dcrat | 3490a06a34fbdc0f9d3ae55ff159fe407bf962f67b56bde78a9ad0bb312a1610

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88F34405800FD589303DD080CB702BF0.exe
Size

2.7MB
MD5

88f34405800fd589303dd080cb702bf0
SHA1

ff0464ed91e346e4a28c66e46b521916daacb839
SHA256

3490a06a34fbdc0f9d3ae55ff159fe407bf962f67b56bde78a9ad0bb312a1610
SHA512

430178b4579e748fb0581090d1a96e3acd234b4d4575a0914f9e083b64ede5351fe929413100b05fa298a4172305ec8cb79c82a53acd849365e165195d1c4765
SSDEEP

49152:kJloZITX1N8fHQxECPA8Wpd9MNZesZb6EIAZwgZILA:kJloSTX1yPQxv0tMNIC6K1Kk

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2324	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2324	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2212-1-0x0000000000B00000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/files/0x00050000000193a2-28.dat	dcrat
behavioral1/memory/2232-54-0x00000000001F0000-0x00000000004B0000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2232	services.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\DESIGNER\56085415360792	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\27d1bcfc3c54e0	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files\7-Zip\Lang\spoolsv.exe	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files (x86)\Common Files\OSPPSVC.exe	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files (x86)\Common Files\1610b97d3ab4a7	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\wininit.exe	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files\Windows Sidebar\6cb0b6c459d5d3	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files\Windows Portable Devices\services.exe	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files\7-Zip\Lang\f3b6ecef712a24	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files\Windows Sidebar\dwm.exe	88F34405800FD589303DD080CB702BF0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Idle.exe	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Windows\AppCompat\Programs\6ccacd8608530f	88F34405800FD589303DD080CB702BF0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3060	schtasks.exe
1808	schtasks.exe
2580	schtasks.exe
2576	schtasks.exe
1268	schtasks.exe
2888	schtasks.exe
1708	schtasks.exe
1928	schtasks.exe
2960	schtasks.exe
672	schtasks.exe
1700	schtasks.exe
1492	schtasks.exe
2620	schtasks.exe
2668	schtasks.exe
1108	schtasks.exe
1776	schtasks.exe
2832	schtasks.exe
2728	schtasks.exe
2676	schtasks.exe
2336	schtasks.exe
3004	schtasks.exe
3000	schtasks.exe
2768	schtasks.exe
2780	schtasks.exe
1916	schtasks.exe
1756	schtasks.exe
1812	schtasks.exe
2860	schtasks.exe
2740	schtasks.exe
1308	schtasks.exe
1444	schtasks.exe
2472	schtasks.exe
1612	schtasks.exe
2808	schtasks.exe
2932	schtasks.exe
2120	schtasks.exe
1932	schtasks.exe
2060	schtasks.exe
1624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2212	88F34405800FD589303DD080CB702BF0.exe
2212	88F34405800FD589303DD080CB702BF0.exe
2212	88F34405800FD589303DD080CB702BF0.exe
2212	88F34405800FD589303DD080CB702BF0.exe
2212	88F34405800FD589303DD080CB702BF0.exe
2212	88F34405800FD589303DD080CB702BF0.exe
2212	88F34405800FD589303DD080CB702BF0.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe
2232	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	88F34405800FD589303DD080CB702BF0.exe
Token: SeDebugPrivilege	2232	services.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1972	2212	88F34405800FD589303DD080CB702BF0.exe	71
PID 2212 wrote to memory of 1972	2212	88F34405800FD589303DD080CB702BF0.exe	71
PID 2212 wrote to memory of 1972	2212	88F34405800FD589303DD080CB702BF0.exe	71
PID 1972 wrote to memory of 1060	1972	cmd.exe	73
PID 1972 wrote to memory of 1060	1972	cmd.exe	73
PID 1972 wrote to memory of 1060	1972	cmd.exe	73
PID 1972 wrote to memory of 2232	1972	cmd.exe	74
PID 1972 wrote to memory of 2232	1972	cmd.exe	74
PID 1972 wrote to memory of 2232	1972	cmd.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\88F34405800FD589303DD080CB702BF0.exe
"C:\Users\Admin\AppData\Local\Temp\88F34405800FD589303DD080CB702BF0.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SHmmKgOEjr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1060
- - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe
    "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Libraries\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe

Filesize
2.7MB

MD5
88f34405800fd589303dd080cb702bf0

SHA1
ff0464ed91e346e4a28c66e46b521916daacb839

SHA256
3490a06a34fbdc0f9d3ae55ff159fe407bf962f67b56bde78a9ad0bb312a1610

SHA512
430178b4579e748fb0581090d1a96e3acd234b4d4575a0914f9e083b64ede5351fe929413100b05fa298a4172305ec8cb79c82a53acd849365e165195d1c4765

Download Submit
C:\Users\Admin\AppData\Local\Temp\SHmmKgOEjr.bat

Filesize
226B

MD5
983ca120a7121dcfba9c7da51b370b67

SHA1
d82b483a3b813ffe513d91dd522a4e9a917d4eba

SHA256
8027b14a540a670a608b13ee26cd0589305591e82ee78a4a5520442699aa44b8

SHA512
49cc97f3c73d0f0b7038ad855106bbeda731396b04aaf8640b11366c56bfa042676d2ed8a9c066082c2127dbf9240c75d77ab9e3f7a66cab4884759ea9997ac5

Download Submit
memory/2212-12-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/2212-18-0x0000000002220000-0x000000000222A000-memory.dmp

Filesize
40KB

Download
memory/2212-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

Filesize
4KB

Download
memory/2212-5-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2212-6-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2212-7-0x0000000000A50000-0x0000000000A66000-memory.dmp

Filesize
88KB

Download
memory/2212-8-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/2212-9-0x0000000000A90000-0x0000000000AE6000-memory.dmp

Filesize
344KB

Download
memory/2212-10-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/2212-14-0x00000000021E0000-0x00000000021EC000-memory.dmp

Filesize
48KB

Download
memory/2212-4-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2212-13-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/2212-11-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/2212-15-0x00000000021F0000-0x00000000021FC000-memory.dmp

Filesize
48KB

Download
memory/2212-16-0x0000000002200000-0x000000000220E000-memory.dmp

Filesize
56KB

Download
memory/2212-17-0x0000000002210000-0x000000000221C000-memory.dmp

Filesize
48KB

Download
memory/2212-3-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/2212-19-0x0000000002230000-0x000000000223C000-memory.dmp

Filesize
48KB

Download
memory/2212-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2212-1-0x0000000000B00000-0x0000000000DC0000-memory.dmp

Filesize
2.8MB

Download
memory/2212-51-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-54-0x00000000001F0000-0x00000000004B0000-memory.dmp

Filesize
2.8MB

Download
memory/2232-55-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download