dcrat | 5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb

Analysis

max time kernel
131s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8C6166BFE177A90E76CEA637C0314647.exe
Size

1.8MB
MD5

8c6166bfe177a90e76cea637c0314647
SHA1

50cc236eddfdb6a1395475cd02756aa6a6a47ccc
SHA256

5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb
SHA512

e9e149df32570a8ee7ce8167ff19746362642b562bb11898117367bf4516626958612ecb04b7a13705306d6ef370dc4642066f0c8a39f99783060dbbdfbd91cc
SSDEEP

24576:GjlZB5j1w/GT8jQDv6fDEjvVbCOMn08Fv6vnzpzcTRHU+ZLZej32x2FQ4paPHzIc:St5jdxDy7EjvVbWXsvwZlCt6MaP

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\unsecapp.exe\", \"C:\\Program Files\\7-Zip\\Lang\\taskhostw.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\System.exe\", \"C:\\Program Files\\WindowsPowerShell\\unsecapp.exe\", \"C:\\Users\\Public\\Libraries\\sihost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\8C6166BFE177A90E76CEA637C0314647.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\unsecapp.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\unsecapp.exe\", \"C:\\Program Files\\7-Zip\\Lang\\taskhostw.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\unsecapp.exe\", \"C:\\Program Files\\7-Zip\\Lang\\taskhostw.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\System.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\unsecapp.exe\", \"C:\\Program Files\\7-Zip\\Lang\\taskhostw.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\System.exe\", \"C:\\Program Files\\WindowsPowerShell\\unsecapp.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\unsecapp.exe\", \"C:\\Program Files\\7-Zip\\Lang\\taskhostw.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\System.exe\", \"C:\\Program Files\\WindowsPowerShell\\unsecapp.exe\", \"C:\\Users\\Public\\Libraries\\sihost.exe\""	8C6166BFE177A90E76CEA637C0314647.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	3540	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	3540	schtasks.exe	82

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	8C6166BFE177A90E76CEA637C0314647.exe

Executes dropped EXE 1 IoCs

pid	Process
1600	taskhostw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\7-Zip\\Lang\\taskhostw.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Google\\Chrome\\Application\\System.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\WindowsPowerShell\\unsecapp.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\WindowsPowerShell\\unsecapp.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8C6166BFE177A90E76CEA637C0314647 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8C6166BFE177A90E76CEA637C0314647.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\7-Zip\\Lang\\taskhostw.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\unsecapp.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Google\\Chrome\\Application\\System.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Public\\Libraries\\sihost.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Public\\Libraries\\sihost.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8C6166BFE177A90E76CEA637C0314647 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8C6166BFE177A90E76CEA637C0314647.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\unsecapp.exe\""	8C6166BFE177A90E76CEA637C0314647.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC9EF36B13797445059F4C126711E9B68F.TMP	csc.exe
File created	\??\c:\Windows\System32\ljh0xx.exe	csc.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\it-IT\29c1c3cc0f7685	8C6166BFE177A90E76CEA637C0314647.exe
File created	C:\Program Files\WindowsPowerShell\unsecapp.exe	8C6166BFE177A90E76CEA637C0314647.exe
File created	C:\Program Files\WindowsPowerShell\29c1c3cc0f7685	8C6166BFE177A90E76CEA637C0314647.exe
File created	C:\Program Files\Google\Chrome\Application\System.exe	8C6166BFE177A90E76CEA637C0314647.exe
File created	C:\Program Files\Google\Chrome\Application\27d1bcfc3c54e0	8C6166BFE177A90E76CEA637C0314647.exe
File created	C:\Program Files\7-Zip\Lang\taskhostw.exe	8C6166BFE177A90E76CEA637C0314647.exe
File created	C:\Program Files\7-Zip\Lang\ea9f0e6c9e2dcd	8C6166BFE177A90E76CEA637C0314647.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\unsecapp.exe	8C6166BFE177A90E76CEA637C0314647.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	8C6166BFE177A90E76CEA637C0314647.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3408	schtasks.exe
1524	schtasks.exe
1376	schtasks.exe
4932	schtasks.exe
4372	schtasks.exe
3584	schtasks.exe
4404	schtasks.exe
3068	schtasks.exe
3736	schtasks.exe
4300	schtasks.exe
1248	schtasks.exe
3644	schtasks.exe
1972	schtasks.exe
3800	schtasks.exe
4364	schtasks.exe
2612	schtasks.exe
2088	schtasks.exe
4280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe
212	8C6166BFE177A90E76CEA637C0314647.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1600	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	8C6166BFE177A90E76CEA637C0314647.exe
Token: SeDebugPrivilege	1600	taskhostw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2472	212	8C6166BFE177A90E76CEA637C0314647.exe	86
PID 212 wrote to memory of 2472	212	8C6166BFE177A90E76CEA637C0314647.exe	86
PID 2472 wrote to memory of 2544	2472	csc.exe	88
PID 2472 wrote to memory of 2544	2472	csc.exe	88
PID 212 wrote to memory of 4984	212	8C6166BFE177A90E76CEA637C0314647.exe	104
PID 212 wrote to memory of 4984	212	8C6166BFE177A90E76CEA637C0314647.exe	104
PID 4984 wrote to memory of 4620	4984	cmd.exe	106
PID 4984 wrote to memory of 4620	4984	cmd.exe	106
PID 4984 wrote to memory of 2872	4984	cmd.exe	107
PID 4984 wrote to memory of 2872	4984	cmd.exe	107
PID 4984 wrote to memory of 1600	4984	cmd.exe	108
PID 4984 wrote to memory of 1600	4984	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8C6166BFE177A90E76CEA637C0314647.exe
"C:\Users\Admin\AppData\Local\Temp\8C6166BFE177A90E76CEA637C0314647.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b3ncdzma\b3ncdzma.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB621.tmp" "c:\Windows\System32\CSC9EF36B13797445059F4C126711E9B68F.TMP"
    3⤵
    PID:2544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZKbbXbE2GP.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4620
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2872
- - C:\Program Files\7-Zip\Lang\taskhostw.exe
    "C:\Program Files\7-Zip\Lang\taskhostw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8C6166BFE177A90E76CEA637C03146478" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\8C6166BFE177A90E76CEA637C0314647.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8C6166BFE177A90E76CEA637C0314647" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\8C6166BFE177A90E76CEA637C0314647.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8C6166BFE177A90E76CEA637C03146478" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\8C6166BFE177A90E76CEA637C0314647.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\it-IT\unsecapp.exe

Filesize
1.8MB

MD5
8c6166bfe177a90e76cea637c0314647

SHA1
50cc236eddfdb6a1395475cd02756aa6a6a47ccc

SHA256
5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb

SHA512
e9e149df32570a8ee7ce8167ff19746362642b562bb11898117367bf4516626958612ecb04b7a13705306d6ef370dc4642066f0c8a39f99783060dbbdfbd91cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB621.tmp

Filesize
1KB

MD5
671ea9ac04676d46be1be23d42847d7f

SHA1
8f821479037d1b0cd89d304cbcff1c434eb4c909

SHA256
d29b7422a5ecaf6775ede4c3e92d3d4c857cfbd6c4a1f598047f7a4efbb3148f

SHA512
3186e821a9f71ad066f27f453e27df3ea27a8095261bc3c987246c398e4f959c4e321a01dc38bef18a61f8c36f5694263f3b674ec6f6d27cf58ef367a2ef6c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZKbbXbE2GP.bat

Filesize
217B

MD5
a27248bc9a82706af005e6060fbd124f

SHA1
0385392c80c6fbb5e71d03ba8cb918aaa32cb1a2

SHA256
17aed8097e0a8cf7fb19c129d221edb3137b07baec552014a7b17a6c72d72b3d

SHA512
6bc2736a207a808ed4f2f5faeca08335b7484997229be71dacb845e066c3bfc8281ab6beac6934a44bda97e87f0bc0aa052826068f5be1c4049ded5a446ebdc0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b3ncdzma\b3ncdzma.0.cs

Filesize
394B

MD5
2a132f2155848aae189e16634c9123ca

SHA1
6605f27cc65092ad31b1f6e88c2a8889cd93fc7b

SHA256
66734e1d079385a3da90c22f5b6745139c2b7d0324872ca9c6e861b03041f990

SHA512
651e2c6fe6f3153c1696bdac3175b2ac80e16e9e6ad141cd40599880f090da638bfbb26c4f22cb8ba6e6624c23306a9abb4eb4c6b21c575592eaa8e0c015e04a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b3ncdzma\b3ncdzma.cmdline

Filesize
235B

MD5
84400c4b9f9dbbe90123af9339d1fd20

SHA1
c426c19ec1c18ac4e5150ef5ab78cff3ae9ecb28

SHA256
e8d88eab3acc08e999458258677341b58034ff52c8368fe3a13ba51fd693a2f9

SHA512
c0754bf6a6e3762a55d2b9cef57dc586ce677d178fb0a3bcb250b16caaa215a0416bb28c2c1bba59ca668042cd54407eded3d8153d01eedc5b3e4a2e334c5350

Download Submit
\??\c:\Windows\System32\CSC9EF36B13797445059F4C126711E9B68F.TMP

Filesize
1KB

MD5
2fd2b90e7053b01e6af25701a467eb1f

SHA1
68801a13cebba82c24f67a9d7c886fcefcf01a51

SHA256
12b900db56a20f01f0f1d65f46933971415d5b5675e59e8b02b3dae12aaa1527

SHA512
081d3a621e3664709867f3fdd82808364978f896fb007c0c8e6c8dfe25f2f2b8d37c9e0b2e4fb51c90bc6f691507b569e5d841ef3ca3bd38bd6adda2d30f32af

Download Submit
memory/212-14-0x000000001B3E0000-0x000000001B3EC000-memory.dmp

Filesize
48KB

Download
memory/212-29-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/212-10-0x000000001B890000-0x000000001B8E0000-memory.dmp

Filesize
320KB

Download
memory/212-12-0x000000001B430000-0x000000001B448000-memory.dmp

Filesize
96KB

Download
memory/212-0-0x00007FFB29E63000-0x00007FFB29E65000-memory.dmp

Filesize
8KB

Download
memory/212-16-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/212-21-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/212-7-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/212-28-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/212-9-0x000000001B400000-0x000000001B41C000-memory.dmp

Filesize
112KB

Download
memory/212-6-0x000000001B390000-0x000000001B39E000-memory.dmp

Filesize
56KB

Download
memory/212-4-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/212-37-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/212-3-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/212-2-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/212-48-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/212-1-0x0000000000700000-0x00000000008DA000-memory.dmp

Filesize
1.9MB

Download