dcrat | 94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-12-2024 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe
Size

2.6MB
MD5

6f3b935175a44298f056598daefd8f4a
SHA1

df49fbdec3d0c697da73ca8d2925522114325e1f
SHA256

94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd
SHA512

ed1346f979b017ec6b04dc6bdb7645c06975c78a8ddcc2fb97b9447aae65eb102403b20279957336112d4c93e7163803086a9ce6d38370d24f9328c704059a2e
SSDEEP

49152:PbA3phxcymVOgnOPsopuCiTsAqKl4iLPuqaLiUDVgZ1jAMLhN:PbYcfVOZEqiTKKl42aLpgZ1jjj

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat 41 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		348	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe
		1536	schtasks.exe
		1528	schtasks.exe
		2728	schtasks.exe
		1588	schtasks.exe
		1672	schtasks.exe
		2456	schtasks.exe
		3032	schtasks.exe
		2212	schtasks.exe
		984	schtasks.exe
		1552	schtasks.exe
		2772	schtasks.exe
		2856	schtasks.exe
		2928	schtasks.exe
		2276	schtasks.exe
		1640	schtasks.exe
		2020	schtasks.exe
		1572	schtasks.exe
		2256	schtasks.exe
		2596	schtasks.exe
		836	schtasks.exe
		1624	schtasks.exe
		300	schtasks.exe
		2084	schtasks.exe
		2420	schtasks.exe
		1908	schtasks.exe
		2132	schtasks.exe
		2992	schtasks.exe
		876	schtasks.exe
		2200	schtasks.exe
		1100	schtasks.exe
		896	schtasks.exe
		1240	schtasks.exe
		1144	schtasks.exe
		2328	schtasks.exe
		2096	schtasks.exe
File created	C:\Program Files\Windows Defender\fr-FR\5940a34987c991		Mscontainerprovider.exe
		1940	schtasks.exe
		2956	schtasks.exe
		1620	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1856	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	1856	schtasks.exe	40

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000019401-33.dat	dcrat
behavioral1/memory/2100-34-0x0000000000A20000-0x0000000000C72000-memory.dmp	dcrat
behavioral1/memory/2188-75-0x0000000001320000-0x0000000001572000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2100	Mscontainerprovider.exe
2188	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
1752	cmd.exe
1752	cmd.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe	Mscontainerprovider.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\42af1c969fbb7b	Mscontainerprovider.exe
File created	C:\Program Files\Windows Defender\fr-FR\dllhost.exe	Mscontainerprovider.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\dllhost.exe	Mscontainerprovider.exe
File created	C:\Program Files\Windows Defender\fr-FR\5940a34987c991	Mscontainerprovider.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\conhost.exe	Mscontainerprovider.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\088424020bedd6	Mscontainerprovider.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\101b941d020240	Mscontainerprovider.exe
File created	C:\Windows\Fonts\conhost.exe	Mscontainerprovider.exe
File created	C:\Windows\Fonts\088424020bedd6	Mscontainerprovider.exe
File created	C:\Windows\Downloaded Program Files\OSPPSVC.exe	Mscontainerprovider.exe
File created	C:\Windows\Downloaded Program Files\1610b97d3ab4a7	Mscontainerprovider.exe
File created	C:\Windows\L2Schemas\lsm.exe	Mscontainerprovider.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2992	schtasks.exe
1528	schtasks.exe
2200	schtasks.exe
2420	schtasks.exe
1672	schtasks.exe
1536	schtasks.exe
2596	schtasks.exe
2276	schtasks.exe
1640	schtasks.exe
836	schtasks.exe
348	schtasks.exe
1572	schtasks.exe
876	schtasks.exe
2084	schtasks.exe
2096	schtasks.exe
2728	schtasks.exe
1240	schtasks.exe
1588	schtasks.exe
2456	schtasks.exe
3032	schtasks.exe
2928	schtasks.exe
2856	schtasks.exe
1100	schtasks.exe
984	schtasks.exe
896	schtasks.exe
1552	schtasks.exe
2020	schtasks.exe
2256	schtasks.exe
1624	schtasks.exe
1940	schtasks.exe
1620	schtasks.exe
1908	schtasks.exe
2328	schtasks.exe
2212	schtasks.exe
2956	schtasks.exe
300	schtasks.exe
2772	schtasks.exe
1144	schtasks.exe
2132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2100	Mscontainerprovider.exe
2188	audiodg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	Mscontainerprovider.exe
Token: SeDebugPrivilege	2188	audiodg.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2812	2628	94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe	31
PID 2628 wrote to memory of 2812	2628	94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe	31
PID 2628 wrote to memory of 2812	2628	94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe	31
PID 2628 wrote to memory of 2812	2628	94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe	31
PID 2628 wrote to memory of 2756	2628	94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe	32
PID 2628 wrote to memory of 2756	2628	94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe	32
PID 2628 wrote to memory of 2756	2628	94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe	32
PID 2628 wrote to memory of 2756	2628	94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe	32
PID 2628 wrote to memory of 2664	2628	94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe	33
PID 2628 wrote to memory of 2664	2628	94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe	33
PID 2628 wrote to memory of 2664	2628	94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe	33
PID 2628 wrote to memory of 2664	2628	94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe	33
PID 2664 wrote to memory of 2528	2664	cmd.exe	35
PID 2664 wrote to memory of 2528	2664	cmd.exe	35
PID 2664 wrote to memory of 2528	2664	cmd.exe	35
PID 2664 wrote to memory of 2528	2664	cmd.exe	35
PID 2812 wrote to memory of 1752	2812	WScript.exe	37
PID 2812 wrote to memory of 1752	2812	WScript.exe	37
PID 2812 wrote to memory of 1752	2812	WScript.exe	37
PID 2812 wrote to memory of 1752	2812	WScript.exe	37
PID 1752 wrote to memory of 2100	1752	cmd.exe	39
PID 1752 wrote to memory of 2100	1752	cmd.exe	39
PID 1752 wrote to memory of 2100	1752	cmd.exe	39
PID 1752 wrote to memory of 2100	1752	cmd.exe	39
PID 2100 wrote to memory of 2188	2100	Mscontainerprovider.exe	80
PID 2100 wrote to memory of 2188	2100	Mscontainerprovider.exe	80
PID 2100 wrote to memory of 2188	2100	Mscontainerprovider.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe
"C:\Users\Admin\AppData\Local\Temp\94af3f003d23484a189ce50929f7e11b7cb4d30d149eb23f6650fafd548dd3fd.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\HypercomwebsavesCommon\06TRX2vp5EEa5LRO2qIvamDAISMSY.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\HypercomwebsavesCommon\qBJRRaMx8bIHubO.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\HypercomwebsavesCommon\Mscontainerprovider.exe
      "C:\HypercomwebsavesCommon\Mscontainerprovider.exe"
      4⤵
      DcRat
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Users\Public\Documents\audiodg.exe
        
        "C:\Users\Public\Documents\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\HypercomwebsavesCommon\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\HypercomwebsavesCommon\r2mekDnwHuGTXInEFmE.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Documents\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MscontainerproviderM" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft Help\Mscontainerprovider.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Mscontainerprovider" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\Mscontainerprovider.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MscontainerproviderM" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft Help\Mscontainerprovider.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\HypercomwebsavesCommon\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\HypercomwebsavesCommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\HypercomwebsavesCommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Fonts\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HypercomwebsavesCommon\06TRX2vp5EEa5LRO2qIvamDAISMSY.vbe

Filesize
214B

MD5
f1d16665ffd0f6c105eb6959fe8191e8

SHA1
306ffa126b9323b3cf6eec31d266510898ddd6b4

SHA256
5fa7ef03d5257c7deb9ea12f21f4ff5886dbd667d44b28aaffcf9ff070e9da32

SHA512
6ce173fe645e5a05a4c02da4b7b67c612867f234e6e0a14f20ef016d5bc2e0b7dc33766dffd98fc62f1fe357a8797486b9dbd198375cf801d4ec2231745cbadf

Download Submit
C:\HypercomwebsavesCommon\Mscontainerprovider.exe

Filesize
2.3MB

MD5
d53b913a47de930d631538231afc9f89

SHA1
565818c582c9e8a1ae576111086379c569b5a557

SHA256
dfd113a21fa8c15314f5873a2657d6fc698d6e7678f09ffe0755d81e01f422fd

SHA512
b1b983139fbe41dcf17171cbb1978d8627347ee532d1b71e33330da4da57f1d096f8f807d3285256b158da73e2c5398d84f803c473196f4efde503d9a9bbbe87

Download Submit
C:\HypercomwebsavesCommon\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\HypercomwebsavesCommon\qBJRRaMx8bIHubO.bat

Filesize
51B

MD5
e6f650718077366b66c45793bf847aba

SHA1
053549a3540eb20fed7b618f899313ec8b36f7f9

SHA256
e75e8150eef010f32b581e9bb62b3ff17eda9302452252954ccf0822bfa38a1b

SHA512
99c82b2eec28d6c4c91e73c2bf8af1a6ee81234a5f57a5d53644b2bd2c6869f6b0a076bf45a4517f97a58f0974891c4fa5a69d5de09759efb256aa5fa2861814

Download Submit
C:\HypercomwebsavesCommon\r2mekDnwHuGTXInEFmE.bat

Filesize
12B

MD5
cde09bcdf5fde1e2eac52c0f93362b79

SHA1
7a0fd90576e08807bde2cc57bcf9854bbce05fe3

SHA256
7592a3326e8f8297547f8c170b96b8aa8f5234027fd76593841a6574f098759c

SHA512
0c3dc6a9d88ac98ee08a6aac028a1cf72e6d736227d36904a9daec84b30c2fccfd57a41daa4d73384bb91339482e98e226578eb0d87c958c2bfd2353181b680b

Download Submit
memory/2100-35-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/2100-34-0x0000000000A20000-0x0000000000C72000-memory.dmp

Filesize
2.3MB

Download
memory/2100-36-0x0000000000370000-0x0000000000386000-memory.dmp

Filesize
88KB

Download
memory/2100-37-0x00000000009B0000-0x0000000000A06000-memory.dmp

Filesize
344KB

Download
memory/2100-38-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/2100-39-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/2100-40-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2100-41-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2188-75-0x0000000001320000-0x0000000001572000-memory.dmp

Filesize
2.3MB

Download
memory/2188-76-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download