Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
14-12-2024 10:09
General
-
Target
3aa1bbd17d68b0b67b7423f1fe09b05b.exe
-
Size
2.2MB
-
MD5
3aa1bbd17d68b0b67b7423f1fe09b05b
-
SHA1
61c43b8f31a51d772fd39d5caa87699d74971a43
-
SHA256
7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474
-
SHA512
7ae82411565104b15cc0de4cc8315d93301befbb28b1e36e3c50d46c8ba9fb1ff8eb361e12cd9d32771e2a5ecbee9b026aca0105473a9fe5a877fc2744b32014
-
SSDEEP
49152:mx4QdTmxnMJUh+pDY92IXc3Mx+HqXQJc2cv1TDlH:QdPpDYbNiIP2cvxZH
Score
10/10
Malware Config
Signatures
-
DcRat 53 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 17 IoCs
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 36 IoCs
-
DCRat payload 10 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 11 IoCs
-
Adds Run key to start application 2 TTPs 34 IoCs
-
Checks whether UAC is enabled 1 TTPs 24 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3aa1bbd17d68b0b67b7423f1fe09b05b.exe"C:\Users\Admin\AppData\Local\Temp\3aa1bbd17d68b0b67b7423f1fe09b05b.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mmxt5xtyiA.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files (x86)\Windows Defender\taskhost.exe"C:\Program Files (x86)\Windows Defender\taskhost.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2935826-d198-4b9c-ae53-1954ef532071.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\taskhost.exe"C:\Program Files (x86)\Windows Defender\taskhost.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e6eb65d-557f-4c0a-877c-4316b55dd360.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\taskhost.exe"C:\Program Files (x86)\Windows Defender\taskhost.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0e19599-10a5-4fe1-8d01-0262e9e5da7e.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\taskhost.exe"C:\Program Files (x86)\Windows Defender\taskhost.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dd89d81-07a3-4798-8cb3-bd690b4494d9.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\taskhost.exe"C:\Program Files (x86)\Windows Defender\taskhost.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09d132c0-ac73-4383-9179-764121523063.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\taskhost.exe"C:\Program Files (x86)\Windows Defender\taskhost.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d79fcb89-3186-49f4-b730-6976c6156bba.vbs"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Defender\taskhost.exe"C:\Program Files (x86)\Windows Defender\taskhost.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bc588f5-ccbe-4919-a874-3b1a72497e2d.vbs"16⤵
-
C:\Program Files (x86)\Windows Defender\taskhost.exe"C:\Program Files (x86)\Windows Defender\taskhost.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90ed3cfe-7255-4bc4-a50d-59ec46cb62be.vbs"18⤵
-
C:\Program Files (x86)\Windows Defender\taskhost.exe"C:\Program Files (x86)\Windows Defender\taskhost.exe"19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27f022a9-6f8a-4149-8056-70edff8b03ff.vbs"20⤵
-
C:\Program Files (x86)\Windows Defender\taskhost.exe"C:\Program Files (x86)\Windows Defender\taskhost.exe"21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4728e91f-01e7-439b-81ee-2256aec6e9da.vbs"22⤵
-
C:\Program Files (x86)\Windows Defender\taskhost.exe"C:\Program Files (x86)\Windows Defender\taskhost.exe"23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d16e54e8-8f84-4927-b4e4-cbe45c273894.vbs"24⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d39d6312-db4f-45ed-8ec4-3bdba644ea8b.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f250ed8b-760a-4385-9e8c-2a01fda617ce.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\534a245a-85a7-4038-87f1-1a348945a210.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48ac3c59-4bbf-45fd-aefc-c43b7f808940.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa8fbb71-eea9-4409-8db2-5d8b6a66a59b.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8c997c9-8d62-4c13-9be8-8b22599b9e62.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5c08302-4f71-454d-a42c-1076901aefed.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac43a955-4acc-4648-8491-cf0435ddf912.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18baface-2920-4666-a282-460dfdea35b0.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf2151aa-c042-4109-85af-66f5a3166b0e.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36524dc7-f20c-4a6d-9bc9-5609982729ce.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\it-IT\OSPPSVC.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\it-IT\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\audiodg.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3aa1bbd17d68b0b67b7423f1fe09b05b3" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\3aa1bbd17d68b0b67b7423f1fe09b05b.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3aa1bbd17d68b0b67b7423f1fe09b05b" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\3aa1bbd17d68b0b67b7423f1fe09b05b.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3aa1bbd17d68b0b67b7423f1fe09b05b3" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\3aa1bbd17d68b0b67b7423f1fe09b05b.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\SIGNUP\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\SIGNUP\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\OSPPSVC.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\tracing\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
728B
MD5f4d29059b33a51e65dd7b5a6c5ce3724
SHA108eba776ac4bd98f3543e5ec3a0d49607d849c90
SHA256d0b5feee0d67fc45f8f2c8bedc55fec7ec5957e497200b38d4f972449732ba15
SHA5129d1a14d25b4d901aadcec86e3576e204d1777a8501d500678f3f36eaa02524d315957c3cfb10d2c8889611b6d145a324383ae9a95b8124cf33e47c0149ae643e
-
Filesize
728B
MD5d8f3c2421bf8a293528c1fdd0bc3e5e2
SHA177ab0d543521f2aad13a82df3811b0f761a7067e
SHA256629e4b4463bb839b1fe607570c0696f88e85ed5069b95835d1997eac9f9d37f8
SHA5125f3adaa812782ddac79afd19506eed21a8af4dc692fd4a643a689e3c2048b0d7bcb8a019e9777a67acd3c5383f7849453503d887764e438b6e66b4fab5f822ea
-
Filesize
728B
MD5c59db6ef856549bd9204c05851480327
SHA1a086d5cdf82e6eb657b6511fd67d4976f52f88fc
SHA2562c3dbef5122271d8670642273b030b488327431410b1db97c221504d20f3b743
SHA512c40637b1652357cb12570dd9200d13d6e58bd3f5948956d4504026092dde7378e9f30f4a2f0ee5f0ae976a904296f2897053efd830810b7887388053694b0aa9
-
Filesize
504B
MD54ffb63dcd035160e8351a48b94aeef0d
SHA19912bf309ff0bebfcefa7db70417f5f3f84d20f9
SHA2567cbb91fd56a68623a0ac14a132f35f7dd0236db60c34fdd482e9e4665e8940aa
SHA5123ef776dacad7be095c75c9344b68d4e13004421df705ec484fcd6834c2b5310226c7146de44eb32064714c36b955ec695f3303d80f86db81c002e2cb86e27089
-
Filesize
728B
MD5c3ac733302d0c5f7f5b9a1e902de0145
SHA1859bcc33785f4131e235964c4a699d464debf7ba
SHA256390521fcf308108596cafe642d258e313966159a5c2fc6bbaf755b63cd55a43d
SHA5122a07cccb9cb8d73cf28d211754055ebedf5aff5ad3ff4c33e1cd80a93c55fab8806d42b1678252353f819572fcc695c54c624b37f9d53b3a0c4f4c25d21804f0
-
Filesize
728B
MD5e2a825ad047f6eb7ece1e84d333368b9
SHA115c175eb529af41ebcd73d3fcaf31c7fd610fb03
SHA256a1b41d28708cecdc0f863bc0c11d64a0bc70608163a82f928b839153a4fc693c
SHA512559c22c8c695fb0be545db1ad48e6b17a9eb5437b461e271dafdcfca558e1549b50f8bd4e3999ead16e9270eb27b11fc01f676a0a41474ecbf0218b654376999
-
Filesize
728B
MD5005c27aa2688e4d653dcb2ec1ea214b2
SHA164edcc6fe9795c0d6158eda595280979503c1f6d
SHA2562ec2a901ad0bc26bc8b063d90c5d79f81707c8af1c091867b049f0009d0884c2
SHA512bde5ee58319a2b9670fc7b581d42fe12f741bc3a1f9f203b39a01e10e293c137b40fd53274bdab8fa08e75c32b3d95d9d96978fcb865c46dffa5f72bda7c6e36
-
Filesize
727B
MD5e8a6a3b79460b43a618c0f06887909d6
SHA1b3a0a8e54e8f0b61d3eaeba56b5318b4e1694601
SHA25676797f838e72f20dd4a23170a7141bbdd79de467bc57e22a0555f3c551028379
SHA5120ad5e20a1b3adbaa59bbb093bbb16766e49b3127f435a3e0d4a555c7327ac5638dee177fc7e06a5cf4001996a0d9a04ff464eb9e5fd3596091624df25071254a
-
Filesize
727B
MD58924a08b492cc51c6623a4d35b0c6ee7
SHA1254685862994c8eecbb24cb7a20d626b3a9417b4
SHA256c04a49b0ddc380a75eef909c9768dd5bd4cd745c57729a176a524a73db966d3e
SHA51220182876eaedab79ceedcd8c6ca78edee43b36919252ba385af5eef947455862694e9f5a900859c20dce7a63fe73749220899465da4d7a1b452ca89d28d14904
-
Filesize
728B
MD5db39ebfbd87a2133c57f340866638d89
SHA18dce588bb3610602ec52b61b46d23108420d4f30
SHA256351c30410c4ec4774a03cb17f8f9cfdf235d7ae54da555fcb11293342fcf272c
SHA5129814da5c2ce4c1c6f0682c4aa2ad6e3c8a05a642924d29a2d299d41cf3daf6d25f8fd05ff3449497bfaf0ef29ff69f89502fdd68fe7139843735bea6a4cea3b8
-
Filesize
2.2MB
MD5ec080483e3442a3020d5f32ac9bec1ea
SHA11cb60857d98c97503bb77a2b19f5e25a7386dc4e
SHA2566702f73bc70fdce040e8e723453c823ce8729cbc599d4f9e86fb08976347bdd2
SHA512ac1de48f601ab795fe00fa8d22392d6372c1c554c5cb3c56b87bee639b22f25ab3beb284d458433ff0c7ca33de0c4cb0d24718024696b7bf55123a7b532321f8
-
Filesize
728B
MD50dd810d859abedeee138a65e0f76e5f0
SHA1138477398e2b51be50145d95dbab2c5e8f81e20a
SHA256e251600aa20309191f10121c9cb8d01d185ab408b0d2e0b6f5f90041ff55129d
SHA512e9b320fc2e35c358ee3c50bbdf461ac6a625ddb21dc27d5bec051bc9552a48e99b72bf5f580a402c3973d511b6ef79f6b26e70ab5cef738d5b2dfb6d5d68c60d
-
Filesize
217B
MD5fa2596f383ca6460b37c4d9275db72a3
SHA1707202daa887acd1783f9347f42b97fc21324884
SHA2564eec70f51cbd830a2181b4589b2473822f73c35794dbc46b6b83b701684aa0bf
SHA512d7f0b804083dc21aa9b562f15b1eb9f0cbe42f54fae27b13511aef9076d9401147bf2e53296ecc0edf82b9a83d6f1d5bef6a2154c15970af28b460a6b590c0d4
-
Filesize
2.2MB
MD53aa1bbd17d68b0b67b7423f1fe09b05b
SHA161c43b8f31a51d772fd39d5caa87699d74971a43
SHA2567362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474
SHA5127ae82411565104b15cc0de4cc8315d93301befbb28b1e36e3c50d46c8ba9fb1ff8eb361e12cd9d32771e2a5ecbee9b026aca0105473a9fe5a877fc2744b32014
-
Filesize
72KB
-
Filesize
2.2MB
-
Filesize
72KB
-
Filesize
2.2MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
72KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
72KB
-
Filesize
2.2MB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
2.2MB