Overview

overview

10

Static

static

10

37afdc0779...72.exe

windows7-x64

10

37afdc0779...72.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2025 02:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72.exe

  • Size

    2.6MB

  • MD5

    97a026b442f5d5739ea3d8565f3a044d

  • SHA1

    dd409fa09eede943173f5aed10542f378062dcb1

  • SHA256

    37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72

  • SHA512

    007b12f6c721ad9681c2013ac0038a23b1dc4bc2fb87c779e85970e820d5f4735c962f05a378ece3a0f23e4288172ccc43b634dffdc12a636673852884dd297d

  • SSDEEP

    49152:cVtVRFA8evMabRZgEVjPW8bfBodneUXBXw7YKdy2043sjkH:cNR/eUab3W8todenPJcjk

Score
10/10
dcratevasionexecutioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 47 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 15 IoCs
    persistence
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 15 IoCs
    evasiontrojan
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 30 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 10 IoCs
    evasiontrojan
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 15 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72.exe
    "C:\Users\Admin\AppData\Local\Temp\37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:896
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6DvQ60mTAK.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2668
        • C:\Windows\Panther\services.exe
          "C:\Windows\Panther\services.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2880
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04da398a-e1bf-4d41-a0e5-a84be4628016.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2088
            • C:\Windows\Panther\services.exe
              C:\Windows\Panther\services.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2492
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4b59bde-cc09-48e3-a824-a3978e1e2e21.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2228
                • C:\Windows\Panther\services.exe
                  C:\Windows\Panther\services.exe
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2064
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91f2db13-963a-40ee-994d-e94daf7f14ab.vbs"
                    8⤵
                      PID:2240
                      • C:\Windows\Panther\services.exe
                        C:\Windows\Panther\services.exe
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2852
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a924f7b7-ce8a-4e0f-9a60-50bc6ceae8ad.vbs"
                          10⤵
                            PID:2552
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2e9cbf0-787e-42f6-a5a7-97d635a3a33d.vbs"
                            10⤵
                              PID:1576
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\084e25d5-8089-45b4-a498-bd559a6ea44d.vbs"
                          8⤵
                            PID:2420
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62858764-7766-48bd-b729-bb9c17783638.vbs"
                        6⤵
                          PID:2484
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c078207-641e-41fc-aacb-ecb9e741b223.vbs"
                      4⤵
                        PID:1384
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2780
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2752
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\sppsvc.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2760
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2744
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3028
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2764
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\plugins\lsass.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2040
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\lsass.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1932
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\lsass.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2700
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2684
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:684
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1588
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\services.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1492
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Panther\services.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3060
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\services.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2912
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\winlogon.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2900
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\winlogon.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2996
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\winlogon.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3000
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3020
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3024
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1156
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1996
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1340
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2284
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\dwm.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2588
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2256
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2388
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1748
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1920
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1776
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\UGatherer\csrss.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1020
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\inf\UGatherer\csrss.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1148
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\UGatherer\csrss.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2552
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\de-DE\OSPPSVC.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1052
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1620
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1212
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:844
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:624
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1712
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\en-US\lsass.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1720
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppPatch\en-US\lsass.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1780
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\en-US\lsass.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1656
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b723" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72.exe'" /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1272
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72" /sc ONLOGON /tr "'C:\Users\Default User\37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1652
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b723" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2184

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Command and Scripting Interpreter

                1
                T1059

                PowerShell

                1
                T1059.001

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Persistence

                Boot or Logon Autostart Execution

                2
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Winlogon Helper DLL

                1
                T1547.004

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Privilege Escalation

                Abuse Elevation Control Mechanism

                1
                T1548

                Bypass User Account Control

                1
                T1548.002

                Boot or Logon Autostart Execution

                2
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Winlogon Helper DLL

                1
                T1547.004

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Defense Evasion

                Abuse Elevation Control Mechanism

                1
                T1548

                Bypass User Account Control

                1
                T1548.002

                Impair Defenses

                1
                T1562

                Disable or Modify Tools

                1
                T1562.001

                Modify Registry

                4
                T1112

                Credential Access

                Discovery

                Query Registry

                1
                T1012

                System Information Discovery

                2
                T1082

                Lateral Movement

                Collection

                Command and Control

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\04da398a-e1bf-4d41-a0e5-a84be4628016.vbs
                  Filesize

                  707B

                  MD5

                  2b6c046efd7d4591d84faa29471acf72

                  SHA1

                  08de11540bd8721ebf2d14d69dc2ee8b398cf6dc

                  SHA256

                  6698dfcd1643f55eb6a06451b86445445187025de148dc32d2179cc91b3930ff

                  SHA512

                  466278978a40965c6ef7f0212800688eb7c7bc2010346466ccf29ab3b74faa6bfe191d3ffd2f2816308f0e73ef9234c86829a2f670033b6f086ad0d6c3ca93d8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\0c078207-641e-41fc-aacb-ecb9e741b223.vbs
                  Filesize

                  483B

                  MD5

                  95a66eff739cf84ee49929c2642a5c7e

                  SHA1

                  7fb1b4f4e7ef2e675e68fa5dbe063ad652a4a0ac

                  SHA256

                  05be3b8015ede75cc8542c0f38d2ddaaed24fe529848576a62835ac2e62513f9

                  SHA512

                  0fb7a43d2e39f2bd20846e6217989ea75f6727427d1851fc0dcfa36dbc3d010360f1c2f29abbedfa3d550ad4fc7458c49cb8e07444062fdd9feb394901985d05

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\6DvQ60mTAK.bat
                  Filesize

                  196B

                  MD5

                  ffb8f7ce1e8225830afa2c335b2620ba

                  SHA1

                  838d9dfa2e0715d193badc52102804823fd635b5

                  SHA256

                  b860fc601409810cc634fe6f09cff10e2ee7e7e4963c6d49c9d44f9ab2fb825b

                  SHA512

                  80804c2d7562e72d037e971a077e39360994695ab083fa5d03800500c27588075dcf76ee07c84ed666f9d4f7e51312d404ef3d7794dbcefc69abd07ed82426a6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\91f2db13-963a-40ee-994d-e94daf7f14ab.vbs
                  Filesize

                  707B

                  MD5

                  b6c2e9dfc8b4c15d551151e038355fb4

                  SHA1

                  4f9aab378fce679dacb29507c9da38ba52592803

                  SHA256

                  b9a75187b423cf74f3e49e4677cf57ae2eb2e9fd9f5bfb49e5c053a19d7080e8

                  SHA512

                  1c74ae3048aa7fb877c6126cb198e0cd667b7433e09101a7ae3622232bc38297c9aa8da044f441d0fff48620e4eb512ce14c7a552c0f14cac10ddfed5f7d9224

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\a924f7b7-ce8a-4e0f-9a60-50bc6ceae8ad.vbs
                  Filesize

                  707B

                  MD5

                  d64e78fc132728e4ba74557ce90780a1

                  SHA1

                  c9d24b507b0f42b418a428c3a63f38271e5e2247

                  SHA256

                  9193ae2caf1b1e36198fa40453a96affda267500918ea7fcd4b646d637e17dea

                  SHA512

                  73d7dfe28efe4c2ad6055a1ece221b71dfb5138fb191e1d377ba427077f7856b683665a773d0fe4c7218a76c62f112be85fa7fa92e5ed157fc1f102b839e3f35

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\c4b59bde-cc09-48e3-a824-a3978e1e2e21.vbs
                  Filesize

                  707B

                  MD5

                  8b7ca520e518f5a696ce6b78e302eff9

                  SHA1

                  3be75e4c3b7cca53122cb2962620eab3e5add5d1

                  SHA256

                  af147fc42966b1c4158cbc7bda60517bf94c8dbadf62a985dbf57d337d8227b0

                  SHA512

                  7f4ac8c780947fcb334fc4d4c171a2ae01af56c2ac7799fba85a62121d946961c3a76016cbe0bf80da12d163869c3c299872efd1bc0722a26825a989516d62d1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                  Filesize

                  7KB

                  MD5

                  e041d73bca31f41dfe21ec00cdfa40e8

                  SHA1

                  911e91ab519f53255a0f3b7550d004d535cfc81f

                  SHA256

                  d9273441b3b10270404e6c6d382b4141fa5a04547fdb8c69928b3d3d5e16a964

                  SHA512

                  d15ef8ff3cc4f7318305370a4eda44767bdf0b1fb373d2724bb1b7f55dc056e8b483905324cec7bca42a9aa845aa522ca610dae0eebac0d01447abe8e38e7b9b

                  Download Submit

                • C:\Windows\Panther\services.exe
                  Filesize

                  2.6MB

                  MD5

                  97a026b442f5d5739ea3d8565f3a044d

                  SHA1

                  dd409fa09eede943173f5aed10542f378062dcb1

                  SHA256

                  37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72

                  SHA512

                  007b12f6c721ad9681c2013ac0038a23b1dc4bc2fb87c779e85970e820d5f4735c962f05a378ece3a0f23e4288172ccc43b634dffdc12a636673852884dd297d

                  Download Submit

                • memory/1948-6-0x0000000000300000-0x0000000000316000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/1948-2-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/1948-10-0x0000000000560000-0x0000000000568000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/1948-11-0x00000000006B0000-0x0000000000706000-memory.dmp

                  Filesize

                  344KB

                  Download

                • memory/1948-12-0x0000000000680000-0x0000000000688000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/1948-13-0x0000000000690000-0x000000000069A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1948-14-0x0000000000700000-0x000000000070E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/1948-15-0x0000000000710000-0x0000000000718000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/1948-16-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1948-17-0x0000000000D00000-0x0000000000D0C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/1948-0-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1948-7-0x0000000000320000-0x000000000032A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1948-1-0x0000000000DA0000-0x0000000001038000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/1948-9-0x0000000000550000-0x000000000055C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/1948-5-0x0000000000150000-0x0000000000158000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/1948-70-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/1948-3-0x0000000000140000-0x000000000014E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/1948-4-0x00000000002E0000-0x00000000002FC000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/1948-8-0x0000000000330000-0x0000000000342000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2064-139-0x0000000000BE0000-0x0000000000E78000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/2064-140-0x00000000009F0000-0x0000000000A02000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2100-104-0x0000000002240000-0x0000000002248000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2100-85-0x000000001B610000-0x000000001B8F2000-memory.dmp

                  Filesize

                  2.9MB

                  Download

                • memory/2492-126-0x00000000003C0000-0x0000000000658000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/2492-127-0x00000000003B0000-0x00000000003C2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2852-152-0x00000000000D0000-0x0000000000368000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/2880-115-0x00000000004C0000-0x00000000004D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2880-114-0x00000000013A0000-0x0000000001638000-memory.dmp

                  Filesize

                  2.6MB

                  Download