Overview

overview

10

Static

static

3

cc92c665e4...1e.exe

windows7-x64

10

cc92c665e4...1e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    27-01-2025 04:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc92c665e4e26f4bf880e69666f019f9d568533510d8ca3d5e4651c1e121231e.exe

  • Size

    3.8MB

  • MD5

    23de5c2c4de1af322b48d8fb54f52082

  • SHA1

    bace8711338a1c79605866759fadd2c7adbb2630

  • SHA256

    cc92c665e4e26f4bf880e69666f019f9d568533510d8ca3d5e4651c1e121231e

  • SHA512

    3c592202fda82055fb2ae73bd00dc7c8bbe075b85830469eb81f8605ff34ac62023c2c3c8669bd67bb9622a407a93a047a8d8995fbad324c443bf58422d09ae2

  • SSDEEP

    98304:jdkCCK3XXQO18VeWtC7ZoAxFoHzL2SUKaMDmI:jdkCCKnXt1l7ZzSUKawmI

Score
10/10
dcratdefense_evasiondiscoveryexecutioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 57 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    defense_evasiontrojan
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    defense_evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • System policy modification 1 TTPs 12 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc92c665e4e26f4bf880e69666f019f9d568533510d8ca3d5e4651c1e121231e.exe
    "C:\Users\Admin\AppData\Local\Temp\cc92c665e4e26f4bf880e69666f019f9d568533510d8ca3d5e4651c1e121231e.exe"
    1⤵
    • DcRat
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
      "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
      2⤵
      • DcRat
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Users\Admin\AppData\Local\Temp\Injector.exe
      "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ChaincomponentWebCrt\TyN1beQAOk.vbe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\ChaincomponentWebCrt\MPvPPnEP8ql73Oq.bat" "
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\ChaincomponentWebCrt\Componentmonitor.exe
            "C:\ChaincomponentWebCrt\Componentmonitor.exe"
            5⤵
            • DcRat
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1844
            • C:\ChaincomponentWebCrt\Componentmonitor.exe
              "C:\ChaincomponentWebCrt\Componentmonitor.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2364
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OUzXbIOWmP.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2064
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  8⤵
                    PID:2076
                  • C:\ChaincomponentWebCrt\Componentmonitor.exe
                    "C:\ChaincomponentWebCrt\Componentmonitor.exe"
                    8⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Drops file in Windows directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:716
                    • C:\ChaincomponentWebCrt\spoolsv.exe
                      "C:\ChaincomponentWebCrt\spoolsv.exe"
                      9⤵
                      • UAC bypass
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Suspicious behavior: EnumeratesProcesses
                      • System policy modification
                      PID:1292
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2344
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:716
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2080
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\audiodg.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\de-DE\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1512
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\en-US\System.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\System.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:236
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\System.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2616
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3012
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\ChaincomponentWebCrt\WmiPrvSE.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1616
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ChaincomponentWebCrt\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\ChaincomponentWebCrt\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2800
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\winlogon.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\twain_32\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\services.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2692
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\lsm.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\lsm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1324
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\lsm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\OSPPSVC.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\debug\WIA\OSPPSVC.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2188
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\WIA\OSPPSVC.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1660
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1860
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\ChaincomponentWebCrt\spoolsv.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ChaincomponentWebCrt\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\ChaincomponentWebCrt\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1288
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:800
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2256
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1728
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\ChaincomponentWebCrt\lsm.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\ChaincomponentWebCrt\lsm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\ChaincomponentWebCrt\lsm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1796

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ChaincomponentWebCrt\MPvPPnEP8ql73Oq.bat
      Filesize

      46B

      MD5

      12c9bbff6c5b9ccf2998ead53eb4a7a1

      SHA1

      2bfc95bf289ee50b43e4441a7b1addaa643d605c

      SHA256

      09fd9ed68963fa1404292b9fa84d51b57cd3bfffc73808dc20a1807947bd70f8

      SHA512

      c02d02a3d8f5cbf9b28047001dc130b63e63c67b97578d4c675a2c58615c7a7b803a8ce76218a2c10b7c5e5c6d541d0e2571566719c6ce27ca66a9b42cddaa93

      Download Submit

    • C:\ChaincomponentWebCrt\TyN1beQAOk.vbe
      Filesize

      212B

      MD5

      ddbf10d9165a769a6d20fcd2e118bd0d

      SHA1

      7b872ed9f4f48bdb2b2de5cc3406d39135e5ba82

      SHA256

      69a84572c197b52b3beb9ec67145c4c1d198936bcc5846a1439da09015790401

      SHA512

      9c5b2bb9e9abe544bd05ded6aa4c23732b0afee6f95853255a67dcbfa6cc228b850bb273576e0988e37db04c0a854e7b8be648d967a13e4fac705b7e20803e02

      Download Submit

    • C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXB88D.tmp
      Filesize

      2.7MB

      MD5

      87006d66e8d6786aaa070a7095400645

      SHA1

      68a3e6d9d811caa515e18d62e355ac2903505afe

      SHA256

      cf8eebc2deace46b589143dee2f6ab6395304029fbe864093e6870949651e608

      SHA512

      f2c2e8c03b74e8cc1f2fe2938bab4f5cde23f0f7f8290bb509615085fb1f35baef8c3c47f726a8b22f5f44c6828bfce9ba7f64923715a8df28df999de702effd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
      Filesize

      1.9MB

      MD5

      ec801a7d4b72a288ec6c207bb9ff0131

      SHA1

      32eec2ae1f9e201516fa7fcdc16c4928f7997561

      SHA256

      b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

      SHA512

      a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Injector.exe
      Filesize

      3.0MB

      MD5

      cdc73a31577a496fc31045ab14c36068

      SHA1

      a3f346391fd71d9c38b750ef843d33c9a05385a9

      SHA256

      b5bc765bb2a46b9a737ea217cf2a12e50d0b56d27c42a78af873bb970b18fcd3

      SHA512

      9f7b901ecce8d46ab2b4afe0f901d7ce0a52f5d34642f0d21d91c0cc54709ab958c1445a6b58cb3328c87d104fd65bd4b09446456aefd0d9a875e5fe0ff6f687

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\OUzXbIOWmP.bat
      Filesize

      209B

      MD5

      3fc2027730748a6d5ba102a02cc839eb

      SHA1

      7eb0d549ca9b7f465bc1fbe7c2ca030b95078383

      SHA256

      33d8b507dbf285acb551e3eb556d736ff984d0f74faa8d0b322589fc49191ed0

      SHA512

      ed0aac0935246f60d483d901746bf1e9b92005537ff26cca3a2480307690b76e9574b910a28064cb3e5206022aadd1d5bf215796fb624e0b8e25c1f8bafcf24f

      Download Submit

    • C:\Windows\de-DE\audiodg.exe
      Filesize

      2.7MB

      MD5

      545dc548b12729d20dfb895b85fa81a3

      SHA1

      224b69a2efe456e35fa7b01f44919ae2dc1c0503

      SHA256

      1535a1ac19464cbbbca3557bf0c384766a64a2d7cdec7714ea25087416d467ca

      SHA512

      43455862d80af2cae68a056a3f2231911fb9cfd494beacbd72eb897fab41107ee45aff9364fee14baf7fd696d8af1e9449d43b7ff38e271e6de9aa2beccb9e1d

      Download Submit

    • \ChaincomponentWebCrt\Componentmonitor.exe
      Filesize

      2.7MB

      MD5

      15745dcd5fc0fcfea4f0f0b1eaf81ad6

      SHA1

      258fc8e175f596d59139f0588368f74c3ef65150

      SHA256

      015cc3f392cb4c3b3d705a3edef3ed94031e8cd6b2d4a80b4123ce60319f1ce1

      SHA512

      41651c352fb29ce7242929f6314eed8111fbcb5e12f5b7a7ca826c8e3a6a401844ab09b454b33ed40f429a50861623af22d28c940f90d12a7225c90fb4ead021

      Download Submit

    • memory/716-168-0x0000000000650000-0x0000000000662000-memory.dmp

      Filesize

      72KB

      Download

    • memory/716-167-0x0000000000670000-0x00000000006C6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1292-199-0x0000000001060000-0x0000000001314000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/1292-200-0x0000000000CF0000-0x0000000000D46000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1844-45-0x00000000004C0000-0x00000000004CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1844-48-0x0000000000660000-0x0000000000672000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1844-39-0x00000000001D0000-0x00000000001DE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1844-40-0x00000000001E0000-0x00000000001FC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1844-42-0x0000000000480000-0x0000000000490000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1844-41-0x0000000000200000-0x0000000000208000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1844-43-0x0000000000490000-0x00000000004A6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1844-38-0x0000000001180000-0x0000000001434000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/1844-44-0x00000000004B0000-0x00000000004B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1844-46-0x0000000000AA0000-0x0000000000AF6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1844-47-0x00000000004D0000-0x00000000004D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1844-55-0x0000000000C30000-0x0000000000C3C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1844-49-0x0000000000B50000-0x0000000000B58000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1844-50-0x0000000000B60000-0x0000000000B68000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1844-51-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1844-52-0x0000000000C00000-0x0000000000C0E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1844-54-0x0000000000C20000-0x0000000000C2A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1844-53-0x0000000000C10000-0x0000000000C1C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2364-132-0x0000000000D70000-0x0000000000D82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2828-15-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2828-14-0x000000001B330000-0x000000001B612000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2920-32-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2920-9-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2920-8-0x0000000000980000-0x0000000000B66000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2948-21-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2948-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2948-4-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2948-1-0x00000000003A0000-0x000000000076A000-memory.dmp

      Filesize

      3.8MB

      Download