Analysis
max time kernel: 79s
max time network: 81s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 28/12/2022, 09:20
Behavioral task: behavioral1
Sample: HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Resource: win10v2004-20220812-en
General
Target: HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Size: 1.2MB
MD5: 946561b2f63d2ad390352bcdb1dfc26f
SHA1: e4236fcae840fa1474fc69e1b181710f7cc1bbce
SHA256: 1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02
SHA512: 52492ef2e416d4034dad425551ddf4bff99e52210ca39babfe7da6844c5dcf8371b35d511f6e9f06ca78889cebe93d6bb1642dddc06c3db8597c210dd1fe00a3
SSDEEP: 24576:linPXeVB3y6h9Q7T3UlJkbuIkpcJwOUP49sVz:ry6XxkbnEP1
Malware Config
Signatures
DcRat 25 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description | ioc | pid | Process
 | | 968 | schtasks.exe
 | | 1784 | schtasks.exe
 | | 544 | schtasks.exe
 | | 240 | schtasks.exe
 | | 1360 | schtasks.exe
 | | 944 | schtasks.exe
 | | 948 | schtasks.exe
 | | 1756 | schtasks.exe
 | | 1844 | schtasks.exe
 | | 1792 | schtasks.exe
 | | 1640 | schtasks.exe
 | | 756 | schtasks.exe
 | | 1728 | schtasks.exe
 | | 1740 | schtasks.exe
 | | 1856 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
 | | 1372 | schtasks.exe
 | | 1044 | schtasks.exe
 | | 1788 | schtasks.exe
 | | 828 | schtasks.exe
 | | 1028 | schtasks.exe
 | | 1752 | schtasks.exe
 | | 1484 | schtasks.exe
 | | 1100 | schtasks.exe
 | | 340 | schtasks.exe
Modifies WinLogon for persistence 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Policies\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\csrss.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Policies\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\System.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\smss.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Policies\\taskhost.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Policies\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1792 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1100 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1844 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1372 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1640 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 948 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 968 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1044 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 756 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1728 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1788 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1784 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 544 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 240 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 828 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1360 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 944 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1028 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1756 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1752 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1740 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1484 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 340 | 524 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1856 | 524 | schtasks.exe | 28
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
resource | yara_rule
behavioral1/memory/1260-54-0x00000000001F0000-0x0000000000326000-memory.dmp | dcrat
behavioral1/files/0x0009000000013109-99.dat | dcrat
behavioral1/files/0x0009000000013109-101.dat | dcrat
behavioral1/memory/1372-102-0x00000000012B0000-0x00000000013E6000-memory.dmp | dcrat
Executes dropped EXE 1 IoCs
pid | Process
1372 | smss.exe
Adds Run key to start application 2 TTPs 16 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Idle.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Google\\Policies\\taskhost.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Libraries\\smss.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Google\\Policies\\taskhost.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\csrss.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Defender\\en-US\\System.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\smss.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\csrss.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Idle.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Libraries\\smss.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\smss.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Defender\\en-US\\System.exe\"" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Drops file in Program Files directory 20 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Defender\en-US\System.exe | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX4D21.tmp | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification | C:\Program Files\Windows Defender\en-US\RCX73AC.tmp | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification | C:\Program Files\Windows Defender\en-US\System.exe | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\69ddcba757bf72 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\886983d96e3d3e | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX4A71.tmp | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCX675A.tmp | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File created | C:\Program Files (x86)\Google\Policies\b75386f1303e64 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification | C:\Program Files (x86)\Google\Policies\RCX5414.tmp | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification | C:\Program Files (x86)\Google\Policies\RCX56C4.tmp | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCX6A09.tmp | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification | C:\Program Files\Windows Defender\en-US\RCX70FD.tmp | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File created | C:\Program Files (x86)\Google\Policies\taskhost.exe | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File created | C:\Program Files\Windows Defender\en-US\27d1bcfc3c54e0 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification | C:\Program Files (x86)\Google\Policies\taskhost.exe | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1044 | schtasks.exe
544 | schtasks.exe
240 | schtasks.exe
1756 | schtasks.exe
1792 | schtasks.exe
1372 | schtasks.exe
1640 | schtasks.exe
948 | schtasks.exe
1788 | schtasks.exe
828 | schtasks.exe
944 | schtasks.exe
1740 | schtasks.exe
968 | schtasks.exe
756 | schtasks.exe
1784 | schtasks.exe
1028 | schtasks.exe
1752 | schtasks.exe
1484 | schtasks.exe
340 | schtasks.exe
1856 | schtasks.exe
1100 | schtasks.exe
1844 | schtasks.exe
1728 | schtasks.exe
1360 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
1976 | powershell.exe
1264 | powershell.exe
1972 | powershell.exe
1060 | powershell.exe
692 | powershell.exe
576 | powershell.exe
1152 | powershell.exe
1016 | powershell.exe
856 | powershell.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Token: SeDebugPrivilege | 1372 | smss.exe
Token: SeDebugPrivilege | 1976 | powershell.exe
Token: SeDebugPrivilege | 1264 | powershell.exe
Token: SeDebugPrivilege | 1972 | powershell.exe
Token: SeDebugPrivilege | 1060 | powershell.exe
Token: SeDebugPrivilege | 692 | powershell.exe
Token: SeDebugPrivilege | 576 | powershell.exe
Token: SeDebugPrivilege | 1152 | powershell.exe
Token: SeDebugPrivilege | 1016 | powershell.exe
Token: SeDebugPrivilege | 856 | powershell.exe
Suspicious use of WriteProcessMemory 36 IoCs
description | pid | Process | procid_target
PID 1260 wrote to memory of 692 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 53
PID 1260 wrote to memory of 692 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 53
PID 1260 wrote to memory of 692 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 53
PID 1260 wrote to memory of 1976 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 54
PID 1260 wrote to memory of 1976 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 54
PID 1260 wrote to memory of 1976 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 54
PID 1260 wrote to memory of 1016 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 55
PID 1260 wrote to memory of 1016 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 55
PID 1260 wrote to memory of 1016 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 55
PID 1260 wrote to memory of 1060 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 57
PID 1260 wrote to memory of 1060 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 57
PID 1260 wrote to memory of 1060 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 57
PID 1260 wrote to memory of 1972 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 59
PID 1260 wrote to memory of 1972 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 59
PID 1260 wrote to memory of 1972 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 59
PID 1260 wrote to memory of 1264 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 62
PID 1260 wrote to memory of 1264 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 62
PID 1260 wrote to memory of 1264 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 62
PID 1260 wrote to memory of 1152 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 63
PID 1260 wrote to memory of 1152 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 63
PID 1260 wrote to memory of 1152 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 63
PID 1260 wrote to memory of 576 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 65
PID 1260 wrote to memory of 576 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 65
PID 1260 wrote to memory of 576 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 65
PID 1260 wrote to memory of 856 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 68
PID 1260 wrote to memory of 856 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 68
PID 1260 wrote to memory of 856 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 68
PID 1260 wrote to memory of 1692 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 70
PID 1260 wrote to memory of 1692 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 70
PID 1260 wrote to memory of 1692 | 1260 | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe | 70
PID 1692 wrote to memory of 1044 | 1692 | cmd.exe | 73
PID 1692 wrote to memory of 1044 | 1692 | cmd.exe | 73
PID 1692 wrote to memory of 1044 | 1692 | cmd.exe | 73
PID 1692 wrote to memory of 1372 | 1692 | cmd.exe | 74
PID 1692 wrote to memory of 1372 | 1692 | cmd.exe | 74
PID 1692 wrote to memory of 1372 | 1692 | cmd.exe | 74
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1260 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Idle.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\services.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\smss.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Policies\taskhost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\System.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6oFvJ6q8bf.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:1044
-
-
C:\Users\Public\Libraries\smss.exe"C:\Users\Public\Libraries\smss.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1372
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Policies\taskhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\taskhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Policies\taskhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\System.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\System.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:340
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\System.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 199B
MD5 6a17dc701bf1e6ae23f5ebbedb62fe56
SHA1 4e1f65ab9710029a9a0eb0aa51a5eb245f969d30
SHA256 0524181e77e408c7ff85ecdee4a890645501d9ad5bd93a18418c12036102ef57
SHA512 6e3a32a0ef8efbea7fca808f002f246286cc0e9af91f04b6396a0ba840eed34d761602aeb14b6cbc359289ab63f4f230f8ea02fbf3e0a93d1e7aeee132c97641
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 a251e59360b279e8bbdbe3f3b3387b89
SHA1 ff4c2b5cc8175a07ec694fb3f37539bf492e1a04
SHA256 83bdcf171aae21f150657e53f4725a7ddf0e941e6969ee0d6e278d2c12e58991
SHA512 05109d079a191b030366ae9e35791e4cb34e997d1cae24e52f35953fb55a5a0e656ab0b705bc4c43b75c7502d3bb882efadb4a495e9e223e4ef6f9417a822741
-
Filesize 1.2MB
MD5 32585987ce3e3d5d27e92a1f3e92955f
SHA1 569f123ceb6fb6d52f197220e177fda760d32370
SHA256 24713572541a72bd095e3dc51aaf9d74dab439b097ea566eb5db8315d56acf7d
SHA512 587dde274e91edfb340a8b2707aa307d27e2d22940b5b82c6fd61af714d5c3a6718b263f61ca0d6036c3571c8cfeb829d2f296425cd8b929315cb8fdd5c31ac3