952 wrote to memory of 1612	2952	agentreviewPerf.exe	85
PID 2952 wrote to memory of 1612	2952	agentreviewPerf.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MsSavesSessionDll\agentreviewPerf.exe
"C:\Users\Admin\AppData\Local\Temp\MsSavesSessionDll\agentreviewPerf.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
  "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\de-DE\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentreviewPerfa" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\3112fe15b1994ff59b169cf7ce997e71\agentreviewPerf.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentreviewPerf" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\3112fe15b1994ff59b169cf7ce997e71\agentreviewPerf.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentreviewPerfa" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\3112fe15b1994ff59b169cf7ce997e71\agentreviewPerf.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Fonts\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Links\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\en-US\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe

Filesize
2.3MB

MD5
4e69fcf73418a08fcb8b3e7e2ecb43c4

SHA1
a3ecd09f65ca4e7821a0b7f8596edcd679573f5b

SHA256
fa78ac8f4c94923c7e53a3bf6936b46aff02f7746ee9518460c2d529ea2982d4

SHA512
a6d1a2b6363ad8a560567e6c11a48f8d1bc4cdfc36474902edf39f676440be82619aae52279121a776486d0edfe7a448f0fe9707b27ae760c1d6dd0201f6adc3

Download Submit
memory/1612-53-0x0000000000E20000-0x0000000001072000-memory.dmp

Filesize
2.3MB

Download
memory/2952-6-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/2952-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2952-4-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/2952-5-0x00000000005C0000-0x0000000000616000-memory.dmp

Filesize
344KB

Download
memory/2952-0-0x000007FEF5963000-0x000007FEF5964000-memory.dmp

Filesize
4KB

Download
memory/2952-7-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/2952-8-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2952-9-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/2952-2-0x000007FEF5960000-0x000007FEF634C000-memory.dmp

Filesize
9.9MB

Download
memory/2952-1-0x0000000000F90000-0x00000000011E2000-memory.dmp

Filesize
2.3MB

Download
memory/2952-54-0x000007FEF5960000-0x000007FEF634C000-memory.dmp

Filesize
9.9MB

Download