dcrat | 05379ea4600304f51cffa8d1ee9e3b2931a69129f6bed14d45a500d966a71fca

General

Target

54172888b473f2515b13fe1e2032a112.exe
Size

1.2MB
MD5

54172888b473f2515b13fe1e2032a112
SHA1

fc4ff4d53a1ea6cfee9265840bfc1dda0ee8c1e6
SHA256

05379ea4600304f51cffa8d1ee9e3b2931a69129f6bed14d45a500d966a71fca
SHA512

d09ce140712a46f3f94eaaf0c567ca30ce6de8b81ed8b45961cf6f4211225b43e6944dba769c212e11f836cf579932883a28d798353af9d6bd71c40e8a8f90a5

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	176	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	4436	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	4436	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\comproviderRuntimecommon\chainsavesref.exe	dcrat
C:\comproviderRuntimecommon\chainsavesref.exe	dcrat
behavioral2/memory/2252-137-0x0000000000860000-0x0000000000936000-memory.dmp	dcrat
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	dcrat
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

chainsavesref.execsrss.exe

pid process

2252 chainsavesref.exe
1892 csrss.exe

pid	process
2252	chainsavesref.exe
1892	csrss.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exechainsavesref.exe54172888b473f2515b13fe1e2032a112.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	chainsavesref.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	54172888b473f2515b13fe1e2032a112.exe

Drops file in Program Files directory 10 IoCs

Processes:

chainsavesref.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Update\Offline\38384e6a620884	chainsavesref.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	chainsavesref.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe	chainsavesref.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\ea1d8f6d871115	chainsavesref.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe	chainsavesref.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\5b884080fd4f94	chainsavesref.exe
File created	C:\Program Files (x86)\Google\Update\Offline\SearchApp.exe	chainsavesref.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e	chainsavesref.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU39.tmp\dllhost.exe	chainsavesref.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU39.tmp\5940a34987c991	chainsavesref.exe

Drops file in Windows directory 2 IoCs

Processes:

chainsavesref.exe

description ioc process

File created C:\Windows\PLA\chainsavesref.exe chainsavesref.exe
File created C:\Windows\PLA\0d92ca00b4a11c chainsavesref.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\PLA\chainsavesref.exe	chainsavesref.exe
File created	C:\Windows\PLA\0d92ca00b4a11c	chainsavesref.exe

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1496	schtasks.exe
2156	schtasks.exe
4644	schtasks.exe
1852	schtasks.exe
3920	schtasks.exe
4820	schtasks.exe
3200	schtasks.exe
1988	schtasks.exe
4956	schtasks.exe
848	schtasks.exe
856	schtasks.exe
4120	schtasks.exe
3608	schtasks.exe
4360	schtasks.exe
4420	schtasks.exe
4296	schtasks.exe
3148	schtasks.exe
4864	schtasks.exe
1048	schtasks.exe
4144	schtasks.exe
176	schtasks.exe
4632	schtasks.exe
3668	schtasks.exe
4796	schtasks.exe
2732	schtasks.exe
5016	schtasks.exe
1692	schtasks.exe
224	schtasks.exe
4752	schtasks.exe
4872	schtasks.exe
2772	schtasks.exe
2164	schtasks.exe
3736	schtasks.exe
3524	schtasks.exe
428	schtasks.exe
2588	schtasks.exe
912	schtasks.exe
432	schtasks.exe
4272	schtasks.exe
1120	schtasks.exe
4500	schtasks.exe
4916	schtasks.exe
1596	schtasks.exe
3204	schtasks.exe
1540	schtasks.exe

Modifies registry class 1 IoCs

Processes:

54172888b473f2515b13fe1e2032a112.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings	54172888b473f2515b13fe1e2032a112.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chainsavesref.execsrss.exe

pid process

2252 chainsavesref.exe
2252 chainsavesref.exe
2252 chainsavesref.exe
2252 chainsavesref.exe
2252 chainsavesref.exe
1892 csrss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

chainsavesref.execsrss.exe

description pid process

Token: SeDebugPrivilege 2252 chainsavesref.exe
Token: SeDebugPrivilege 1892 csrss.exe

pid	process
2252	chainsavesref.exe
2252	chainsavesref.exe
2252	chainsavesref.exe
2252	chainsavesref.exe
2252	chainsavesref.exe
1892	csrss.exe

description	pid	process
Token: SeDebugPrivilege	2252	chainsavesref.exe
Token: SeDebugPrivilege	1892	csrss.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

54172888b473f2515b13fe1e2032a112.exeWScript.execmd.exechainsavesref.exe

description	pid	process	target process
PID 2480 wrote to memory of 3124	2480	54172888b473f2515b13fe1e2032a112.exe	WScript.exe
PID 2480 wrote to memory of 3124	2480	54172888b473f2515b13fe1e2032a112.exe	WScript.exe
PID 2480 wrote to memory of 3124	2480	54172888b473f2515b13fe1e2032a112.exe	WScript.exe
PID 3124 wrote to memory of 4516	3124	WScript.exe	cmd.exe
PID 3124 wrote to memory of 4516	3124	WScript.exe	cmd.exe
PID 3124 wrote to memory of 4516	3124	WScript.exe	cmd.exe
PID 4516 wrote to memory of 2252	4516	cmd.exe	chainsavesref.exe
PID 4516 wrote to memory of 2252	4516	cmd.exe	chainsavesref.exe
PID 2252 wrote to memory of 1892	2252	chainsavesref.exe	csrss.exe
PID 2252 wrote to memory of 1892	2252	chainsavesref.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\54172888b473f2515b13fe1e2032a112.exe
"C:\Users\Admin\AppData\Local\Temp\54172888b473f2515b13fe1e2032a112.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\comproviderRuntimecommon\chainsavesref.exe
"C:\comproviderRuntimecommon\chainsavesref.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Documents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Offline\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\Offline\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\comproviderRuntimecommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\comproviderRuntimecommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\comproviderRuntimecommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainsavesrefc" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\chainsavesref.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainsavesref" /sc ONLOGON /tr "'C:\Windows\PLA\chainsavesref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainsavesrefc" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\chainsavesref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Temp\EU39.tmp\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\EU39.tmp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Temp\EU39.tmp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3204

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
Filesize
828KB

MD5
4eaf964b744bd6801b5122ae1afbbde4

SHA1
6e459fb6f3c6b7094d8d5af10bc30c87aee03981

SHA256
b570e2028088759d02ea13f7646bf7aca78865d55f7fd8e2efaeec45c670e9ff

SHA512
dc3e15ab58996c71e8999dd5521961f2bd08529f685465bca5b11319ef0b4dc009f2528097adce0dca44fc675ba04156f9846f986f07a3e8ced366d5abbd2d4a

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
Filesize
828KB

MD5
4eaf964b744bd6801b5122ae1afbbde4

SHA1
6e459fb6f3c6b7094d8d5af10bc30c87aee03981

SHA256
b570e2028088759d02ea13f7646bf7aca78865d55f7fd8e2efaeec45c670e9ff

SHA512
dc3e15ab58996c71e8999dd5521961f2bd08529f685465bca5b11319ef0b4dc009f2528097adce0dca44fc675ba04156f9846f986f07a3e8ced366d5abbd2d4a

Download Submit
C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat
Filesize
47B

MD5
665bda14c5e0f28a4fcaab8726dc6ebe

SHA1
16deb93757751e2d66e05c2c22505db113fa96ba

SHA256
09c3e02a4caad39e7c91f0ba1cc93c8c727d23b306da9129cca1d0955880c33e

SHA512
51e85507a8c515fb3fe854a5d969c83d4c6add05284a11232b773eebd19ba2b148b01ce116d65d6bf7cdfc13064abff8f0e69825630446e00b7846eb16ed8cb5

Download Submit
C:\comproviderRuntimecommon\chainsavesref.exe
Filesize
828KB

MD5
4eaf964b744bd6801b5122ae1afbbde4

SHA1
6e459fb6f3c6b7094d8d5af10bc30c87aee03981

SHA256
b570e2028088759d02ea13f7646bf7aca78865d55f7fd8e2efaeec45c670e9ff

SHA512
dc3e15ab58996c71e8999dd5521961f2bd08529f685465bca5b11319ef0b4dc009f2528097adce0dca44fc675ba04156f9846f986f07a3e8ced366d5abbd2d4a

Download Submit
C:\comproviderRuntimecommon\chainsavesref.exe
Filesize
828KB

MD5
4eaf964b744bd6801b5122ae1afbbde4

SHA1
6e459fb6f3c6b7094d8d5af10bc30c87aee03981

SHA256
b570e2028088759d02ea13f7646bf7aca78865d55f7fd8e2efaeec45c670e9ff

SHA512
dc3e15ab58996c71e8999dd5521961f2bd08529f685465bca5b11319ef0b4dc009f2528097adce0dca44fc675ba04156f9846f986f07a3e8ced366d5abbd2d4a

Download Submit
C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe
Filesize
221B

MD5
57f4cbf8c281acde2c48327dfb2b3c45

SHA1
f752ff26e32bed28f91712e5322d438adae0d6f4

SHA256
0864baa556adddc451e8ad0acbdfbaf692a7371a5cbb8ef2b2b83aa05c56fb39

SHA512
cf9ef8920df9e3bd5cb9f907616c48bf0267df974987774495f84d49999e54a626f96b8221dda23abbed5e753c1f53725ffe896a43b0cba41ee0eacdc1f6bddb

Download Submit
memory/1892-139-0x0000000000000000-mapping.dmp

Download
memory/1892-143-0x00007FFB653B0000-0x00007FFB65E71000-memory.dmp

Filesize
10.8MB

Download
memory/1892-144-0x00007FFB653B0000-0x00007FFB65E71000-memory.dmp

Filesize
10.8MB

Download
memory/2252-137-0x0000000000860000-0x0000000000936000-memory.dmp

Filesize
856KB

Download
memory/2252-138-0x00007FFB653B0000-0x00007FFB65E71000-memory.dmp

Filesize
10.8MB

Download
memory/2252-134-0x0000000000000000-mapping.dmp

Download
memory/2252-142-0x00007FFB653B0000-0x00007FFB65E71000-memory.dmp

Filesize
10.8MB

Download
memory/3124-130-0x0000000000000000-mapping.dmp

Download
memory/4516-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads