dcrat | da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55

General

Target

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
Size

1.5MB
MD5

a56ceff4ed3d8f469e16324d0109e3c6
SHA1

0052b50b6409c6983b6e81b7dce3eaa28dbe6f7f
SHA256

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55
SHA512

45e6b8e3578be057ded58898a1e3a05e11327ac32dd1dcee53d7135a8db76d63c459a677d8ae4a592644826f7b0046eb72d6365973ea122bb25c7513f5781642
SSDEEP

24576:ewCXoM4MF0QizuJ7dhu+M9bvIpFeHb5APIYwXKhFuDTzz/UNR:72ojMYzuJHu/9bvIOCwf0uDz+R

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1736	schtasks.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1908-55-0x00000000009D0000-0x0000000000E18000-memory.dmp	dcrat
behavioral1/memory/1908-64-0x00000000009D0000-0x0000000000E18000-memory.dmp	dcrat
behavioral1/memory/1816-69-0x0000000000380000-0x00000000007C8000-memory.dmp	dcrat
behavioral1/memory/1816-73-0x0000000000380000-0x00000000007C8000-memory.dmp	dcrat
behavioral1/memory/440-83-0x0000000000210000-0x0000000000658000-memory.dmp	dcrat
behavioral1/memory/440-84-0x0000000000210000-0x0000000000658000-memory.dmp	dcrat
behavioral1/memory/440-85-0x0000000000210000-0x0000000000658000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

Idle.exe

pid process

440 Idle.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

240 cmd.exe
240 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
440	Idle.exe

pid	process
240	cmd.exe
240	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exeda2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exeIdle.exe

pid	process
1908	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
1908	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
1816	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe

Drops file in Program Files directory 7 IoCs

Processes:

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exeda2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe

description	ioc	process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\7a0fd90576e088	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\dwm.exe	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\6cb0b6c459d5d3	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\101b941d020240	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe

Drops file in Windows directory 6 IoCs

Processes:

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exeda2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe

description	ioc	process
File created	C:\Windows\TAPI\WmiPrvSE.exe	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
File created	C:\Windows\TAPI\24dbde2999530e	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
File created	C:\Windows\AppCompat\Programs\System.exe	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
File created	C:\Windows\AppCompat\Programs\27d1bcfc3c54e0	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
File created	C:\Windows\Resources\Themes\Aero\System.exe	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
File created	C:\Windows\Resources\Themes\Aero\27d1bcfc3c54e0	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1320	schtasks.exe
1364	schtasks.exe
1564	schtasks.exe
1540	schtasks.exe
1760	schtasks.exe
872	schtasks.exe
472	schtasks.exe
1872	schtasks.exe
1352	schtasks.exe
848	schtasks.exe
1348	schtasks.exe
2036	schtasks.exe
1152	schtasks.exe
1556	schtasks.exe
2040	schtasks.exe
668	schtasks.exe
1316	schtasks.exe
524	schtasks.exe
316	schtasks.exe
960	schtasks.exe
1720	schtasks.exe
1160	schtasks.exe
1572	schtasks.exe
1000	schtasks.exe
852	schtasks.exe
288	schtasks.exe
1064	schtasks.exe
908	schtasks.exe
320	schtasks.exe
1952	schtasks.exe
1292	schtasks.exe
1052	schtasks.exe
1364	schtasks.exe
1416	schtasks.exe
2008	schtasks.exe
1468	schtasks.exe
1608	schtasks.exe
836	schtasks.exe
1312	schtasks.exe
1608	schtasks.exe
908	schtasks.exe
840	schtasks.exe
776	schtasks.exe
852	schtasks.exe
900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exeda2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exeIdle.exe

pid	process
1908	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
1908	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
1816	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
1816	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe
440	Idle.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exeda2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exeIdle.exe

description	pid	process
Token: SeDebugPrivilege	1908	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
Token: SeDebugPrivilege	1816	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
Token: SeDebugPrivilege	440	Idle.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exeda2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exeIdle.exe

pid	process
1908	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
1816	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
440	Idle.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.execmd.exew32tm.exeda2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.execmd.exew32tm.exe

description	pid	process	target process
PID 1908 wrote to memory of 1472	1908	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe	cmd.exe
PID 1908 wrote to memory of 1472	1908	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe	cmd.exe
PID 1908 wrote to memory of 1472	1908	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe	cmd.exe
PID 1908 wrote to memory of 1472	1908	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe	cmd.exe
PID 1472 wrote to memory of 300	1472	cmd.exe	w32tm.exe
PID 1472 wrote to memory of 300	1472	cmd.exe	w32tm.exe
PID 1472 wrote to memory of 300	1472	cmd.exe	w32tm.exe
PID 1472 wrote to memory of 300	1472	cmd.exe	w32tm.exe
PID 300 wrote to memory of 836	300	w32tm.exe	w32tm.exe
PID 300 wrote to memory of 836	300	w32tm.exe	w32tm.exe
PID 300 wrote to memory of 836	300	w32tm.exe	w32tm.exe
PID 300 wrote to memory of 836	300	w32tm.exe	w32tm.exe
PID 1472 wrote to memory of 1816	1472	cmd.exe	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
PID 1472 wrote to memory of 1816	1472	cmd.exe	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
PID 1472 wrote to memory of 1816	1472	cmd.exe	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
PID 1472 wrote to memory of 1816	1472	cmd.exe	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
PID 1816 wrote to memory of 240	1816	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe	cmd.exe
PID 1816 wrote to memory of 240	1816	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe	cmd.exe
PID 1816 wrote to memory of 240	1816	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe	cmd.exe
PID 1816 wrote to memory of 240	1816	da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe	cmd.exe
PID 240 wrote to memory of 1268	240	cmd.exe	w32tm.exe
PID 240 wrote to memory of 1268	240	cmd.exe	w32tm.exe
PID 240 wrote to memory of 1268	240	cmd.exe	w32tm.exe
PID 240 wrote to memory of 1268	240	cmd.exe	w32tm.exe
PID 1268 wrote to memory of 1748	1268	w32tm.exe	w32tm.exe
PID 1268 wrote to memory of 1748	1268	w32tm.exe	w32tm.exe
PID 1268 wrote to memory of 1748	1268	w32tm.exe	w32tm.exe
PID 1268 wrote to memory of 1748	1268	w32tm.exe	w32tm.exe
PID 240 wrote to memory of 440	240	cmd.exe	Idle.exe
PID 240 wrote to memory of 440	240	cmd.exe	Idle.exe
PID 240 wrote to memory of 440	240	cmd.exe	Idle.exe
PID 240 wrote to memory of 440	240	cmd.exe	Idle.exe

C:\Users\Admin\AppData\Local\Temp\da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
"C:\Users\Admin\AppData\Local\Temp\da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\exs6fAVkbh.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
- Suspicious use of WriteProcessMemory
PID:300

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe
"C:\Users\Admin\AppData\Local\Temp\da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5oMi52qUJ.bat"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1748

C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Themes\Aero\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\Aero\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55d" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55d" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\89.0.4389.114\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\89.0.4389.114\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\89.0.4389.114\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\Dictionaries\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\Dictionaries\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\Dictionaries\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\R5oMi52qUJ.bat
Filesize
195B

MD5
944259ae1251467cb4b57d32c7ed7965

SHA1
84c502960478cb1fd295b86a7195652e1a0041de

SHA256
71d69cb8a10e74955d3cf093cd6b6190f81d1ecc57a9a5bf06e7af12a62679b9

SHA512
03f212651d27cb1dcc7bdaa742b8f3ac37b652bebf2cc182c0ce91de7aac0f2d85517e7ff0427bb2b74fe7fc4beaf11d3cdcd0cba3f307b4a2e3ae47afdbb040

Download Submit
C:\Users\Admin\AppData\Local\Temp\exs6fAVkbh.bat
Filesize
267B

MD5
d9847a68e34b34ad5b2a114d60806adc

SHA1
7764511fdbda1c951e9fa5e22873f29567204a79

SHA256
8d775084e056b7d982b87660ffae25a4319638860e4b2760743de09d165da2f3

SHA512
c0300eaf379ee11486b9b7962620b500860ecec0adb4ebb3f7857ce1c3f7a159763e6ead544e88230d2650f4154fe4b41df1b5665936e7931a8da68ab13f9e97

Download Submit
C:\Users\Default User\Idle.exe
Filesize
1.5MB

MD5
a56ceff4ed3d8f469e16324d0109e3c6

SHA1
0052b50b6409c6983b6e81b7dce3eaa28dbe6f7f

SHA256
da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55

SHA512
45e6b8e3578be057ded58898a1e3a05e11327ac32dd1dcee53d7135a8db76d63c459a677d8ae4a592644826f7b0046eb72d6365973ea122bb25c7513f5781642

Download Submit
C:\Users\Default\Idle.exe
Filesize
1.5MB

MD5
a56ceff4ed3d8f469e16324d0109e3c6

SHA1
0052b50b6409c6983b6e81b7dce3eaa28dbe6f7f

SHA256
da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55

SHA512
45e6b8e3578be057ded58898a1e3a05e11327ac32dd1dcee53d7135a8db76d63c459a677d8ae4a592644826f7b0046eb72d6365973ea122bb25c7513f5781642

Download Submit
\Users\Default\Idle.exe
Filesize
1.5MB

MD5
a56ceff4ed3d8f469e16324d0109e3c6

SHA1
0052b50b6409c6983b6e81b7dce3eaa28dbe6f7f

SHA256
da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55

SHA512
45e6b8e3578be057ded58898a1e3a05e11327ac32dd1dcee53d7135a8db76d63c459a677d8ae4a592644826f7b0046eb72d6365973ea122bb25c7513f5781642

Download Submit
\Users\Default\Idle.exe
Filesize
1.5MB

MD5
a56ceff4ed3d8f469e16324d0109e3c6

SHA1
0052b50b6409c6983b6e81b7dce3eaa28dbe6f7f

SHA256
da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55

SHA512
45e6b8e3578be057ded58898a1e3a05e11327ac32dd1dcee53d7135a8db76d63c459a677d8ae4a592644826f7b0046eb72d6365973ea122bb25c7513f5781642

Download Submit
memory/240-71-0x0000000000000000-mapping.dmp

Download
memory/300-63-0x0000000000000000-mapping.dmp

Download
memory/440-83-0x0000000000210000-0x0000000000658000-memory.dmp

Filesize
4.3MB

Download
memory/440-80-0x0000000000000000-mapping.dmp

Download
memory/440-84-0x0000000000210000-0x0000000000658000-memory.dmp

Filesize
4.3MB

Download
memory/440-85-0x0000000000210000-0x0000000000658000-memory.dmp

Filesize
4.3MB

Download
memory/836-66-0x0000000000000000-mapping.dmp

Download
memory/1268-74-0x0000000000000000-mapping.dmp

Download
memory/1472-61-0x0000000000000000-mapping.dmp

Download
memory/1748-76-0x0000000000000000-mapping.dmp

Download
memory/1816-70-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/1816-69-0x0000000000380000-0x00000000007C8000-memory.dmp

Filesize
4.3MB

Download
memory/1816-73-0x0000000000380000-0x00000000007C8000-memory.dmp

Filesize
4.3MB

Download
memory/1816-67-0x0000000000000000-mapping.dmp

Download
memory/1908-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1908-64-0x00000000009D0000-0x0000000000E18000-memory.dmp

Filesize
4.3MB

Download
memory/1908-60-0x0000000002620000-0x000000000262E000-memory.dmp

Filesize
56KB

Download
memory/1908-59-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1908-58-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/1908-57-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/1908-56-0x0000000002390000-0x00000000023AC000-memory.dmp

Filesize
112KB

Download
memory/1908-55-0x00000000009D0000-0x0000000000E18000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads