dcrat | da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55

General

Target

a56ceff4ed3d8f469e16324d0109e3c6.exe
Size

1.5MB
MD5

a56ceff4ed3d8f469e16324d0109e3c6
SHA1

0052b50b6409c6983b6e81b7dce3eaa28dbe6f7f
SHA256

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55
SHA512

45e6b8e3578be057ded58898a1e3a05e11327ac32dd1dcee53d7135a8db76d63c459a677d8ae4a592644826f7b0046eb72d6365973ea122bb25c7513f5781642
SSDEEP

24576:ewCXoM4MF0QizuJ7dhu+M9bvIpFeHb5APIYwXKhFuDTzz/UNR:72ojMYzuJHu/9bvIOCwf0uDz+R

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	568	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	568	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4336-133-0x0000000000DB0000-0x00000000011F8000-memory.dmp	dcrat
behavioral2/memory/4336-141-0x0000000000DB0000-0x00000000011F8000-memory.dmp	dcrat
behavioral2/memory/3044-146-0x0000000000DE0000-0x0000000001228000-memory.dmp	dcrat
behavioral2/memory/3044-147-0x0000000000DE0000-0x0000000001228000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

3044 dllhost.exe

pid	process
3044	dllhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a56ceff4ed3d8f469e16324d0109e3c6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	a56ceff4ed3d8f469e16324d0109e3c6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

a56ceff4ed3d8f469e16324d0109e3c6.exedllhost.exe

pid	process
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe

Drops file in Program Files directory 10 IoCs

Processes:

a56ceff4ed3d8f469e16324d0109e3c6.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\9e8d7a4ca61bd9	a56ceff4ed3d8f469e16324d0109e3c6.exe
File created	C:\Program Files (x86)\Internet Explorer\9e8d7a4ca61bd9	a56ceff4ed3d8f469e16324d0109e3c6.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe	a56ceff4ed3d8f469e16324d0109e3c6.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\e1ef82546f0b02	a56ceff4ed3d8f469e16324d0109e3c6.exe
File created	C:\Program Files\MSBuild\ea1d8f6d871115	a56ceff4ed3d8f469e16324d0109e3c6.exe
File created	C:\Program Files\Uninstall Information\RuntimeBroker.exe	a56ceff4ed3d8f469e16324d0109e3c6.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe	a56ceff4ed3d8f469e16324d0109e3c6.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\55b276f4edf653	a56ceff4ed3d8f469e16324d0109e3c6.exe
File created	C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe	a56ceff4ed3d8f469e16324d0109e3c6.exe
File created	C:\Program Files\MSBuild\upfc.exe	a56ceff4ed3d8f469e16324d0109e3c6.exe

Drops file in Windows directory 5 IoCs

Processes:

a56ceff4ed3d8f469e16324d0109e3c6.exe

description	ioc	process
File created	C:\Windows\ImmersiveControlPanel\e6c9b481da804f	a56ceff4ed3d8f469e16324d0109e3c6.exe
File created	C:\Windows\ModemLogs\WmiPrvSE.exe	a56ceff4ed3d8f469e16324d0109e3c6.exe
File opened for modification	C:\Windows\ModemLogs\WmiPrvSE.exe	a56ceff4ed3d8f469e16324d0109e3c6.exe
File created	C:\Windows\ModemLogs\24dbde2999530e	a56ceff4ed3d8f469e16324d0109e3c6.exe
File created	C:\Windows\ImmersiveControlPanel\OfficeClickToRun.exe	a56ceff4ed3d8f469e16324d0109e3c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4488	schtasks.exe
4136	schtasks.exe
1348	schtasks.exe
5072	schtasks.exe
4596	schtasks.exe
4948	schtasks.exe
1916	schtasks.exe
2444	schtasks.exe
1152	schtasks.exe
4436	schtasks.exe
4248	schtasks.exe
5104	schtasks.exe
4564	schtasks.exe
4392	schtasks.exe
736	schtasks.exe
4160	schtasks.exe
4188	schtasks.exe
3712	schtasks.exe
2288	schtasks.exe
2244	schtasks.exe
2668	schtasks.exe
4024	schtasks.exe
3336	schtasks.exe
1304	schtasks.exe
536	schtasks.exe
2608	schtasks.exe
224	schtasks.exe
424	schtasks.exe
1620	schtasks.exe
2352	schtasks.exe
3796	schtasks.exe
3064	schtasks.exe
2528	schtasks.exe
4468	schtasks.exe
1176	schtasks.exe
3736	schtasks.exe
2056	schtasks.exe
3228	schtasks.exe
5112	schtasks.exe
4668	schtasks.exe
4408	schtasks.exe
4496	schtasks.exe
4140	schtasks.exe
1664	schtasks.exe
4580	schtasks.exe
2408	schtasks.exe
4312	schtasks.exe
1652	schtasks.exe
628	schtasks.exe
1144	schtasks.exe
1908	schtasks.exe
3672	schtasks.exe
4032	schtasks.exe
1312	schtasks.exe
4532	schtasks.exe
308	schtasks.exe
920	schtasks.exe

Modifies registry class 1 IoCs

Processes:

a56ceff4ed3d8f469e16324d0109e3c6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	a56ceff4ed3d8f469e16324d0109e3c6.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

a56ceff4ed3d8f469e16324d0109e3c6.exedllhost.exe

pid	process
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

3044 dllhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a56ceff4ed3d8f469e16324d0109e3c6.exedllhost.exe

description pid process

Token: SeDebugPrivilege 4336 a56ceff4ed3d8f469e16324d0109e3c6.exe
Token: SeDebugPrivilege 3044 dllhost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a56ceff4ed3d8f469e16324d0109e3c6.exedllhost.exe

pid process

4336 a56ceff4ed3d8f469e16324d0109e3c6.exe
3044 dllhost.exe

pid	process
3044	dllhost.exe

description	pid	process
Token: SeDebugPrivilege	4336	a56ceff4ed3d8f469e16324d0109e3c6.exe
Token: SeDebugPrivilege	3044	dllhost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

a56ceff4ed3d8f469e16324d0109e3c6.execmd.exew32tm.exe

description	pid	process	target process
PID 4336 wrote to memory of 1936	4336	a56ceff4ed3d8f469e16324d0109e3c6.exe	cmd.exe
PID 4336 wrote to memory of 1936	4336	a56ceff4ed3d8f469e16324d0109e3c6.exe	cmd.exe
PID 4336 wrote to memory of 1936	4336	a56ceff4ed3d8f469e16324d0109e3c6.exe	cmd.exe
PID 1936 wrote to memory of 3924	1936	cmd.exe	w32tm.exe
PID 1936 wrote to memory of 3924	1936	cmd.exe	w32tm.exe
PID 1936 wrote to memory of 3924	1936	cmd.exe	w32tm.exe
PID 3924 wrote to memory of 4796	3924	w32tm.exe	w32tm.exe
PID 3924 wrote to memory of 4796	3924	w32tm.exe	w32tm.exe
PID 1936 wrote to memory of 3044	1936	cmd.exe	dllhost.exe
PID 1936 wrote to memory of 3044	1936	cmd.exe	dllhost.exe
PID 1936 wrote to memory of 3044	1936	cmd.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\a56ceff4ed3d8f469e16324d0109e3c6.exe
"C:\Users\Admin\AppData\Local\Temp\a56ceff4ed3d8f469e16324d0109e3c6.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sMMqjOsBfv.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:4796

C:\odt\dllhost.exe
"C:\odt\dllhost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\ImmersiveControlPanel\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\ImmersiveControlPanel\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a56ceff4ed3d8f469e16324d0109e3c6a" /sc MINUTE /mo 13 /tr "'C:\odt\a56ceff4ed3d8f469e16324d0109e3c6.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a56ceff4ed3d8f469e16324d0109e3c6" /sc ONLOGON /tr "'C:\odt\a56ceff4ed3d8f469e16324d0109e3c6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a56ceff4ed3d8f469e16324d0109e3c6a" /sc MINUTE /mo 11 /tr "'C:\odt\a56ceff4ed3d8f469e16324d0109e3c6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Videos\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a56ceff4ed3d8f469e16324d0109e3c6a" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\a56ceff4ed3d8f469e16324d0109e3c6.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a56ceff4ed3d8f469e16324d0109e3c6" /sc ONLOGON /tr "'C:\Users\Default User\a56ceff4ed3d8f469e16324d0109e3c6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a56ceff4ed3d8f469e16324d0109e3c6a" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\a56ceff4ed3d8f469e16324d0109e3c6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sMMqjOsBfv.bat
Filesize
183B

MD5
9b9294dba04408c5adc08524c648dec0

SHA1
fb93192c91ef483eea12b410b09cf9f8bb0a09c2

SHA256
b5e53cb9e50c766613a984374db458e64f3daf5d6da1c9cb59a332df627e8c2c

SHA512
c455210913272b2a3339938ec4373a4decd13b04dfda4ee66c891148c52db263a7c50e585a7b7219e75ed92baf2abc9087c6a6931b9b4d50c4f4a713d1ab2dcf

Download Submit
C:\odt\dllhost.exe
Filesize
1.5MB

MD5
a56ceff4ed3d8f469e16324d0109e3c6

SHA1
0052b50b6409c6983b6e81b7dce3eaa28dbe6f7f

SHA256
da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55

SHA512
45e6b8e3578be057ded58898a1e3a05e11327ac32dd1dcee53d7135a8db76d63c459a677d8ae4a592644826f7b0046eb72d6365973ea122bb25c7513f5781642

Download Submit
C:\odt\dllhost.exe
Filesize
1.5MB

MD5
a56ceff4ed3d8f469e16324d0109e3c6

SHA1
0052b50b6409c6983b6e81b7dce3eaa28dbe6f7f

SHA256
da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55

SHA512
45e6b8e3578be057ded58898a1e3a05e11327ac32dd1dcee53d7135a8db76d63c459a677d8ae4a592644826f7b0046eb72d6365973ea122bb25c7513f5781642

Download Submit
memory/1936-138-0x0000000000000000-mapping.dmp

Download
memory/3044-143-0x0000000000000000-mapping.dmp

Download
memory/3044-150-0x0000000000DE0000-0x0000000001228000-memory.dmp

Filesize
4.3MB

Download
memory/3044-149-0x0000000007E10000-0x0000000007EA2000-memory.dmp

Filesize
584KB

Download
memory/3044-147-0x0000000000DE0000-0x0000000001228000-memory.dmp

Filesize
4.3MB

Download
memory/3044-148-0x0000000000DE0000-0x0000000001228000-memory.dmp

Filesize
4.3MB

Download
memory/3044-146-0x0000000000DE0000-0x0000000001228000-memory.dmp

Filesize
4.3MB

Download
memory/3924-140-0x0000000000000000-mapping.dmp

Download
memory/4336-141-0x0000000000DB0000-0x00000000011F8000-memory.dmp

Filesize
4.3MB

Download
memory/4336-132-0x0000000000DB0000-0x00000000011F8000-memory.dmp

Filesize
4.3MB

Download
memory/4336-137-0x00000000069C0000-0x0000000006A26000-memory.dmp

Filesize
408KB

Download
memory/4336-136-0x00000000075F0000-0x0000000007B1C000-memory.dmp

Filesize
5.2MB

Download
memory/4336-135-0x00000000066F0000-0x0000000006740000-memory.dmp

Filesize
320KB

Download
memory/4336-134-0x0000000006B10000-0x00000000070B4000-memory.dmp

Filesize
5.6MB

Download
memory/4336-133-0x0000000000DB0000-0x00000000011F8000-memory.dmp

Filesize
4.3MB

Download
memory/4796-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads