dcrat | 7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9040D1F68050A9B2533AC7E8B59C2AA0.exe
Size

3.4MB
MD5

9040d1f68050a9b2533ac7e8b59c2aa0
SHA1

1b38a5284d4510423c0c4ac77066fc6eb41b9286
SHA256

7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67
SHA512

e2121c2d4156af7968d3e608affc33519933a9e8c3ae6b2ad49af059e3b6cca12b1e3f36bc0283df2ae9645c199192d45f6b1e8053af6adf08724d11791a1f39
SSDEEP

49152:s3GMesEktOcTPuKyI1qd5i6JTnl9gs6ToWbepfutWiNFg20+5J3pS8Dzy:nuEktPuu1qbhwDoWHgt+5JZS8fy

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2660	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2660	schtasks.exe	30

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3048-1-0x0000000000AE0000-0x0000000000E4A000-memory.dmp	dcrat
behavioral1/files/0x0007000000019506-46.dat	dcrat
behavioral1/memory/2904-62-0x00000000012A0000-0x000000000160A000-memory.dmp	dcrat
behavioral1/memory/2104-74-0x00000000013B0000-0x000000000171A000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
2904	Idle.exe
2104	Idle.exe
2312	Idle.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9040D1F68050A9B2533AC7E8B59C2AA0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com
10	pastebin.com
14	pastebin.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\bin\plugin2\taskhost.exe	9040D1F68050A9B2533AC7E8B59C2AA0.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\b75386f1303e64	9040D1F68050A9B2533AC7E8B59C2AA0.exe
File created	C:\Program Files (x86)\Windows Portable Devices\explorer.exe	9040D1F68050A9B2533AC7E8B59C2AA0.exe
File created	C:\Program Files (x86)\Windows Portable Devices\7a0fd90576e088	9040D1F68050A9B2533AC7E8B59C2AA0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\taskhost.exe	9040D1F68050A9B2533AC7E8B59C2AA0.exe
File created	C:\Windows\Migration\WTR\b75386f1303e64	9040D1F68050A9B2533AC7E8B59C2AA0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2656	schtasks.exe
2560	schtasks.exe
2584	schtasks.exe
2000	schtasks.exe
1936	schtasks.exe
2744	schtasks.exe
2716	schtasks.exe
1876	schtasks.exe
1944	schtasks.exe
2648	schtasks.exe
2132	schtasks.exe
688	schtasks.exe
2552	schtasks.exe
860	schtasks.exe
1964	schtasks.exe
1704	schtasks.exe
1684	schtasks.exe
2312	schtasks.exe
1624	schtasks.exe
2852	schtasks.exe
2708	schtasks.exe
2736	schtasks.exe
1720	schtasks.exe
1892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	9040D1F68050A9B2533AC7E8B59C2AA0.exe
3048	9040D1F68050A9B2533AC7E8B59C2AA0.exe
3048	9040D1F68050A9B2533AC7E8B59C2AA0.exe
3048	9040D1F68050A9B2533AC7E8B59C2AA0.exe
3048	9040D1F68050A9B2533AC7E8B59C2AA0.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe
2904	Idle.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Token: SeDebugPrivilege	2904	Idle.exe
Token: SeDebugPrivilege	2104	Idle.exe
Token: SeDebugPrivilege	2312	Idle.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2880	3048	9040D1F68050A9B2533AC7E8B59C2AA0.exe	55
PID 3048 wrote to memory of 2880	3048	9040D1F68050A9B2533AC7E8B59C2AA0.exe	55
PID 3048 wrote to memory of 2880	3048	9040D1F68050A9B2533AC7E8B59C2AA0.exe	55
PID 2880 wrote to memory of 2516	2880	cmd.exe	57
PID 2880 wrote to memory of 2516	2880	cmd.exe	57
PID 2880 wrote to memory of 2516	2880	cmd.exe	57
PID 2880 wrote to memory of 2904	2880	cmd.exe	59
PID 2880 wrote to memory of 2904	2880	cmd.exe	59
PID 2880 wrote to memory of 2904	2880	cmd.exe	59
PID 2904 wrote to memory of 2144	2904	Idle.exe	60
PID 2904 wrote to memory of 2144	2904	Idle.exe	60
PID 2904 wrote to memory of 2144	2904	Idle.exe	60
PID 2904 wrote to memory of 1464	2904	Idle.exe	61
PID 2904 wrote to memory of 1464	2904	Idle.exe	61
PID 2904 wrote to memory of 1464	2904	Idle.exe	61
PID 2144 wrote to memory of 2104	2144	WScript.exe	62
PID 2144 wrote to memory of 2104	2144	WScript.exe	62
PID 2144 wrote to memory of 2104	2144	WScript.exe	62
PID 2104 wrote to memory of 1440	2104	Idle.exe	63
PID 2104 wrote to memory of 1440	2104	Idle.exe	63
PID 2104 wrote to memory of 1440	2104	Idle.exe	63
PID 2104 wrote to memory of 2004	2104	Idle.exe	64
PID 2104 wrote to memory of 2004	2104	Idle.exe	64
PID 2104 wrote to memory of 2004	2104	Idle.exe	64
PID 1440 wrote to memory of 2312	1440	WScript.exe	65
PID 1440 wrote to memory of 2312	1440	WScript.exe	65
PID 1440 wrote to memory of 2312	1440	WScript.exe	65
PID 2312 wrote to memory of 2880	2312	Idle.exe	66
PID 2312 wrote to memory of 2880	2312	Idle.exe	66
PID 2312 wrote to memory of 2880	2312	Idle.exe	66
PID 2312 wrote to memory of 328	2312	Idle.exe	67
PID 2312 wrote to memory of 328	2312	Idle.exe	67
PID 2312 wrote to memory of 328	2312	Idle.exe	67

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9040D1F68050A9B2533AC7E8B59C2AA0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9040D1F68050A9B2533AC7E8B59C2AA0.exe
"C:\Users\Admin\AppData\Local\Temp\9040D1F68050A9B2533AC7E8B59C2AA0.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lohe5CmuHk.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2516
- - C:\Users\Admin\SendTo\Idle.exe
    "C:\Users\Admin\SendTo\Idle.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2904
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35fe63bf-df48-4cfa-8584-d42e245e1def.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Users\Admin\SendTo\Idle.exe
        
        C:\Users\Admin\SendTo\Idle.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2104
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fbe2434-1bc7-4243-8b19-f5a10d908d51.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Users\Admin\SendTo\Idle.exe
        
        C:\Users\Admin\SendTo\Idle.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0058c869-4c1a-4a40-a741-119ca7924be3.vbs"
        8⤵
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\551e2097-d36c-46ac-bcd2-ba1f5d2e824c.vbs"
        8⤵
        
        PID:328
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91530a30-0a76-422e-b433-7ed8fc913167.vbs"
        6⤵
        
        PID:2004
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37b36f65-f32b-481b-a1f4-3043ab2f2006.vbs"
      4⤵
      PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\plugin2\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre7\bin\plugin2\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0058c869-4c1a-4a40-a741-119ca7924be3.vbs

Filesize
706B

MD5
ed1f456a2cb947677113875be08fcc99

SHA1
b6590f0056e72d6bb3a0c9f29ab56dc5162523b3

SHA256
f767ee330d7b35b5ed2df76e2be934cc1834b4d37d3f8cebc0d83d6f781b3dbb

SHA512
e4beba8975e6f68caeaee96d8305f9ef8d0201a43567a6d17f17a38ecf1580cb49338b8a7673614eaf52cf56ef635005b32280bbbda5983bc7db3d4ae01c8a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\35fe63bf-df48-4cfa-8584-d42e245e1def.vbs

Filesize
706B

MD5
a19cd5cadadda7deffd84a29f31f2e18

SHA1
f82ffaca47e00fde22f2bbf8570a11d9068b186a

SHA256
1c67bb323a783012d7dc1b2cde1596e7177fc989d80e2de3d44e3ceec2ea7875

SHA512
fcdd6565ac0cf15ab86b9e95564ee53a27a64f1820466e7ee9c7858cd16c8d94915e851afaf23fd27516500a19cdec6145e4d9fdf312c43eca682b4f24a3aa43

Download Submit
C:\Users\Admin\AppData\Local\Temp\37b36f65-f32b-481b-a1f4-3043ab2f2006.vbs

Filesize
482B

MD5
3672b5d352ad2b51062e92a3099a48a1

SHA1
508911259c2f7824e1007b2748285be22c68e1db

SHA256
210c51c669e52bc81647a1a6f2ecdb09f8662014cec23a097bd95a29d8d8cf85

SHA512
cf1a908760528b91c9e4499c4750aef1355e229eab72b55b1584c28d357a1c027e9cbff271351d87665c4e267257e7477994e1d85d6924a98353710d5f9c1568

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fbe2434-1bc7-4243-8b19-f5a10d908d51.vbs

Filesize
706B

MD5
544614b23ca441c2fb2507c12fa1eb3c

SHA1
d9a842ee26a15ba8ca45091382f8c349b18cd776

SHA256
fedc0d549fac19b75fe19340d2472c2b71e5a3739ee2af4973ff6e6da8b35c62

SHA512
50ba47573392e2c2a32633fb6853d43edd1b6ff884f40851d81531b51ea3064a92f53544637554de01fca0eac0b59d69514921fb95ef828ae1664f94c2bb2b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lohe5CmuHk.bat

Filesize
195B

MD5
3dd6a00bab6340db6924a3d02ff70273

SHA1
570268f726e362bfdd9c15924a16f06a6fb96a09

SHA256
88c5b47d2f3324ead64b3d742932cb68d66a941e1769cb9fb9b234ab624282d4

SHA512
86ace738ae4d63312cdfd347b2d01326f2d39249c447e5cabd049cee1738614782dd72fafd7c7a09123161620a733954bce119e443d7640591344917ff035032

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Idle.exe

Filesize
3.4MB

MD5
9040d1f68050a9b2533ac7e8b59c2aa0

SHA1
1b38a5284d4510423c0c4ac77066fc6eb41b9286

SHA256
7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67

SHA512
e2121c2d4156af7968d3e608affc33519933a9e8c3ae6b2ad49af059e3b6cca12b1e3f36bc0283df2ae9645c199192d45f6b1e8053af6adf08724d11791a1f39

Download Submit
memory/2104-75-0x0000000000680000-0x00000000006D6000-memory.dmp

Filesize
344KB

Download
memory/2104-74-0x00000000013B0000-0x000000000171A000-memory.dmp

Filesize
3.4MB

Download
memory/2312-87-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2904-62-0x00000000012A0000-0x000000000160A000-memory.dmp

Filesize
3.4MB

Download
memory/2904-63-0x0000000001290000-0x00000000012A2000-memory.dmp

Filesize
72KB

Download
memory/3048-28-0x000000001ACA0000-0x000000001ACAC000-memory.dmp

Filesize
48KB

Download
memory/3048-34-0x000000001B0D0000-0x000000001B0DC000-memory.dmp

Filesize
48KB

Download
memory/3048-13-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/3048-15-0x00000000022C0000-0x00000000022CA000-memory.dmp

Filesize
40KB

Download
memory/3048-12-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/3048-16-0x000000001AA60000-0x000000001AAB6000-memory.dmp

Filesize
344KB

Download
memory/3048-10-0x0000000000A90000-0x0000000000A98000-memory.dmp

Filesize
32KB

Download
memory/3048-9-0x0000000000640000-0x0000000000656000-memory.dmp

Filesize
88KB

Download
memory/3048-8-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/3048-19-0x000000001AAB0000-0x000000001AABC000-memory.dmp

Filesize
48KB

Download
memory/3048-21-0x000000001AC10000-0x000000001AC22000-memory.dmp

Filesize
72KB

Download
memory/3048-22-0x000000001AC40000-0x000000001AC4C000-memory.dmp

Filesize
48KB

Download
memory/3048-26-0x000000001AC80000-0x000000001AC8C000-memory.dmp

Filesize
48KB

Download
memory/3048-11-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/3048-32-0x000000001B0B0000-0x000000001B0BE000-memory.dmp

Filesize
56KB

Download
memory/3048-31-0x000000001ACD0000-0x000000001ACD8000-memory.dmp

Filesize
32KB

Download
memory/3048-35-0x000000001B0E0000-0x000000001B0E8000-memory.dmp

Filesize
32KB

Download
memory/3048-37-0x000000001B200000-0x000000001B20C000-memory.dmp

Filesize
48KB

Download
memory/3048-36-0x000000001B1F0000-0x000000001B1FA000-memory.dmp

Filesize
40KB

Download
memory/3048-14-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/3048-33-0x000000001B0C0000-0x000000001B0C8000-memory.dmp

Filesize
32KB

Download
memory/3048-30-0x000000001ACC0000-0x000000001ACCE000-memory.dmp

Filesize
56KB

Download
memory/3048-29-0x000000001ACB0000-0x000000001ACBA000-memory.dmp

Filesize
40KB

Download
memory/3048-27-0x000000001AC90000-0x000000001AC98000-memory.dmp

Filesize
32KB

Download
memory/3048-59-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-25-0x000000001AC70000-0x000000001AC7C000-memory.dmp

Filesize
48KB

Download
memory/3048-24-0x000000001AC60000-0x000000001AC68000-memory.dmp

Filesize
32KB

Download
memory/3048-23-0x000000001AC50000-0x000000001AC5C000-memory.dmp

Filesize
48KB

Download
memory/3048-20-0x000000001AC00000-0x000000001AC08000-memory.dmp

Filesize
32KB

Download
memory/3048-18-0x00000000025D0000-0x00000000025D8000-memory.dmp

Filesize
32KB

Download
memory/3048-6-0x0000000000620000-0x000000000063C000-memory.dmp

Filesize
112KB

Download
memory/3048-4-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/3048-3-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/3048-2-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-1-0x0000000000AE0000-0x0000000000E4A000-memory.dmp

Filesize
3.4MB

Download
memory/3048-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/3048-17-0x00000000022D0000-0x00000000022DC000-memory.dmp

Filesize
48KB

Download
memory/3048-7-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/3048-5-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download