Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-07-2024 08:24
Behavioral task: behavioral1
  Sample: Crack.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Crack.exe
  Resource: win10v2004-20240508-en
General
Target: Crack.exe
Size: 3.5MB
MD5: 4bf2b73b872ff49fbffe6ff7a73f97a8
SHA1: 6c4e33d77e9b7a85b140048f4711d52380d866fc
SHA256: 374290f4bc29e1d5a3295b8f23c281393075beae64db51cd5a5e96c03f9ef8b0
SHA512: 17821b08818ca4d81385a90f0c911f49bbcdb49d7793e26c53752c2a4f0281a435400a69dc9217b8c53d4209be8f9509cd775e42e1c2af5b1729f83f1a7f2695
SSDEEP: 49152:/bA3Ds2r2n5E4UfeAn6ITBLXenQ36kxLGKlHbR7WKzjznJbRVL0x4FCE1zsbq0PI:/bW2nQt6x6l7WUXJ5FhNsW0w
Malware Config
Signatures
-
DcRat 16 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
  pid   process
  2024  schtasks.exe
  240   schtasks.exe
  1576  schtasks.exe
  1484  schtasks.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  fontreview.exe
  2824  schtasks.exe
  2228  schtasks.exe
  1988  schtasks.exe
  1408  schtasks.exe
  1244  schtasks.exe
  2608  schtasks.exe
  688   schtasks.exe
  112   schtasks.exe
  540   schtasks.exe
  2732  schtasks.exe
  1040  schtasks.exe
-
Modifies WinLogon for persistence 2 TTPs 5 IoCs
Processes:
  description / ioc / process
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\""  fontreview.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files\\Google\\dwm.exe\""  fontreview.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files\\Google\\dwm.exe\", \"C:\\Windows\\ja-JP\\audiodg.exe\""  fontreview.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wscript.exe\""  fontreview.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\smss.exe\""  fontreview.exe
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description (all 15 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid   pid_target  process
  1484  2348        schtasks.exe
  240   2348        schtasks.exe
  1244  2348        schtasks.exe
  112   2348        schtasks.exe
  1576  2348        schtasks.exe
  540   2348        schtasks.exe
  688   2348        schtasks.exe
  2608  2348        schtasks.exe
  2024  2348        schtasks.exe
  1988  2348        schtasks.exe
  2824  2348        schtasks.exe
  2732  2348        schtasks.exe
  1408  2348        schtasks.exe
  2228  2348        schtasks.exe
  1040  2348        schtasks.exe
-
UAC bypass 6 IoCs
Processes:
  description      ioc                                                                                                     process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       smss.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   fontreview.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  fontreview.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       fontreview.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   smss.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  smss.exe
-
Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Roaming\Media\fontreview.exe                           dcrat
  behavioral1/memory/2920-18-0x00000000001B0000-0x00000000004FA000-memory.dmp  dcrat
  C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RCX3C1B.tmp    dcrat
  C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe                     dcrat
  behavioral1/memory/816-131-0x0000000001370000-0x00000000016BA000-memory.dmp  dcrat
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  2920  fontreview.exe
  816   smss.exe
-
Loads dropped DLL 2 IoCs
Processes:
  pid   process
  2748  cmd.exe
  2748  cmd.exe
-
Adds Run key to start application 2 TTPs 10 IoCs
Processes:
  description / ioc / process
  Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\""  fontreview.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Google\\dwm.exe\""  fontreview.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\ja-JP\\audiodg.exe\""  fontreview.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\smss.exe\""  fontreview.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\""  fontreview.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Google\\dwm.exe\""  fontreview.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\ja-JP\\audiodg.exe\""  fontreview.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wscript.exe\""  fontreview.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\wscript.exe\""  fontreview.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\smss.exe\""  fontreview.exe
-
Checks whether UAC is enabled 4 IoCs
Processes:
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA        fontreview.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  fontreview.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA        smss.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  smss.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  4     ip-api.com
-
Drops file in Program Files directory 5 IoCs
Processes:
  description                   ioc                                     process
  File opened for modification  C:\Program Files\Google\RCX40B0.tmp     fontreview.exe
  File opened for modification  C:\Program Files\Google\RCX40B1.tmp     fontreview.exe
  File opened for modification  C:\Program Files\Google\dwm.exe         fontreview.exe
  File created                  C:\Program Files\Google\dwm.exe         fontreview.exe
  File created                  C:\Program Files\Google\6cb0b6c459d5d3  fontreview.exe
-
Drops file in Windows directory 5 IoCs
Processes:
  description                   ioc                             process
  File created                  C:\Windows\ja-JP\audiodg.exe    fontreview.exe
  File created                  C:\Windows\ja-JP\42af1c969fbb7b  fontreview.exe
  File opened for modification  C:\Windows\ja-JP\RCX4351.tmp    fontreview.exe
  File opened for modification  C:\Windows\ja-JP\RCX43BF.tmp    fontreview.exe
  File opened for modification  C:\Windows\ja-JP\audiodg.exe    fontreview.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  1244  schtasks.exe
  2608  schtasks.exe
  2228  schtasks.exe
  240   schtasks.exe
  112   schtasks.exe
  540   schtasks.exe
  1408  schtasks.exe
  1576  schtasks.exe
  2024  schtasks.exe
  2824  schtasks.exe
  1484  schtasks.exe
  688   schtasks.exe
  1988  schtasks.exe
  2732  schtasks.exe
  1040  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  2920  fontreview.exe
  816   smss.exe
  (all 64 IoC rows are repeats of these two pid/process pairs)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid  process
  816  smss.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     2920  fontreview.exe
  Token: SeDebugPrivilege     816   smss.exe
  Token: SeBackupPrivilege    2176  vssvc.exe
  Token: SeRestorePrivilege   2176  vssvc.exe
  Token: SeAuditPrivilege     2176  vssvc.exe
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
  description                       pid   process         target process  rows
  PID 2932 wrote to memory of 2928  2932  Crack.exe       WScript.exe     x4
  PID 2932 wrote to memory of 2512  2932  Crack.exe       WScript.exe     x4
  PID 2928 wrote to memory of 2748  2928  WScript.exe     cmd.exe         x4
  PID 2748 wrote to memory of 2920  2748  cmd.exe         fontreview.exe  x4
  PID 2920 wrote to memory of 1672  2920  fontreview.exe  cmd.exe         x3
  PID 1672 wrote to memory of 1940  1672  cmd.exe         w32tm.exe       x3
  PID 1672 wrote to memory of 816   1672  cmd.exe         smss.exe        x3
  PID 816 wrote to memory of 1712   816   smss.exe        WScript.exe     x3
  PID 816 wrote to memory of 1632   816   smss.exe        WScript.exe     x3
  (31 rows in total; identical rows are collapsed with their repeat count)
-
System policy modification 1 TTPs 6 IoCs
Processes:
  description      ioc                                                                                                     process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  smss.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       smss.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   fontreview.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  fontreview.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"       fontreview.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   smss.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows the parent/child relationship; the number in brackets is the depth reported by the sandbox)
-
[1] C:\Users\Admin\AppData\Local\Temp\Crack.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Crack.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Media\ptTa5jsNCfUXu0BBuzB.vbe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c ""C:\Users\Admin\AppData\Roaming\Media\r8iyEc3qvUngPTm4Ix.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\Media\fontreview.exe
          cmd: "C:\Users\Admin\AppData\Roaming\Media\fontreview.exe"
          - DcRat
          - Modifies WinLogon for persistence
          - UAC bypass
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
        [5] C:\Windows\System32\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JBhaqFKSfb.bat"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\w32tm.exe
              cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          [6] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe
              cmd: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe"
              - UAC bypass
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
            [7] C:\Windows\System32\WScript.exe
                cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\490c7e70-82b4-4b66-9603-b39648369662.vbs"
            [7] C:\Windows\System32\WScript.exe
                cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1d0b0c8-ac2a-41fc-9afe-59cba079a48c.vbs"
  [2] C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Media\file.vbs"
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\wscript.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\wscript.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\wscript.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\dwm.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\audiodg.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ja-JP\audiodg.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\audiodg.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
-
[1] C:\Windows\system32\vssvc.exe
    cmd: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\system32\wbem\WmiApSrv.exe
    cmd: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RCX3C1B.tmp
  Filesize: 3.3MB
  MD5: 553b95b8cf4fc79cf8731c931dc80b5b
  SHA1: 3b61ea6d4d25355cd3b0bbf4f8db66aa335a73dd
  SHA256: e04e0c0b8d9adb45df5e4f016e961ed055feed1bed4c73060427a6687fc01c35
  SHA512: 27d2d52d2cdd6eb4cf6480b9d5999368a14b159d82219777df34527bdeb428a15b1f62ae806e8a8bd2499aad6262a5a558a42ddc3bfd68532c5a9ae60ad6612e
-
C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe
  Filesize: 3.3MB
  MD5: 2975bf45db25ea1f2afb84610e60ac3b
  SHA1: 0e08282f875d384de965e38957aff791b3cb7b25
  SHA256: d1c75efc8480954bc1b567bd9e04306d930448923c9c8ee1f210ba5e2d0c902c
  SHA512: 270bad378c44dae68bfaefceebf851290c08183079bd0947e1ca0bea6bc07abb908f8f0ebde0e9f27d2036bc85e7982f56039d1e7cde9a88d837fb022976049e
-
C:\Users\Admin\AppData\Local\Temp\490c7e70-82b4-4b66-9603-b39648369662.vbs
  Filesize: 746B
  MD5: 670dd42efbe7197c0f152f811d8a0f23
  SHA1: 9a13835b4b19105d5c9663a0bc9ff0a43c51014d
  SHA256: f6e5223040106272582de4461ca9f0e57d8e325239c65d8c8cc762a398994690
  SHA512: c893c467fdc5d6660180a4366c842701d540f8babeecf5130ca137e318fda1b57ade9d1f6ddc4a96afe0c30ba2034f679f5469ce03461db4043abed14c88597c
-
C:\Users\Admin\AppData\Local\Temp\JBhaqFKSfb.bat
  Filesize: 236B
  MD5: a455ca89f67b0e2d744dfc3592d3b5ff
  SHA1: 575a7db035c9a56cd5cef5150c366cb99db188e0
  SHA256: 023006c5dee281e91f77416db83e0b420a43cc5cb5b3a48d0ae0213f0d3da277
  SHA512: bc90906dac1e455bae226a2bab1e2a7c6e7d4523cc9b939e2e8a20da10f5bace344196142f1e8646f9b2e0f35ab5fc37b362fe5838ee1c94b5d260e8bf2bbe60
-
C:\Users\Admin\AppData\Local\Temp\a1d0b0c8-ac2a-41fc-9afe-59cba079a48c.vbs
  Filesize: 523B
  MD5: 33249fc1f2aa39fd7d2b6c1735fb8264
  SHA1: f94b1d19f743dbe4b5a0b858e5467308a7dafab3
  SHA256: 1321401794511f615a89b9e5c3a45b30a60ac2b99243a7d060f5151fff1cae0e
  SHA512: 507f01395b9213e2af70476696fd60aa510a59cf8315f6b8fcc607a7c5df264b3ac3de7bc7f28cf63806d60d05236a0eb3a84b46f5f36fb47dd844b4e707bd49
-
C:\Users\Admin\AppData\Roaming\Media\file.vbs
  Filesize: 34B
  MD5: 677cc4360477c72cb0ce00406a949c61
  SHA1: b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
  SHA256: f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
  SHA512: 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
C:\Users\Admin\AppData\Roaming\Media\fontreview.exe
  Filesize: 3.3MB
  MD5: ee603f48c1f35659899993e21fd33d8f
  SHA1: 86ee8bd079b178b31df3522c08a040aac575a6c6
  SHA256: f76ce5581a109be6e0d8358e0dc15a8dea066cb27256628a315e6edd94264b0c
  SHA512: 02ea39ee7d7cd30a588846d3da89ed89b8a4f322b1a58db1753633fd20d9066d2921bfe5685322f79c76d6466190fd34b8555f14363ed2607f759d64c254b0d8
-
C:\Users\Admin\AppData\Roaming\Media\ptTa5jsNCfUXu0BBuzB.vbe
  Filesize: 204B
  MD5: 022c5590f72d752d578df8eb3f03d355
  SHA1: 9519d3ea40324448e06863b196dd23e7d4a12dac
  SHA256: 8c2161c0de7a3e07e53766e6e267fe23f98c2cdeef31220eaa68be1bf48e0eb7
  SHA512: 269369042c72fc985823e7938cd8635bf85f9c59e07a3065742321d7639c3a7865b807470ffb4efabb5573ecb1413463c0d270a6aa309786905286b6ad6db01a
-
C:\Users\Admin\AppData\Roaming\Media\r8iyEc3qvUngPTm4Ix.bat
  Filesize: 32B
  MD5: c1ba58455a6a3970b127d9a7e1314cf0
  SHA1: 9855d4f713ba963f0976df6d5e1616d471265b70
  SHA256: f1fc9c92abe5e1a915c0f3dfdbe9df00bc60a6163025574a33c1e48a8ae9eefb
  SHA512: 56a782da20e4e5e4233a530e32f564e94dfd4cb0643b7a63d07d6f3f4ef51ae0cbf0cff21cc9472b5ff0774afc753151a3da40871d1559ccd340307dfc9edd0c