dcrat | b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6

Analysis

max time kernel
51s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/12/2022, 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Size

1.6MB
MD5

c2941309c33f19d5c2acc448e838b281
SHA1

e929e9425de8df49806780664eec76df479f95b9
SHA256

b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6
SHA512

3ae53ac29729d7da962de103826b105fa785ab3b306c323abb9001e2ef107c320f37d1b807af608f174bb4786a42b050bd440ecd66b60614df3ae230263882e8
SSDEEP

24576:oXGq9fNAehxNnn+MsgnUQ0+vgd9Ulk5R/+VKkccpScpuw72sEeh8Sx8y:FqVNxhxFVKQKHgk5RmVKG7dr

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 14 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1164	schtasks.exe
		1916	schtasks.exe
File created	C:\Windows\System32\lltdsvc\886983d96e3d3e		HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
		1496	schtasks.exe
		1976	schtasks.exe
		1624	schtasks.exe
		268	schtasks.exe
		1488	schtasks.exe
		1592	schtasks.exe
		1048	schtasks.exe
		1960	schtasks.exe
File created	C:\Windows\System32\lltdsvc\csrss.exe		HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
		392	schtasks.exe
		1076	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\lltdsvc\\csrss.exe\", \"C:\\Windows\\System32\\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\\wininit.exe\", \"C:\\ProgramData\\Application Data\\lsass.exe\", \"C:\\Windows\\System32\\slui\\dwm.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\explorer.exe\", \"C:\\ProgramData\\Documents\\dwm.exe\", \"C:\\Windows\\SysWOW64\\oobe\\es-ES\\taskhost.exe\", \"C:\\Documents and Settings\\WmiPrvSE.exe\", \"C:\\Windows\\es-ES\\WMIADAP.exe\", \"C:\\ProgramData\\Templates\\services.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\spoolsv.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\lltdsvc\\csrss.exe\", \"C:\\Windows\\System32\\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\\wininit.exe\", \"C:\\ProgramData\\Application Data\\lsass.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\lltdsvc\\csrss.exe\", \"C:\\Windows\\System32\\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\\wininit.exe\", \"C:\\ProgramData\\Application Data\\lsass.exe\", \"C:\\Windows\\System32\\slui\\dwm.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\lltdsvc\\csrss.exe\", \"C:\\Windows\\System32\\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\\wininit.exe\", \"C:\\ProgramData\\Application Data\\lsass.exe\", \"C:\\Windows\\System32\\slui\\dwm.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\lltdsvc\\csrss.exe\", \"C:\\Windows\\System32\\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\\wininit.exe\", \"C:\\ProgramData\\Application Data\\lsass.exe\", \"C:\\Windows\\System32\\slui\\dwm.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\explorer.exe\", \"C:\\ProgramData\\Documents\\dwm.exe\", \"C:\\Windows\\SysWOW64\\oobe\\es-ES\\taskhost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\lltdsvc\\csrss.exe\", \"C:\\Windows\\System32\\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\\wininit.exe\", \"C:\\ProgramData\\Application Data\\lsass.exe\", \"C:\\Windows\\System32\\slui\\dwm.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\explorer.exe\", \"C:\\ProgramData\\Documents\\dwm.exe\", \"C:\\Windows\\SysWOW64\\oobe\\es-ES\\taskhost.exe\", \"C:\\Documents and Settings\\WmiPrvSE.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\lltdsvc\\csrss.exe\", \"C:\\Windows\\System32\\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\\wininit.exe\", \"C:\\ProgramData\\Application Data\\lsass.exe\", \"C:\\Windows\\System32\\slui\\dwm.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\explorer.exe\", \"C:\\ProgramData\\Documents\\dwm.exe\", \"C:\\Windows\\SysWOW64\\oobe\\es-ES\\taskhost.exe\", \"C:\\Documents and Settings\\WmiPrvSE.exe\", \"C:\\Windows\\es-ES\\WMIADAP.exe\", \"C:\\ProgramData\\Templates\\services.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\spoolsv.exe\", \"C:\\Windows\\WindowsUpdate\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\lltdsvc\\csrss.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\lltdsvc\\csrss.exe\", \"C:\\Windows\\System32\\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\\wininit.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\lltdsvc\\csrss.exe\", \"C:\\Windows\\System32\\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\\wininit.exe\", \"C:\\ProgramData\\Application Data\\lsass.exe\", \"C:\\Windows\\System32\\slui\\dwm.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\explorer.exe\", \"C:\\ProgramData\\Documents\\dwm.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\lltdsvc\\csrss.exe\", \"C:\\Windows\\System32\\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\\wininit.exe\", \"C:\\ProgramData\\Application Data\\lsass.exe\", \"C:\\Windows\\System32\\slui\\dwm.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\explorer.exe\", \"C:\\ProgramData\\Documents\\dwm.exe\", \"C:\\Windows\\SysWOW64\\oobe\\es-ES\\taskhost.exe\", \"C:\\Documents and Settings\\WmiPrvSE.exe\", \"C:\\Windows\\es-ES\\WMIADAP.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\lltdsvc\\csrss.exe\", \"C:\\Windows\\System32\\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\\wininit.exe\", \"C:\\ProgramData\\Application Data\\lsass.exe\", \"C:\\Windows\\System32\\slui\\dwm.exe\", \"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\explorer.exe\", \"C:\\ProgramData\\Documents\\dwm.exe\", \"C:\\Windows\\SysWOW64\\oobe\\es-ES\\taskhost.exe\", \"C:\\Documents and Settings\\WmiPrvSE.exe\", \"C:\\Windows\\es-ES\\WMIADAP.exe\", \"C:\\ProgramData\\Templates\\services.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	896	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	896	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	896	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	896	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	896	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	896	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	896	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	896	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	896	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	896	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	896	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	896	schtasks.exe	28

Executes dropped EXE 2 IoCs

pid	Process
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1700	dwm.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\ProgramData\\Templates\\services.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\\wininit.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\\wininit.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Application Data\\lsass.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\ProgramData\\Documents\\dwm.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Windows\\es-ES\\WMIADAP.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\WindowsUpdate\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\lltdsvc\\csrss.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\SysWOW64\\oobe\\es-ES\\taskhost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Windows\\es-ES\\WMIADAP.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\ProgramData\\Adobe\\Updater6\\spoolsv.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Application Data\\lsass.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\slui\\dwm.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\WindowsUpdate\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Documents and Settings\\WmiPrvSE.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Documents and Settings\\WmiPrvSE.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\ProgramData\\Templates\\services.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\lltdsvc\\csrss.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\slui\\dwm.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\\explorer.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\ProgramData\\Documents\\dwm.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\SysWOW64\\oobe\\es-ES\\taskhost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\ProgramData\\Adobe\\Updater6\\spoolsv.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\oobe\es-ES\b75386f1303e64	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File opened for modification	C:\Windows\System32\lltdsvc\csrss.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File created	C:\Windows\System32\lltdsvc\886983d96e3d3e	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File created	C:\Windows\System32\slui\dwm.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File opened for modification	C:\Windows\System32\lltdsvc\RCX1671.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File opened for modification	C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\RCX1D75.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File created	C:\Windows\SysWOW64\oobe\es-ES\taskhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File created	C:\Windows\System32\lltdsvc\csrss.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File opened for modification	C:\Windows\System32\slui\RCX3379.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File created	C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\wininit.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File opened for modification	C:\Windows\System32\lltdsvc\RCX13C2.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File opened for modification	C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\wininit.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File created	C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\56085415360792	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File created	C:\Windows\System32\slui\6cb0b6c459d5d3	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File opened for modification	C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\RCX2024.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File opened for modification	C:\Windows\System32\slui\RCX30BA.tmp	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File opened for modification	C:\Windows\System32\slui\dwm.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File opened for modification	C:\Windows\SysWOW64\oobe\es-ES\taskhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\WindowsUpdate\explorer.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File created	C:\Windows\WindowsUpdate\7a0fd90576e088	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File opened for modification	C:\Windows\es-ES\WMIADAP.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File opened for modification	C:\Windows\WindowsUpdate\explorer.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File created	C:\Windows\es-ES\WMIADAP.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
File created	C:\Windows\es-ES\75a57c1bdf437c	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1488	schtasks.exe
1496	schtasks.exe
1960	schtasks.exe
1624	schtasks.exe
392	schtasks.exe
1048	schtasks.exe
1976	schtasks.exe
1592	schtasks.exe
268	schtasks.exe
1164	schtasks.exe
1916	schtasks.exe
1076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
324	powershell.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1152	powershell.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1700	dwm.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 324	1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe	33
PID 1308 wrote to memory of 324	1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe	33
PID 1308 wrote to memory of 324	1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe	33
PID 1308 wrote to memory of 1652	1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe	35
PID 1308 wrote to memory of 1652	1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe	35
PID 1308 wrote to memory of 1652	1308	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe	35
PID 1652 wrote to memory of 2004	1652	cmd.exe	37
PID 1652 wrote to memory of 2004	1652	cmd.exe	37
PID 1652 wrote to memory of 2004	1652	cmd.exe	37
PID 1652 wrote to memory of 1732	1652	cmd.exe	38
PID 1652 wrote to memory of 1732	1652	cmd.exe	38
PID 1652 wrote to memory of 1732	1652	cmd.exe	38
PID 1732 wrote to memory of 1152	1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe	47
PID 1732 wrote to memory of 1152	1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe	47
PID 1732 wrote to memory of 1152	1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe	47
PID 1732 wrote to memory of 1700	1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe	49
PID 1732 wrote to memory of 1700	1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe	49
PID 1732 wrote to memory of 1700	1732	HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe	49

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xqixiZ9QWd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1152
  - - C:\ProgramData\Documents\dwm.exe
      "C:\ProgramData\Documents\dwm.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\lltdsvc\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ProgramData\Application Data\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\slui\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ProgramData\Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\oobe\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\es-ES\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ProgramData\Templates\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Updater6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\WindowsUpdate\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Documents\dwm.exe

Filesize
1.6MB

MD5
c2941309c33f19d5c2acc448e838b281

SHA1
e929e9425de8df49806780664eec76df479f95b9

SHA256
b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6

SHA512
3ae53ac29729d7da962de103826b105fa785ab3b306c323abb9001e2ef107c320f37d1b807af608f174bb4786a42b050bd440ecd66b60614df3ae230263882e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6.exe

Filesize
1.6MB

MD5
c2941309c33f19d5c2acc448e838b281

SHA1
e929e9425de8df49806780664eec76df479f95b9

SHA256
b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6

SHA512
3ae53ac29729d7da962de103826b105fa785ab3b306c323abb9001e2ef107c320f37d1b807af608f174bb4786a42b050bd440ecd66b60614df3ae230263882e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqixiZ9QWd.bat

Filesize
299B

MD5
43770e679053bb113c04eba05c62ef94

SHA1
55265123bc38a0fda6738e532e3734e2ece9f930

SHA256
acfb461915c0aea59d196163ce9b7d691f80170fc90446c0ad51fac225b3a469

SHA512
41167e49fec735c3a15de56e1bc21c15291a5e28c27b67b2340412272170e06858ff7b6d4dbebfc5633c6d07237cd16bf1afd5e417b2172435707ec0b8b3b520

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7b77fa66f4496fed643ce945ae46b8f8

SHA1
cb0ed6fddc801f67205ddf2d5e19580287c5f921

SHA256
35504f03a01ec55e3d9411525d7a1e8db43cd9e1db152a808b058bea955dd95b

SHA512
d55e889b85840c6f76f5415f799d9e3cc99732f3495a88e5c8c58b0e84eea95cc57852c9c881c4e705d52bce63846fd12424be01e19ba55d39aa262526be0e83

Download Submit
C:\Users\Public\Documents\dwm.exe

Filesize
1.6MB

MD5
c2941309c33f19d5c2acc448e838b281

SHA1
e929e9425de8df49806780664eec76df479f95b9

SHA256
b0a22bc0c510257a80017253fda2699c005a4089e37974ee52f2cf1aaf5103b6

SHA512
3ae53ac29729d7da962de103826b105fa785ab3b306c323abb9001e2ef107c320f37d1b807af608f174bb4786a42b050bd440ecd66b60614df3ae230263882e8

Download Submit
memory/324-79-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/324-78-0x000007FEF5E00000-0x000007FEF695D000-memory.dmp

Filesize
11.4MB

Download
memory/324-72-0x000007FEFC091000-0x000007FEFC093000-memory.dmp

Filesize
8KB

Download
memory/324-74-0x000007FEEC670000-0x000007FEED093000-memory.dmp

Filesize
10.1MB

Download
memory/324-80-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/324-82-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/324-81-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/1152-96-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/1152-100-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/1152-99-0x000000000265B000-0x000000000267A000-memory.dmp

Filesize
124KB

Download
memory/1152-90-0x000007FEEBF60000-0x000007FEEC983000-memory.dmp

Filesize
10.1MB

Download
memory/1152-92-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/1152-91-0x000007FEEB400000-0x000007FEEBF5D000-memory.dmp

Filesize
11.4MB

Download
memory/1152-101-0x000000000265B000-0x000000000267A000-memory.dmp

Filesize
124KB

Download
memory/1308-65-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/1308-64-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/1308-55-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/1308-56-0x00000000005F0000-0x000000000060C000-memory.dmp

Filesize
112KB

Download
memory/1308-70-0x000000001B046000-0x000000001B065000-memory.dmp

Filesize
124KB

Download
memory/1308-69-0x0000000002220000-0x000000000222C000-memory.dmp

Filesize
48KB

Download
memory/1308-68-0x0000000002210000-0x000000000221C000-memory.dmp

Filesize
48KB

Download
memory/1308-67-0x0000000002200000-0x000000000220A000-memory.dmp

Filesize
40KB

Download
memory/1308-57-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/1308-66-0x0000000000A30000-0x0000000000A3C000-memory.dmp

Filesize
48KB

Download
memory/1308-58-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/1308-59-0x00000000009C0000-0x00000000009D0000-memory.dmp

Filesize
64KB

Download
memory/1308-54-0x0000000000B40000-0x0000000000CE4000-memory.dmp

Filesize
1.6MB

Download
memory/1308-77-0x000000001B046000-0x000000001B065000-memory.dmp

Filesize
124KB

Download
memory/1308-63-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/1308-62-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/1308-61-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/1308-60-0x00000000009D0000-0x00000000009E2000-memory.dmp

Filesize
72KB

Download
memory/1700-97-0x0000000000080000-0x0000000000224000-memory.dmp

Filesize
1.6MB

Download
memory/1732-86-0x000000001AF26000-0x000000001AF45000-memory.dmp

Filesize
124KB

Download
memory/1732-85-0x0000000000190000-0x0000000000334000-memory.dmp

Filesize
1.6MB

Download
memory/1732-98-0x000000001AF26000-0x000000001AF45000-memory.dmp

Filesize
124KB

Download