Overview

overview

10

Static

static

10

71f56f5e75...b7.exe

windows7-x64

10

71f56f5e75...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2025 18:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    71f56f5e75963138d685df0663d07c63aece8753580f45c6e6682ee02dbb38b7.exe

  • Size

    3.3MB

  • MD5

    51314ed425784c593487c9f42e5e967d

  • SHA1

    4d9380fa7096f723d1262a95a945b75767dc24da

  • SHA256

    71f56f5e75963138d685df0663d07c63aece8753580f45c6e6682ee02dbb38b7

  • SHA512

    c6657db440033c8185977a0e4118cb006b24733ebc05feb41788cbe0762f1c3ce00b0bd34bcc57b4fa6dac67584a4b47c7a679e21a59116b88accfe28bf7978a

  • SSDEEP

    49152:QwM0NUvaeipsEJpDidQ1fZVGsLaCE7tdTQDhqiZcqtN2Qys:QeNUVEHedQ1f7xadtdTOh+qP

Score
10/10
dcratevasioninfostealerpersistenceratspywarestealertrojan

Malware Config

Signatures

  • DcRat 53 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 17 IoCs
    persistence
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 34 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\71f56f5e75963138d685df0663d07c63aece8753580f45c6e6682ee02dbb38b7.exe
    "C:\Users\Admin\AppData\Local\Temp\71f56f5e75963138d685df0663d07c63aece8753580f45c6e6682ee02dbb38b7.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1504
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wrxQvVqbHu.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4868
        • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe
          "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2456
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc0fc272-a3ed-41e2-a10e-2f42525caf4d.vbs"
            4⤵
              PID:2996
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c4aa0ca-bf5a-4c88-9b07-82d0a4b8fdae.vbs"
              4⤵
                PID:1052
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1888
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2772
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2360
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1020
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:716
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:684
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\dwm.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4780
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2136
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5092
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1508
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3684
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4460
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4260
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4744
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2284
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4676
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1860
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5084
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\ClickToRun\unsecapp.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2080
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\ClickToRun\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2192
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\ClickToRun\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sppsvc.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1376
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2556
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4112
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2220
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2248
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2464
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3620
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4312
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\Idle.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:436
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1564
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3540
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3428
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2056
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1884
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4516
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4876
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4540
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\TextInputHost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4768
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\TextInputHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\TextInputHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4924
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\unsecapp.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4960
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4580
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2984
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Links\unsecapp.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1040
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Links\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2204
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Links\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2508
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Idle.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:736
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:976
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4396
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4260
        • C:\Windows\system32\wbem\WmiApSrv.exe
          C:\Windows\system32\wbem\WmiApSrv.exe
          1⤵
            PID:1916

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          4
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          2
          T1012

          System Information Discovery

          3
          T1082

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Recovery\WindowsRE\smss.exe
            Filesize

            3.3MB

            MD5

            51314ed425784c593487c9f42e5e967d

            SHA1

            4d9380fa7096f723d1262a95a945b75767dc24da

            SHA256

            71f56f5e75963138d685df0663d07c63aece8753580f45c6e6682ee02dbb38b7

            SHA512

            c6657db440033c8185977a0e4118cb006b24733ebc05feb41788cbe0762f1c3ce00b0bd34bcc57b4fa6dac67584a4b47c7a679e21a59116b88accfe28bf7978a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\8c4aa0ca-bf5a-4c88-9b07-82d0a4b8fdae.vbs
            Filesize

            528B

            MD5

            5e78b3943e22139ef1ce1f3c49d935ab

            SHA1

            7ee7ef6e9840c0f9e56cfbcf43fb5f7ddae172ea

            SHA256

            1c6d1bb7addf9673c3d201acaa146036d24a04c6aa0ebbf1156ee18331838ad8

            SHA512

            01de5e2bac1bdaaa1727367a2526be868e90c824946b16e062922b266d67170e1ff806d395658e8be471099c7db1bff582cc873da8b2cdb10186151e16a7e6bb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\cc0fc272-a3ed-41e2-a10e-2f42525caf4d.vbs
            Filesize

            752B

            MD5

            5d29d0e22dac6472569c24a3263fefb7

            SHA1

            2d3ddfbaca80942184ceca07b339034037acb528

            SHA256

            107b95b4f5912eb8f948d52304073bad33c366617a1773ab314c61746f091a3a

            SHA512

            d6d98733a7de5a77c7102dfe95f7fe4f88166a264d53ed2f6b31b4158ba07f36c87859fa34fb0639b7a76e613c4147c351d7ed5fb0cc64dc48d2e1ec5646af02

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\wrxQvVqbHu.bat
            Filesize

            241B

            MD5

            9398d34adbd2bb1e24d0524d3ed63eb8

            SHA1

            c06bc8867fc27ad3c25c3bee02956a1838632c18

            SHA256

            ab2c3332cec1bd9ed2d64156c050810ccf0a69a948feb8dab6578bf4cec4d332

            SHA512

            c0ebf3fc25944cfb9c3f684069885622b3aafd0eb84bbe873af874b3e69e9dc67fcec8d07a66d6836bb7eba8d95ee4e83e15c16544cac2245f99dc7a0ef00005

            Download Submit

          • memory/1504-22-0x000000001C5E0000-0x000000001CB08000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/1504-11-0x000000001B8B0000-0x000000001B8C2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1504-6-0x000000001B850000-0x000000001B8A0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/1504-25-0x000000001C0D0000-0x000000001C0DC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1504-7-0x0000000002DA0000-0x0000000002DA8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1504-26-0x000000001C0E0000-0x000000001C0EC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1504-10-0x000000001B720000-0x000000001B728000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1504-24-0x000000001C0C0000-0x000000001C0C8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1504-12-0x000000001BFD0000-0x000000001BFDC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1504-13-0x000000001B730000-0x000000001B738000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1504-14-0x000000001B8A0000-0x000000001B8B0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1504-15-0x000000001BFE0000-0x000000001BFEA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1504-16-0x000000001BFF0000-0x000000001C046000-memory.dmp

            Filesize

            344KB

            Download

          • memory/1504-17-0x000000001C040000-0x000000001C04C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1504-18-0x000000001C050000-0x000000001C058000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1504-19-0x000000001C060000-0x000000001C06C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1504-20-0x000000001C070000-0x000000001C078000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1504-21-0x000000001C080000-0x000000001C092000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1504-0-0x00007FFC7FDF3000-0x00007FFC7FDF5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1504-23-0x000000001C0B0000-0x000000001C0BC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1504-8-0x000000001B6F0000-0x000000001B700000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1504-5-0x000000001B6D0000-0x000000001B6EC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/1504-9-0x000000001B700000-0x000000001B716000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1504-27-0x000000001C1F0000-0x000000001C1F8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1504-28-0x000000001C200000-0x000000001C20C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1504-29-0x000000001C210000-0x000000001C21A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1504-32-0x000000001C340000-0x000000001C34E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1504-31-0x000000001C330000-0x000000001C338000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1504-30-0x000000001C320000-0x000000001C32E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1504-33-0x000000001C350000-0x000000001C358000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1504-34-0x000000001C360000-0x000000001C36C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1504-35-0x000000001C370000-0x000000001C378000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1504-36-0x000000001C380000-0x000000001C38A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1504-37-0x000000001C390000-0x000000001C39C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1504-4-0x0000000002C80000-0x0000000002C88000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1504-3-0x0000000002C70000-0x0000000002C7E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1504-78-0x00007FFC7FDF0000-0x00007FFC808B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1504-1-0x0000000000860000-0x0000000000BAE000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1504-2-0x00007FFC7FDF0000-0x00007FFC808B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2456-82-0x000000001B890000-0x000000001B8A2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2456-92-0x000000001E260000-0x000000001E422000-memory.dmp

            Filesize

            1.8MB

            Download