dcrat | 1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02

Analysis

max time kernel
79s
max time network
81s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/12/2022, 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Size

1.2MB
MD5

946561b2f63d2ad390352bcdb1dfc26f
SHA1

e4236fcae840fa1474fc69e1b181710f7cc1bbce
SHA256

1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02
SHA512

52492ef2e416d4034dad425551ddf4bff99e52210ca39babfe7da6844c5dcf8371b35d511f6e9f06ca78889cebe93d6bb1642dddc06c3db8597c210dd1fe00a3
SSDEEP

24576:linPXeVB3y6h9Q7T3UlJkbuIkpcJwOUP49sVz:ry6XxkbnEP1

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 25 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		968	schtasks.exe
		1784	schtasks.exe
		544	schtasks.exe
		240	schtasks.exe
		1360	schtasks.exe
		944	schtasks.exe
		948	schtasks.exe
		1756	schtasks.exe
		1844	schtasks.exe
		1792	schtasks.exe
		1640	schtasks.exe
		756	schtasks.exe
		1728	schtasks.exe
		1740	schtasks.exe
		1856	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
		1372	schtasks.exe
		1044	schtasks.exe
		1788	schtasks.exe
		828	schtasks.exe
		1028	schtasks.exe
		1752	schtasks.exe
		1484	schtasks.exe
		1100	schtasks.exe
		340	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Policies\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\csrss.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Policies\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\System.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\smss.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Policies\\taskhost.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\", \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Policies\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	524	schtasks.exe	28

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1260-54-0x00000000001F0000-0x0000000000326000-memory.dmp	dcrat
behavioral1/files/0x0009000000013109-99.dat	dcrat
behavioral1/files/0x0009000000013109-101.dat	dcrat
behavioral1/memory/1372-102-0x00000000012B0000-0x00000000013E6000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1372	smss.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Idle.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Google\\Policies\\taskhost.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Libraries\\smss.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Google\\Policies\\taskhost.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\csrss.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Defender\\en-US\\System.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\services.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\smss.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\csrss.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Idle.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Libraries\\smss.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\smss.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Defender\\en-US\\System.exe\""	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\en-US\System.exe	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX4D21.tmp	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\RCX73AC.tmp	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\System.exe	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\69ddcba757bf72	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\886983d96e3d3e	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX4A71.tmp	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCX675A.tmp	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File created	C:\Program Files (x86)\Google\Policies\b75386f1303e64	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\RCX5414.tmp	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\RCX56C4.tmp	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCX6A09.tmp	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\RCX70FD.tmp	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File created	C:\Program Files (x86)\Google\Policies\taskhost.exe	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File created	C:\Program Files\Windows Defender\en-US\27d1bcfc3c54e0	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\taskhost.exe	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1044	schtasks.exe
544	schtasks.exe
240	schtasks.exe
1756	schtasks.exe
1792	schtasks.exe
1372	schtasks.exe
1640	schtasks.exe
948	schtasks.exe
1788	schtasks.exe
828	schtasks.exe
944	schtasks.exe
1740	schtasks.exe
968	schtasks.exe
756	schtasks.exe
1784	schtasks.exe
1028	schtasks.exe
1752	schtasks.exe
1484	schtasks.exe
340	schtasks.exe
1856	schtasks.exe
1100	schtasks.exe
1844	schtasks.exe
1728	schtasks.exe
1360	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
1976	powershell.exe
1264	powershell.exe
1972	powershell.exe
1060	powershell.exe
692	powershell.exe
576	powershell.exe
1152	powershell.exe
1016	powershell.exe
856	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Token: SeDebugPrivilege	1372	smss.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 692	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	53
PID 1260 wrote to memory of 692	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	53
PID 1260 wrote to memory of 692	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	53
PID 1260 wrote to memory of 1976	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	54
PID 1260 wrote to memory of 1976	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	54
PID 1260 wrote to memory of 1976	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	54
PID 1260 wrote to memory of 1016	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	55
PID 1260 wrote to memory of 1016	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	55
PID 1260 wrote to memory of 1016	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	55
PID 1260 wrote to memory of 1060	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	57
PID 1260 wrote to memory of 1060	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	57
PID 1260 wrote to memory of 1060	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	57
PID 1260 wrote to memory of 1972	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	59
PID 1260 wrote to memory of 1972	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	59
PID 1260 wrote to memory of 1972	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	59
PID 1260 wrote to memory of 1264	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	62
PID 1260 wrote to memory of 1264	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	62
PID 1260 wrote to memory of 1264	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	62
PID 1260 wrote to memory of 1152	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	63
PID 1260 wrote to memory of 1152	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	63
PID 1260 wrote to memory of 1152	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	63
PID 1260 wrote to memory of 576	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	65
PID 1260 wrote to memory of 576	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	65
PID 1260 wrote to memory of 576	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	65
PID 1260 wrote to memory of 856	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	68
PID 1260 wrote to memory of 856	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	68
PID 1260 wrote to memory of 856	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	68
PID 1260 wrote to memory of 1692	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	70
PID 1260 wrote to memory of 1692	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	70
PID 1260 wrote to memory of 1692	1260	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe	70
PID 1692 wrote to memory of 1044	1692	cmd.exe	73
PID 1692 wrote to memory of 1044	1692	cmd.exe	73
PID 1692 wrote to memory of 1044	1692	cmd.exe	73
PID 1692 wrote to memory of 1372	1692	cmd.exe	74
PID 1692 wrote to memory of 1372	1692	cmd.exe	74
PID 1692 wrote to memory of 1372	1692	cmd.exe	74

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Idle.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\services.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\smss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Policies\taskhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\System.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6oFvJ6q8bf.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1044
- - C:\Users\Public\Libraries\smss.exe
    "C:\Users\Public\Libraries\smss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Policies\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Policies\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6oFvJ6q8bf.bat

Filesize
199B

MD5
6a17dc701bf1e6ae23f5ebbedb62fe56

SHA1
4e1f65ab9710029a9a0eb0aa51a5eb245f969d30

SHA256
0524181e77e408c7ff85ecdee4a890645501d9ad5bd93a18418c12036102ef57

SHA512
6e3a32a0ef8efbea7fca808f002f246286cc0e9af91f04b6396a0ba840eed34d761602aeb14b6cbc359289ab63f4f230f8ea02fbf3e0a93d1e7aeee132c97641

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a251e59360b279e8bbdbe3f3b3387b89

SHA1
ff4c2b5cc8175a07ec694fb3f37539bf492e1a04

SHA256
83bdcf171aae21f150657e53f4725a7ddf0e941e6969ee0d6e278d2c12e58991

SHA512
05109d079a191b030366ae9e35791e4cb34e997d1cae24e52f35953fb55a5a0e656ab0b705bc4c43b75c7502d3bb882efadb4a495e9e223e4ef6f9417a822741

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a251e59360b279e8bbdbe3f3b3387b89

SHA1
ff4c2b5cc8175a07ec694fb3f37539bf492e1a04

SHA256
83bdcf171aae21f150657e53f4725a7ddf0e941e6969ee0d6e278d2c12e58991

SHA512
05109d079a191b030366ae9e35791e4cb34e997d1cae24e52f35953fb55a5a0e656ab0b705bc4c43b75c7502d3bb882efadb4a495e9e223e4ef6f9417a822741

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a251e59360b279e8bbdbe3f3b3387b89

SHA1
ff4c2b5cc8175a07ec694fb3f37539bf492e1a04

SHA256
83bdcf171aae21f150657e53f4725a7ddf0e941e6969ee0d6e278d2c12e58991

SHA512
05109d079a191b030366ae9e35791e4cb34e997d1cae24e52f35953fb55a5a0e656ab0b705bc4c43b75c7502d3bb882efadb4a495e9e223e4ef6f9417a822741

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a251e59360b279e8bbdbe3f3b3387b89

SHA1
ff4c2b5cc8175a07ec694fb3f37539bf492e1a04

SHA256
83bdcf171aae21f150657e53f4725a7ddf0e941e6969ee0d6e278d2c12e58991

SHA512
05109d079a191b030366ae9e35791e4cb34e997d1cae24e52f35953fb55a5a0e656ab0b705bc4c43b75c7502d3bb882efadb4a495e9e223e4ef6f9417a822741

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a251e59360b279e8bbdbe3f3b3387b89

SHA1
ff4c2b5cc8175a07ec694fb3f37539bf492e1a04

SHA256
83bdcf171aae21f150657e53f4725a7ddf0e941e6969ee0d6e278d2c12e58991

SHA512
05109d079a191b030366ae9e35791e4cb34e997d1cae24e52f35953fb55a5a0e656ab0b705bc4c43b75c7502d3bb882efadb4a495e9e223e4ef6f9417a822741

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a251e59360b279e8bbdbe3f3b3387b89

SHA1
ff4c2b5cc8175a07ec694fb3f37539bf492e1a04

SHA256
83bdcf171aae21f150657e53f4725a7ddf0e941e6969ee0d6e278d2c12e58991

SHA512
05109d079a191b030366ae9e35791e4cb34e997d1cae24e52f35953fb55a5a0e656ab0b705bc4c43b75c7502d3bb882efadb4a495e9e223e4ef6f9417a822741

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a251e59360b279e8bbdbe3f3b3387b89

SHA1
ff4c2b5cc8175a07ec694fb3f37539bf492e1a04

SHA256
83bdcf171aae21f150657e53f4725a7ddf0e941e6969ee0d6e278d2c12e58991

SHA512
05109d079a191b030366ae9e35791e4cb34e997d1cae24e52f35953fb55a5a0e656ab0b705bc4c43b75c7502d3bb882efadb4a495e9e223e4ef6f9417a822741

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a251e59360b279e8bbdbe3f3b3387b89

SHA1
ff4c2b5cc8175a07ec694fb3f37539bf492e1a04

SHA256
83bdcf171aae21f150657e53f4725a7ddf0e941e6969ee0d6e278d2c12e58991

SHA512
05109d079a191b030366ae9e35791e4cb34e997d1cae24e52f35953fb55a5a0e656ab0b705bc4c43b75c7502d3bb882efadb4a495e9e223e4ef6f9417a822741

Download Submit
C:\Users\Public\Libraries\smss.exe

Filesize
1.2MB

MD5
32585987ce3e3d5d27e92a1f3e92955f

SHA1
569f123ceb6fb6d52f197220e177fda760d32370

SHA256
24713572541a72bd095e3dc51aaf9d74dab439b097ea566eb5db8315d56acf7d

SHA512
587dde274e91edfb340a8b2707aa307d27e2d22940b5b82c6fd61af714d5c3a6718b263f61ca0d6036c3571c8cfeb829d2f296425cd8b929315cb8fdd5c31ac3

Download Submit
C:\Users\Public\Libraries\smss.exe

Filesize
1.2MB

MD5
32585987ce3e3d5d27e92a1f3e92955f

SHA1
569f123ceb6fb6d52f197220e177fda760d32370

SHA256
24713572541a72bd095e3dc51aaf9d74dab439b097ea566eb5db8315d56acf7d

SHA512
587dde274e91edfb340a8b2707aa307d27e2d22940b5b82c6fd61af714d5c3a6718b263f61ca0d6036c3571c8cfeb829d2f296425cd8b929315cb8fdd5c31ac3

Download Submit
memory/576-134-0x000000001B8C0000-0x000000001BBBF000-memory.dmp

Filesize
3.0MB

Download
memory/576-104-0x000007FEEB9A0000-0x000007FEEC3C3000-memory.dmp

Filesize
10.1MB

Download
memory/576-155-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download
memory/576-153-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/576-150-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download
memory/576-111-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/576-121-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/692-138-0x00000000023CB000-0x00000000023EA000-memory.dmp

Filesize
124KB

Download
memory/692-109-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/692-133-0x00000000023CB000-0x00000000023EA000-memory.dmp

Filesize
124KB

Download
memory/692-73-0x000007FEFB8E1000-0x000007FEFB8E3000-memory.dmp

Filesize
8KB

Download
memory/692-77-0x000007FEEB9A0000-0x000007FEEC3C3000-memory.dmp

Filesize
10.1MB

Download
memory/692-136-0x00000000023C4000-0x00000000023C7000-memory.dmp

Filesize
12KB

Download
memory/692-126-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/692-119-0x00000000023C4000-0x00000000023C7000-memory.dmp

Filesize
12KB

Download
memory/856-147-0x0000000001F74000-0x0000000001F77000-memory.dmp

Filesize
12KB

Download
memory/856-123-0x0000000001F74000-0x0000000001F77000-memory.dmp

Filesize
12KB

Download
memory/856-146-0x0000000001F7B000-0x0000000001F9A000-memory.dmp

Filesize
124KB

Download
memory/856-113-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/856-143-0x0000000001F7B000-0x0000000001F9A000-memory.dmp

Filesize
124KB

Download
memory/856-98-0x000007FEEB9A0000-0x000007FEEC3C3000-memory.dmp

Filesize
10.1MB

Download
memory/856-129-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/1016-120-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/1016-144-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/1016-110-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1016-127-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/1016-96-0x000007FEEB9A0000-0x000007FEEC3C3000-memory.dmp

Filesize
10.1MB

Download
memory/1016-142-0x000000000239B000-0x00000000023BA000-memory.dmp

Filesize
124KB

Download
memory/1060-107-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1060-117-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/1060-158-0x000000000277B000-0x000000000279A000-memory.dmp

Filesize
124KB

Download
memory/1060-157-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/1060-139-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/1060-145-0x000000000277B000-0x000000000279A000-memory.dmp

Filesize
124KB

Download
memory/1060-95-0x000007FEEB9A0000-0x000007FEEC3C3000-memory.dmp

Filesize
10.1MB

Download
memory/1152-128-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/1152-124-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/1152-97-0x000007FEEB9A0000-0x000007FEEC3C3000-memory.dmp

Filesize
10.1MB

Download
memory/1152-140-0x000000000245B000-0x000000000247A000-memory.dmp

Filesize
124KB

Download
memory/1152-114-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1152-141-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/1260-60-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/1260-63-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/1260-55-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/1260-56-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/1260-57-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/1260-58-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1260-59-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/1260-61-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/1260-62-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1260-54-0x00000000001F0000-0x0000000000326000-memory.dmp

Filesize
1.2MB

Download
memory/1264-132-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/1264-105-0x000007FEEB9A0000-0x000007FEEC3C3000-memory.dmp

Filesize
10.1MB

Download
memory/1264-152-0x0000000001F6B000-0x0000000001F8A000-memory.dmp

Filesize
124KB

Download
memory/1264-151-0x0000000001F64000-0x0000000001F67000-memory.dmp

Filesize
12KB

Download
memory/1264-106-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1264-148-0x0000000001F6B000-0x0000000001F8A000-memory.dmp

Filesize
124KB

Download
memory/1264-116-0x0000000001F64000-0x0000000001F67000-memory.dmp

Filesize
12KB

Download
memory/1372-115-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download
memory/1372-102-0x00000000012B0000-0x00000000013E6000-memory.dmp

Filesize
1.2MB

Download
memory/1972-103-0x000007FEEB9A0000-0x000007FEEC3C3000-memory.dmp

Filesize
10.1MB

Download
memory/1972-125-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/1972-131-0x000000000276B000-0x000000000278A000-memory.dmp

Filesize
124KB

Download
memory/1972-118-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/1972-135-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/1972-108-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1972-137-0x000000000276B000-0x000000000278A000-memory.dmp

Filesize
124KB

Download
memory/1976-130-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/1976-154-0x000000000273B000-0x000000000275A000-memory.dmp

Filesize
124KB

Download
memory/1976-112-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1976-149-0x000000000273B000-0x000000000275A000-memory.dmp

Filesize
124KB

Download
memory/1976-122-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/1976-80-0x000007FEEB9A0000-0x000007FEEC3C3000-memory.dmp

Filesize
10.1MB

Download
memory/1976-156-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download