dcrat | f1aceefbbb01466f19ac3e421082e81bf0c90e2d758665bb8124b5ebf14b5743

Analysis

max time kernel
63s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22-09-2022 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Size

1.5MB
MD5

152fc3939962d6e1e572f00b33daf7b6
SHA1

25a7bebb0bdce7657fc563949befbf52021b5ea0
SHA256

f1aceefbbb01466f19ac3e421082e81bf0c90e2d758665bb8124b5ebf14b5743
SHA512

ba0700f093f904470b739363f5825b5ff7a0039dd2f70f3d2795496875bccfa5eadcb7794675d48fd437c3ced03fa454bad7e6dad7b5e9be2ef7a469433ee9e2
SSDEEP

24576:0crm83KQ6jF2oZkbkXu8MEG7GuR8jZBipt62ob1BKzickKhnakY:3XaJA86h7GuRIBat0BKvhX

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat 54 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1248	schtasks.exe
		2180	schtasks.exe
		2224	schtasks.exe
		1728	schtasks.exe
		1584	schtasks.exe
		560	schtasks.exe
		960	schtasks.exe
		1836	schtasks.exe
		2064	schtasks.exe
		1936	schtasks.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\27d1bcfc3c54e0		F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
		1844	schtasks.exe
		2388	schtasks.exe
		2500	schtasks.exe
		912	schtasks.exe
		1436	schtasks.exe
		1072	schtasks.exe
		976	schtasks.exe
		1700	schtasks.exe
		1564	schtasks.exe
		2108	schtasks.exe
		1156	schtasks.exe
		2436	schtasks.exe
		1436	schtasks.exe
		1176	schtasks.exe
		2412	schtasks.exe
		520	schtasks.exe
		2268	schtasks.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\System.exe		F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
		1036	schtasks.exe
		580	schtasks.exe
		684	schtasks.exe
		2128	schtasks.exe
		2316	schtasks.exe
		2480	schtasks.exe
		996	schtasks.exe
		2204	schtasks.exe
		2248	schtasks.exe
		760	schtasks.exe
		1416	schtasks.exe
		2156	schtasks.exe
		2296	schtasks.exe
		1112	schtasks.exe
		860	schtasks.exe
		832	schtasks.exe
		432	schtasks.exe
		2340	schtasks.exe
		2028	schtasks.exe
		2036	schtasks.exe
		2084	schtasks.exe
		2360	schtasks.exe
		832	schtasks.exe
		1192	schtasks.exe
		2452	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Users\\Public\\lsm.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\wininit.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Users\\Public\\lsm.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\wininit.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\lsass.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Users\\Public\\lsm.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\wininit.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\lsass.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\spoolsv.exe\", \"C:\\Windows\\Tasks\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\lsass.exe\", \"C:\\ProgramData\\Application Data\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\spoolsv.exe\", \"C:\\ProgramData\\Documents\\taskhost.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\System.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\es-ES\\csrss.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Users\\Public\\lsm.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Users\\Public\\lsm.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\csrss.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Users\\Public\\lsm.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\wininit.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\lsass.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\spoolsv.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Users\\Public\\lsm.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\wininit.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\lsass.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\spoolsv.exe\", \"C:\\Windows\\Tasks\\taskhost.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Users\\Public\\lsm.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\wininit.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\lsass.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\spoolsv.exe\", \"C:\\Windows\\Tasks\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Users\\Public\\lsm.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\wininit.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\lsass.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\spoolsv.exe\", \"C:\\Windows\\Tasks\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\lsass.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Users\\Public\\lsm.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\wininit.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\lsass.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\spoolsv.exe\", \"C:\\Windows\\Tasks\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\lsass.exe\", \"C:\\ProgramData\\Application Data\\Idle.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Users\\Public\\lsm.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\csrss.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\wininit.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\lsass.exe\", \"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\spoolsv.exe\", \"C:\\Windows\\Tasks\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\lsass.exe\", \"C:\\ProgramData\\Application Data\\Idle.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\spoolsv.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe

Process spawned unexpected child process 52 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	1588	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1588	schtasks.exe	28

Executes dropped EXE 1 IoCs

pid	Process
2536	Idle.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\c11c4da2-1a8a-11ed-8505-e0b24281b398\\spoolsv.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\lsass.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\Application Data\\Idle.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\spoolsv.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\ProgramData\\Documents\\taskhost.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows NT\\Accessories\\es-ES\\csrss.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Mozilla Firefox\\fonts\\wininit.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\lsass.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\Tasks\\taskhost.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Uninstall Information\\csrss.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\System.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Public\\lsm.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Journal\\ja-JP\\csrss.exe\""	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\System.exe	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\27d1bcfc3c54e0	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files\Common Files\Microsoft Shared\lsass.exe	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\lsass.exe	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files\Mozilla Firefox\fonts\wininit.exe	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\spoolsv.exe	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\f3b6ecef712a24	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\System.exe	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files\Windows Journal\ja-JP\csrss.exe	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files\Windows Journal\ja-JP\886983d96e3d3e	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\6203df4a6bafc7	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\886983d96e3d3e	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files\Mozilla Firefox\fonts\56085415360792	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files\Common Files\Microsoft Shared\6203df4a6bafc7	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\taskhost.exe	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
File created	C:\Windows\Tasks\b75386f1303e64	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 52 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1728	schtasks.exe
1192	schtasks.exe
1248	schtasks.exe
1436	schtasks.exe
832	schtasks.exe
2064	schtasks.exe
2296	schtasks.exe
2388	schtasks.exe
2452	schtasks.exe
684	schtasks.exe
580	schtasks.exe
832	schtasks.exe
2036	schtasks.exe
1836	schtasks.exe
2156	schtasks.exe
2180	schtasks.exe
2268	schtasks.exe
2316	schtasks.exe
1036	schtasks.exe
976	schtasks.exe
520	schtasks.exe
432	schtasks.exe
2248	schtasks.exe
2360	schtasks.exe
2412	schtasks.exe
760	schtasks.exe
996	schtasks.exe
560	schtasks.exe
2028	schtasks.exe
2084	schtasks.exe
2108	schtasks.exe
960	schtasks.exe
1112	schtasks.exe
1584	schtasks.exe
860	schtasks.exe
1564	schtasks.exe
1936	schtasks.exe
1072	schtasks.exe
1156	schtasks.exe
1416	schtasks.exe
1844	schtasks.exe
2480	schtasks.exe
1436	schtasks.exe
912	schtasks.exe
1176	schtasks.exe
2204	schtasks.exe
2436	schtasks.exe
2500	schtasks.exe
1700	schtasks.exe
2128	schtasks.exe
2224	schtasks.exe
2340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1912	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
1912	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
1912	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
Token: SeDebugPrivilege	2536	Idle.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2536	1912	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe	81
PID 1912 wrote to memory of 2536	1912	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe	81
PID 1912 wrote to memory of 2536	1912	F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe	81

C:\Users\Admin\AppData\Local\Temp\F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe
"C:\Users\Admin\AppData\Local\Temp\F1ACEEFBBB01466F19AC3E421082E81BF0C90E2D75866.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\ProgramData\Application Data\Idle.exe
  "C:\ProgramData\Application Data\Idle.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 7 /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONSTART /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Public\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONSTART /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONSTART /tr "'C:\Program Files\Common Files\Microsoft Shared\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Microsoft Shared\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 6 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONSTART /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Tasks\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONSTART /tr "'C:\Windows\Tasks\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONSTART /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONSTART /tr "'C:\ProgramData\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Application Data\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONSTART /tr "'C:\Program Files\Windows Sidebar\Gadgets\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Documents\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\ProgramData\Documents\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONSTART /tr "'C:\ProgramData\Documents\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Documents\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Application Data\Idle.exe

Filesize
1.5MB

MD5
152fc3939962d6e1e572f00b33daf7b6

SHA1
25a7bebb0bdce7657fc563949befbf52021b5ea0

SHA256
f1aceefbbb01466f19ac3e421082e81bf0c90e2d758665bb8124b5ebf14b5743

SHA512
ba0700f093f904470b739363f5825b5ff7a0039dd2f70f3d2795496875bccfa5eadcb7794675d48fd437c3ced03fa454bad7e6dad7b5e9be2ef7a469433ee9e2

Download Submit
C:\ProgramData\Idle.exe

Filesize
1.5MB

MD5
152fc3939962d6e1e572f00b33daf7b6

SHA1
25a7bebb0bdce7657fc563949befbf52021b5ea0

SHA256
f1aceefbbb01466f19ac3e421082e81bf0c90e2d758665bb8124b5ebf14b5743

SHA512
ba0700f093f904470b739363f5825b5ff7a0039dd2f70f3d2795496875bccfa5eadcb7794675d48fd437c3ced03fa454bad7e6dad7b5e9be2ef7a469433ee9e2

Download Submit
memory/1912-62-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/1912-63-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download
memory/1912-58-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/1912-59-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/1912-60-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/1912-61-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/1912-54-0x00000000011B0000-0x000000000133C000-memory.dmp

Filesize
1.5MB

Download
memory/1912-57-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/1912-64-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/1912-65-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/1912-66-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/1912-55-0x0000000000530000-0x000000000054C000-memory.dmp

Filesize
112KB

Download
memory/1912-56-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/2536-70-0x0000000000B30000-0x0000000000CBC000-memory.dmp

Filesize
1.5MB

Download
memory/2536-71-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download