dcrat | 524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611

Analysis

max time kernel
126s
max time network
147s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17/01/2025, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f9e8c0ca92989e50a62c5ea1e47eb74.exe
Size

2.7MB
MD5

0f9e8c0ca92989e50a62c5ea1e47eb74
SHA1

6076489eb7df53fe1116b3dfd0ff5d87cdfeb3d6
SHA256

524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611
SHA512

8819dc1e48e2343d29ee0420a598ee4e062a19b36190af80a204f08a28cde1e3cbe097d438566d1b12cf3d37f1afb889060fb9b141840de1d005be5087302970
SSDEEP

49152:yqyJUSQelMhlk1w19BlUobhENGZXxRWi0UAuqYqqnc:PyJlQgGk1wPko1oO30UA7Yqq

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2736	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2736	schtasks.exe	31

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2120-1-0x0000000001230000-0x00000000014E4000-memory.dmp	dcrat
behavioral1/files/0x0005000000018766-28.dat	dcrat
behavioral1/files/0x0006000000019cba-69.dat	dcrat
behavioral1/files/0x000e000000015d0e-127.dat	dcrat
behavioral1/files/0x0006000000019223-149.dat	dcrat
behavioral1/files/0x000b00000001926b-184.dat	dcrat
behavioral1/memory/2692-196-0x00000000001F0000-0x00000000004A4000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2692	taskhost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\wininit.exe	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File opened for modification	C:\Program Files\Windows NT\RCX2F1C.tmp	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File opened for modification	C:\Program Files\Windows NT\RCX2F1D.tmp	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\56085415360792	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\RCX262E.tmp	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\RCX262F.tmp	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File opened for modification	C:\Program Files\Windows NT\services.exe	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\wininit.exe	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File created	C:\Program Files\Windows NT\services.exe	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File created	C:\Program Files\Windows NT\c5b4cb5e9653cc	0f9e8c0ca92989e50a62c5ea1e47eb74.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Panther\actionqueue\System.exe	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File created	C:\Windows\Panther\actionqueue\27d1bcfc3c54e0	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File created	C:\Windows\Fonts\6cb0b6c459d5d3	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCX3410.tmp	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File opened for modification	C:\Windows\Fonts\dwm.exe	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File created	C:\Windows\Fonts\dwm.exe	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCX3411.tmp	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File opened for modification	C:\Windows\Panther\actionqueue\System.exe	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File opened for modification	C:\Windows\Fonts\RCX3819.tmp	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
File opened for modification	C:\Windows\Fonts\RCX3887.tmp	0f9e8c0ca92989e50a62c5ea1e47eb74.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2548	schtasks.exe
2600	schtasks.exe
1952	schtasks.exe
3008	schtasks.exe
1020	schtasks.exe
2648	schtasks.exe
1088	schtasks.exe
3012	schtasks.exe
2864	schtasks.exe
1856	schtasks.exe
2176	schtasks.exe
1760	schtasks.exe
2376	schtasks.exe
2880	schtasks.exe
2156	schtasks.exe
2396	schtasks.exe
628	schtasks.exe
2868	schtasks.exe
1232	schtasks.exe
1804	schtasks.exe
2040	schtasks.exe
2272	schtasks.exe
1820	schtasks.exe
1728	schtasks.exe
1440	schtasks.exe
1940	schtasks.exe
2024	schtasks.exe
2656	schtasks.exe
2784	schtasks.exe
3048	schtasks.exe
448	schtasks.exe
1648	schtasks.exe
2700	schtasks.exe
1524	schtasks.exe
1496	schtasks.exe
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2120	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
2692	taskhost.exe
2692	taskhost.exe
2692	taskhost.exe
2692	taskhost.exe
2692	taskhost.exe
2692	taskhost.exe
2692	taskhost.exe
2692	taskhost.exe
2692	taskhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
Token: SeDebugPrivilege	2692	taskhost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 880	2120	0f9e8c0ca92989e50a62c5ea1e47eb74.exe	68
PID 2120 wrote to memory of 880	2120	0f9e8c0ca92989e50a62c5ea1e47eb74.exe	68
PID 2120 wrote to memory of 880	2120	0f9e8c0ca92989e50a62c5ea1e47eb74.exe	68
PID 880 wrote to memory of 2852	880	cmd.exe	70
PID 880 wrote to memory of 2852	880	cmd.exe	70
PID 880 wrote to memory of 2852	880	cmd.exe	70
PID 880 wrote to memory of 2692	880	cmd.exe	71
PID 880 wrote to memory of 2692	880	cmd.exe	71
PID 880 wrote to memory of 2692	880	cmd.exe	71

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0f9e8c0ca92989e50a62c5ea1e47eb74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f9e8c0ca92989e50a62c5ea1e47eb74.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0f9e8c0ca92989e50a62c5ea1e47eb74.exe
"C:\Users\Admin\AppData\Local\Temp\0f9e8c0ca92989e50a62c5ea1e47eb74.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o5a91V1Q21.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2852
- - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe
    "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\include\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0f9e8c0ca92989e50a62c5ea1e47eb740" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\0f9e8c0ca92989e50a62c5ea1e47eb74.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0f9e8c0ca92989e50a62c5ea1e47eb74" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\0f9e8c0ca92989e50a62c5ea1e47eb74.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0f9e8c0ca92989e50a62c5ea1e47eb740" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\0f9e8c0ca92989e50a62c5ea1e47eb74.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\actionqueue\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\actionqueue\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\0f9e8c0ca92989e50a62c5ea1e47eb74.exe

Filesize
2.7MB

MD5
0f9e8c0ca92989e50a62c5ea1e47eb74

SHA1
6076489eb7df53fe1116b3dfd0ff5d87cdfeb3d6

SHA256
524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611

SHA512
8819dc1e48e2343d29ee0420a598ee4e062a19b36190af80a204f08a28cde1e3cbe097d438566d1b12cf3d37f1afb889060fb9b141840de1d005be5087302970

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe

Filesize
2.7MB

MD5
228f590eb9c1ffe666e7939330466739

SHA1
58fb1a4ce9dfcd299bd289a6efd14ac3ea4e1dbf

SHA256
7c196e3edf83f3412a9cc014fbe82307679521d8833954def1e7e8e0c82154e4

SHA512
e094d34219afd5fba39d9c03f3b0eb85810c331f28d80cce9a9760961a376abe672543f219f9acf1a35ad902f8cff577c35db39dad3178234ec2db6108050dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\o5a91V1Q21.bat

Filesize
226B

MD5
d2f193e64e78e35c594bef0f450ce296

SHA1
142f29bea4ad9a8acc924c044d7c9c544f8fefbf

SHA256
976b8e45a16c24da8fa879e60adb157e50332e61a157f26c42e6c589f2d2146b

SHA512
0792831d0a30ffcee84a8d4e4317bf977ca2f2edce1310a0f99be2bc635772f86fe8f9a4e8c819daf0e711abf3b19ceef6f28796d78cfbed1a0f349f4adecfe0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\services.exe

Filesize
2.7MB

MD5
c1445daf8fa1c25d5c36aad205a8928b

SHA1
473638377da428466fae8ab6a0fb1cd293557767

SHA256
67946792976ab5516a3b7ee7954021c2940c4cadef212dc49d7ec407155260bd

SHA512
be4bbc7bfaca7b409cbb4285d069900c6362d88aaf3a318f449b8329492a01b9d509bb7f257c3e5f8a44ddc6ed7aae1a27000469dea17819046dffef53776e07

Download Submit
C:\Users\Public\Pictures\Sample Pictures\services.exe

Filesize
2.7MB

MD5
101cc730536d07d10e6ae21d475dd0b1

SHA1
9ee742703ea1f9270703da782b4a4c37952b5aec

SHA256
8b4cf940c5cedc9a544fe73d503497865b1bad66e68effd6055ca466d9c295cd

SHA512
d9600e46962e49796a79d77e3b6c818c0cdab45914d90cfd10157ab9ef5e92ce6d8eb27c6396d3797e91f76324901a956c00b821d3b9c81eeb3478e0827df6b4

Download Submit
C:\Windows\Fonts\dwm.exe

Filesize
2.7MB

MD5
57bc65aa87102ac5c92b5bb5388ed552

SHA1
d3dae3db8ca24af0182ccec3b227bc0aa6c59e8b

SHA256
c6bb4f33b41b7f95abcd32513fea4160195bcc4c1ae31c58ff5446243066ba5e

SHA512
b94129daf2b3e91b388d9a92d332566bb364fd46321559852a4ec7f8fcb0cd1e203a142504d3758ba10951c18bdcad02bc4840137302164b8fe522e728dd6c89

Download Submit
memory/2120-7-0x00000000009E0000-0x00000000009F6000-memory.dmp

Filesize
88KB

Download
memory/2120-17-0x000000001AA00000-0x000000001AA0C000-memory.dmp

Filesize
48KB

Download
memory/2120-8-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2120-9-0x0000000000C80000-0x0000000000C8A000-memory.dmp

Filesize
40KB

Download
memory/2120-10-0x00000000011B0000-0x0000000001206000-memory.dmp

Filesize
344KB

Download
memory/2120-11-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/2120-12-0x0000000000D20000-0x0000000000D32000-memory.dmp

Filesize
72KB

Download
memory/2120-13-0x0000000001220000-0x0000000001228000-memory.dmp

Filesize
32KB

Download
memory/2120-14-0x000000001A9D0000-0x000000001A9D8000-memory.dmp

Filesize
32KB

Download
memory/2120-15-0x000000001A9E0000-0x000000001A9EC000-memory.dmp

Filesize
48KB

Download
memory/2120-16-0x000000001A9F0000-0x000000001A9FE000-memory.dmp

Filesize
56KB

Download
memory/2120-0-0x000007FEF6063000-0x000007FEF6064000-memory.dmp

Filesize
4KB

Download
memory/2120-18-0x000000001ADE0000-0x000000001ADEA000-memory.dmp

Filesize
40KB

Download
memory/2120-19-0x000000001ADF0000-0x000000001ADFC000-memory.dmp

Filesize
48KB

Download
memory/2120-6-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/2120-5-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/2120-4-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/2120-3-0x0000000000150000-0x000000000015E000-memory.dmp

Filesize
56KB

Download
memory/2120-2-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-1-0x0000000001230000-0x00000000014E4000-memory.dmp

Filesize
2.7MB

Download
memory/2120-193-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-196-0x00000000001F0000-0x00000000004A4000-memory.dmp

Filesize
2.7MB

Download