dcrat | 3a9d578bed5193425becda7f50fdda6b1a131ba35195ae58ac24a2069e967b03

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
19-01-2023 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09f3ea83868d661776bb6231c214c397.exe
Size

2.5MB
MD5

09f3ea83868d661776bb6231c214c397
SHA1

b56d6ebad45ccf765087c4c1666a37dc860da268
SHA256

3a9d578bed5193425becda7f50fdda6b1a131ba35195ae58ac24a2069e967b03
SHA512

48893b7efd2e92fb30956d680706f5877dd635d081aa546a2b73960f0e3aaf0ab381fc8f386a01a87fde22eece21157dd439810e5d714ecf4a64646a828eb912
SSDEEP

49152:CSg8kOqBMdDhtQM4I+MkmJm9LcBwQYdXQ4J:dfkOqGhhtn9+nmJm9LcBCXvJ

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 11 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe09f3ea83868d661776bb6231c214c397.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1916	schtasks.exe
1624	schtasks.exe
1384	schtasks.exe
684	schtasks.exe
1368	schtasks.exe
File created	C:\Program Files\Java\jre7\Idle.exe	09f3ea83868d661776bb6231c214c397.exe
File created	C:\Program Files\Java\jre7\6ccacd8608530f	09f3ea83868d661776bb6231c214c397.exe
888	schtasks.exe
308	schtasks.exe
560	schtasks.exe
1352	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

09f3ea83868d661776bb6231c214c397.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jre7\\Idle.exe\""	09f3ea83868d661776bb6231c214c397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jre7\\Idle.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\""	09f3ea83868d661776bb6231c214c397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jre7\\Idle.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\es-ES\\taskhost.exe\""	09f3ea83868d661776bb6231c214c397.exe

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1260	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1216-54-0x00000000009B0000-0x0000000000C3E000-memory.dmp	dcrat
C:\Windows\it-IT\winlogon.exe	dcrat
behavioral1/memory/2172-107-0x0000000000020000-0x00000000002AE000-memory.dmp	dcrat
C:\Windows\it-IT\winlogon.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

2172 winlogon.exe

pid	process
2172	winlogon.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

09f3ea83868d661776bb6231c214c397.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\es-ES\\taskhost.exe\""	09f3ea83868d661776bb6231c214c397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\es-ES\\taskhost.exe\""	09f3ea83868d661776bb6231c214c397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Java\\jre7\\Idle.exe\""	09f3ea83868d661776bb6231c214c397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Java\\jre7\\Idle.exe\""	09f3ea83868d661776bb6231c214c397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\it-IT\\winlogon.exe\""	09f3ea83868d661776bb6231c214c397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\it-IT\\winlogon.exe\""	09f3ea83868d661776bb6231c214c397.exe

Drops file in Program Files directory 10 IoCs

Processes:

09f3ea83868d661776bb6231c214c397.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\taskhost.exe	09f3ea83868d661776bb6231c214c397.exe
File created	C:\Program Files\Java\jre7\6ccacd8608530f	09f3ea83868d661776bb6231c214c397.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\taskhost.exe	09f3ea83868d661776bb6231c214c397.exe
File opened for modification	C:\Program Files\Java\jre7\RCXCC1.tmp	09f3ea83868d661776bb6231c214c397.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\RCX1D77.tmp	09f3ea83868d661776bb6231c214c397.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\RCX2026.tmp	09f3ea83868d661776bb6231c214c397.exe
File created	C:\Program Files\Java\jre7\Idle.exe	09f3ea83868d661776bb6231c214c397.exe
File opened for modification	C:\Program Files\Java\jre7\Idle.exe	09f3ea83868d661776bb6231c214c397.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\b75386f1303e64	09f3ea83868d661776bb6231c214c397.exe
File opened for modification	C:\Program Files\Java\jre7\RCXA02.tmp	09f3ea83868d661776bb6231c214c397.exe

Drops file in Windows directory 5 IoCs

Processes:

09f3ea83868d661776bb6231c214c397.exe

description	ioc	process
File created	C:\Windows\it-IT\winlogon.exe	09f3ea83868d661776bb6231c214c397.exe
File created	C:\Windows\it-IT\cc11b995f2a76d	09f3ea83868d661776bb6231c214c397.exe
File opened for modification	C:\Windows\it-IT\RCX13C4.tmp	09f3ea83868d661776bb6231c214c397.exe
File opened for modification	C:\Windows\it-IT\RCX1683.tmp	09f3ea83868d661776bb6231c214c397.exe
File opened for modification	C:\Windows\it-IT\winlogon.exe	09f3ea83868d661776bb6231c214c397.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
308	schtasks.exe
560	schtasks.exe
1384	schtasks.exe
1916	schtasks.exe
1368	schtasks.exe
1352	schtasks.exe
888	schtasks.exe
684	schtasks.exe
1624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

09f3ea83868d661776bb6231c214c397.exewinlogon.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1216	09f3ea83868d661776bb6231c214c397.exe
2172	winlogon.exe
912	powershell.exe
316	powershell.exe
428	powershell.exe
988	powershell.exe
1448	powershell.exe
1684	powershell.exe
1056	powershell.exe
1512	powershell.exe
1716	powershell.exe
1320	powershell.exe
2172	winlogon.exe
2172	winlogon.exe
2172	winlogon.exe
2172	winlogon.exe
2172	winlogon.exe
2172	winlogon.exe
2172	winlogon.exe
2172	winlogon.exe
2036	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1216	09f3ea83868d661776bb6231c214c397.exe
Token: SeDebugPrivilege	2172	winlogon.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

09f3ea83868d661776bb6231c214c397.execmd.exewinlogon.exe

description	pid	process	target process
PID 1216 wrote to memory of 316	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 316	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 316	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 912	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 912	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 912	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 2036	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 2036	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 2036	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1512	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1512	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1512	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 428	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 428	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 428	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1056	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1056	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1056	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1448	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1448	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1448	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1320	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1320	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1320	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1684	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1684	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1684	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 572	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 572	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 572	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 988	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 988	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 988	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1716	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1716	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1716	1216	09f3ea83868d661776bb6231c214c397.exe	powershell.exe
PID 1216 wrote to memory of 1928	1216	09f3ea83868d661776bb6231c214c397.exe	cmd.exe
PID 1216 wrote to memory of 1928	1216	09f3ea83868d661776bb6231c214c397.exe	cmd.exe
PID 1216 wrote to memory of 1928	1216	09f3ea83868d661776bb6231c214c397.exe	cmd.exe
PID 1928 wrote to memory of 2152	1928	cmd.exe	w32tm.exe
PID 1928 wrote to memory of 2152	1928	cmd.exe	w32tm.exe
PID 1928 wrote to memory of 2152	1928	cmd.exe	w32tm.exe
PID 1928 wrote to memory of 2172	1928	cmd.exe	winlogon.exe
PID 1928 wrote to memory of 2172	1928	cmd.exe	winlogon.exe
PID 1928 wrote to memory of 2172	1928	cmd.exe	winlogon.exe
PID 2172 wrote to memory of 2524	2172	winlogon.exe	WScript.exe
PID 2172 wrote to memory of 2524	2172	winlogon.exe	WScript.exe
PID 2172 wrote to memory of 2524	2172	winlogon.exe	WScript.exe
PID 2172 wrote to memory of 2556	2172	winlogon.exe	WScript.exe
PID 2172 wrote to memory of 2556	2172	winlogon.exe	WScript.exe
PID 2172 wrote to memory of 2556	2172	winlogon.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\09f3ea83868d661776bb6231c214c397.exe
"C:\Users\Admin\AppData\Local\Temp\09f3ea83868d661776bb6231c214c397.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
PID:572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lQnvRVvYg2.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2152

C:\Windows\it-IT\winlogon.exe
"C:\Windows\it-IT\winlogon.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92e45934-bdee-4d6a-88cf-37496969e8b6.vbs"
4⤵
PID:2524

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3ac3879-3e90-4271-8334-637bac2e9bf9.vbs"
4⤵
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\92e45934-bdee-4d6a-88cf-37496969e8b6.vbs
Filesize
705B

MD5
e2eba58ac484828f0dd8c088aeb8130c

SHA1
1c2af42153ffdd811867d43f349acfbdc2d53853

SHA256
0ebe091a3cf2194d06e2deec6ba0d81e7975723f49c38d39baa158af522b2e2f

SHA512
9d014ed017620b4106783c4c3c2f88160659d562155a3c48799276250a0be8c4d779bf50cce21f335a978588d06cbfc21dd17e55882013af66c2b2f7b4880bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3ac3879-3e90-4271-8334-637bac2e9bf9.vbs
Filesize
481B

MD5
57c7482d69649776c10108b73ff2b444

SHA1
c3822bedec3f97921c366db89e32354c1a14617e

SHA256
25c6196a364a87b29b28d7534fce80b828020d34075a3aeee21526d611088eef

SHA512
45812f14c80092f6138f29ab93d3a3c82b314f1937ff3fb98dc2cf06ac182ec754ce768802dfe1df7ef1dc2c31fc9ed00c837780b922605ff9fad8c525bced74

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQnvRVvYg2.bat
Filesize
194B

MD5
86c263e2c86b7dcdd5155d45833f53c6

SHA1
72b80f95b307346dd2a92f0ce113912ec19d0a5e

SHA256
89019578617ff9f083c88f56f04843d21c2aef96835fde8f5af0563bdc3247a8

SHA512
0cb0e44379f727000660b765b7678cc5da4f2afea6975ad2f775c352b01e665cd0f2e4fb3d40500975e05722254c2eddb09496c5d574aa7684435c7e1a009280

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
31ca25fe39ebae1ecdac354476dd65fc

SHA1
8f1ca21724c0e805c0d8c63c64d550e9583a116e

SHA256
4dcc86d5c09c3d0d0b6ed1cad4397ee98424e2a4d2b2ddabcbfa4bd88907b1f7

SHA512
21fb127cdfd8ab424ce2ed741defe99f48574235cfd033135740f95dc03b14bb51873bc0eab094cd8cabd3f46907188c6b9bfe5664b89e21770a8030bf5a6c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
31ca25fe39ebae1ecdac354476dd65fc

SHA1
8f1ca21724c0e805c0d8c63c64d550e9583a116e

SHA256
4dcc86d5c09c3d0d0b6ed1cad4397ee98424e2a4d2b2ddabcbfa4bd88907b1f7

SHA512
21fb127cdfd8ab424ce2ed741defe99f48574235cfd033135740f95dc03b14bb51873bc0eab094cd8cabd3f46907188c6b9bfe5664b89e21770a8030bf5a6c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
31ca25fe39ebae1ecdac354476dd65fc

SHA1
8f1ca21724c0e805c0d8c63c64d550e9583a116e

SHA256
4dcc86d5c09c3d0d0b6ed1cad4397ee98424e2a4d2b2ddabcbfa4bd88907b1f7

SHA512
21fb127cdfd8ab424ce2ed741defe99f48574235cfd033135740f95dc03b14bb51873bc0eab094cd8cabd3f46907188c6b9bfe5664b89e21770a8030bf5a6c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
31ca25fe39ebae1ecdac354476dd65fc

SHA1
8f1ca21724c0e805c0d8c63c64d550e9583a116e

SHA256
4dcc86d5c09c3d0d0b6ed1cad4397ee98424e2a4d2b2ddabcbfa4bd88907b1f7

SHA512
21fb127cdfd8ab424ce2ed741defe99f48574235cfd033135740f95dc03b14bb51873bc0eab094cd8cabd3f46907188c6b9bfe5664b89e21770a8030bf5a6c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
31ca25fe39ebae1ecdac354476dd65fc

SHA1
8f1ca21724c0e805c0d8c63c64d550e9583a116e

SHA256
4dcc86d5c09c3d0d0b6ed1cad4397ee98424e2a4d2b2ddabcbfa4bd88907b1f7

SHA512
21fb127cdfd8ab424ce2ed741defe99f48574235cfd033135740f95dc03b14bb51873bc0eab094cd8cabd3f46907188c6b9bfe5664b89e21770a8030bf5a6c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
31ca25fe39ebae1ecdac354476dd65fc

SHA1
8f1ca21724c0e805c0d8c63c64d550e9583a116e

SHA256
4dcc86d5c09c3d0d0b6ed1cad4397ee98424e2a4d2b2ddabcbfa4bd88907b1f7

SHA512
21fb127cdfd8ab424ce2ed741defe99f48574235cfd033135740f95dc03b14bb51873bc0eab094cd8cabd3f46907188c6b9bfe5664b89e21770a8030bf5a6c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
31ca25fe39ebae1ecdac354476dd65fc

SHA1
8f1ca21724c0e805c0d8c63c64d550e9583a116e

SHA256
4dcc86d5c09c3d0d0b6ed1cad4397ee98424e2a4d2b2ddabcbfa4bd88907b1f7

SHA512
21fb127cdfd8ab424ce2ed741defe99f48574235cfd033135740f95dc03b14bb51873bc0eab094cd8cabd3f46907188c6b9bfe5664b89e21770a8030bf5a6c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
31ca25fe39ebae1ecdac354476dd65fc

SHA1
8f1ca21724c0e805c0d8c63c64d550e9583a116e

SHA256
4dcc86d5c09c3d0d0b6ed1cad4397ee98424e2a4d2b2ddabcbfa4bd88907b1f7

SHA512
21fb127cdfd8ab424ce2ed741defe99f48574235cfd033135740f95dc03b14bb51873bc0eab094cd8cabd3f46907188c6b9bfe5664b89e21770a8030bf5a6c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
31ca25fe39ebae1ecdac354476dd65fc

SHA1
8f1ca21724c0e805c0d8c63c64d550e9583a116e

SHA256
4dcc86d5c09c3d0d0b6ed1cad4397ee98424e2a4d2b2ddabcbfa4bd88907b1f7

SHA512
21fb127cdfd8ab424ce2ed741defe99f48574235cfd033135740f95dc03b14bb51873bc0eab094cd8cabd3f46907188c6b9bfe5664b89e21770a8030bf5a6c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
31ca25fe39ebae1ecdac354476dd65fc

SHA1
8f1ca21724c0e805c0d8c63c64d550e9583a116e

SHA256
4dcc86d5c09c3d0d0b6ed1cad4397ee98424e2a4d2b2ddabcbfa4bd88907b1f7

SHA512
21fb127cdfd8ab424ce2ed741defe99f48574235cfd033135740f95dc03b14bb51873bc0eab094cd8cabd3f46907188c6b9bfe5664b89e21770a8030bf5a6c5a

Download Submit
C:\Windows\it-IT\winlogon.exe
Filesize
2.5MB

MD5
4201acae7f3e9cec64160289137bbb7f

SHA1
a53927c7d3e82021e524aab2f7cb8175bbca4ea8

SHA256
70c514794ce6357837abdb80b0a10be9eedaa5b6c4e26fb0131ec2d8dc7e8b3e

SHA512
1ad6ad71fdabc9d558bf46dd9b2d35887496756505ead8510f49cfcea842168394fb5bc5087d54ebf6992fe4a318048542db66d3f7418bb9704ce9818fe8cb4c

Download Submit
C:\Windows\it-IT\winlogon.exe
Filesize
2.5MB

MD5
4201acae7f3e9cec64160289137bbb7f

SHA1
a53927c7d3e82021e524aab2f7cb8175bbca4ea8

SHA256
70c514794ce6357837abdb80b0a10be9eedaa5b6c4e26fb0131ec2d8dc7e8b3e

SHA512
1ad6ad71fdabc9d558bf46dd9b2d35887496756505ead8510f49cfcea842168394fb5bc5087d54ebf6992fe4a318048542db66d3f7418bb9704ce9818fe8cb4c

Download Submit
memory/316-143-0x000000001B920000-0x000000001BC1F000-memory.dmp

Filesize
3.0MB

Download
memory/316-66-0x0000000000000000-mapping.dmp

Download
memory/316-119-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/316-117-0x000007FEEDBB0000-0x000007FEEE70D000-memory.dmp

Filesize
11.4MB

Download
memory/316-82-0x000007FEEB560000-0x000007FEEBF83000-memory.dmp

Filesize
10.1MB

Download
memory/316-73-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp

Filesize
8KB

Download
memory/316-155-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/316-158-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/428-134-0x000007FEEDBB0000-0x000007FEEE70D000-memory.dmp

Filesize
11.4MB

Download
memory/428-170-0x000000000290B000-0x000000000292A000-memory.dmp

Filesize
124KB

Download
memory/428-70-0x0000000000000000-mapping.dmp

Download
memory/428-164-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/428-127-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/428-112-0x000007FEEB560000-0x000007FEEBF83000-memory.dmp

Filesize
10.1MB

Download
memory/572-81-0x0000000000000000-mapping.dmp

Download
memory/912-152-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/912-132-0x000007FEEDBB0000-0x000007FEEE70D000-memory.dmp

Filesize
11.4MB

Download
memory/912-122-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/912-67-0x0000000000000000-mapping.dmp

Download
memory/912-83-0x000007FEEB560000-0x000007FEEBF83000-memory.dmp

Filesize
10.1MB

Download
memory/912-154-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/912-153-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/912-142-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/988-116-0x000007FEEB560000-0x000007FEEBF83000-memory.dmp

Filesize
10.1MB

Download
memory/988-149-0x000000001B900000-0x000000001BBFF000-memory.dmp

Filesize
3.0MB

Download
memory/988-130-0x000007FEEDBB0000-0x000007FEEE70D000-memory.dmp

Filesize
11.4MB

Download
memory/988-156-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/988-85-0x0000000000000000-mapping.dmp

Download
memory/988-159-0x000000000281B000-0x000000000283A000-memory.dmp

Filesize
124KB

Download
memory/988-121-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1056-71-0x0000000000000000-mapping.dmp

Download
memory/1056-133-0x000007FEEDBB0000-0x000007FEEE70D000-memory.dmp

Filesize
11.4MB

Download
memory/1056-147-0x000000001B8F0000-0x000000001BBEF000-memory.dmp

Filesize
3.0MB

Download
memory/1056-129-0x0000000001EF0000-0x0000000001F70000-memory.dmp

Filesize
512KB

Download
memory/1056-123-0x0000000001EF0000-0x0000000001F70000-memory.dmp

Filesize
512KB

Download
memory/1056-111-0x000007FEEB560000-0x000007FEEBF83000-memory.dmp

Filesize
10.1MB

Download
memory/1216-58-0x00000000021C0000-0x00000000021D6000-memory.dmp

Filesize
88KB

Download
memory/1216-57-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/1216-61-0x000000001A7F0000-0x000000001A7FA000-memory.dmp

Filesize
40KB

Download
memory/1216-60-0x00000000021E0000-0x00000000021F2000-memory.dmp

Filesize
72KB

Download
memory/1216-55-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/1216-62-0x000000001A880000-0x000000001A88E000-memory.dmp

Filesize
56KB

Download
memory/1216-54-0x00000000009B0000-0x0000000000C3E000-memory.dmp

Filesize
2.6MB

Download
memory/1216-59-0x000000001A7A0000-0x000000001A7F6000-memory.dmp

Filesize
344KB

Download
memory/1216-63-0x000000001A890000-0x000000001A898000-memory.dmp

Filesize
32KB

Download
memory/1216-65-0x000000001AD60000-0x000000001AD6C000-memory.dmp

Filesize
48KB

Download
memory/1216-56-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download
memory/1216-64-0x000000001A8A0000-0x000000001A8A8000-memory.dmp

Filesize
32KB

Download
memory/1320-125-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/1320-166-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/1320-140-0x000007FEEDBB0000-0x000007FEEE70D000-memory.dmp

Filesize
11.4MB

Download
memory/1320-168-0x00000000029BB000-0x00000000029DA000-memory.dmp

Filesize
124KB

Download
memory/1320-114-0x000007FEEB560000-0x000007FEEBF83000-memory.dmp

Filesize
10.1MB

Download
memory/1320-151-0x000000001B8E0000-0x000000001BBDF000-memory.dmp

Filesize
3.0MB

Download
memory/1320-76-0x0000000000000000-mapping.dmp

Download
memory/1448-167-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/1448-109-0x000007FEEB560000-0x000007FEEBF83000-memory.dmp

Filesize
10.1MB

Download
memory/1448-146-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/1448-72-0x0000000000000000-mapping.dmp

Download
memory/1448-118-0x000007FEEDBB0000-0x000007FEEE70D000-memory.dmp

Filesize
11.4MB

Download
memory/1448-171-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1448-120-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1512-145-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/1512-128-0x00000000026E4000-0x00000000026E7000-memory.dmp

Filesize
12KB

Download
memory/1512-173-0x00000000026EB000-0x000000000270A000-memory.dmp

Filesize
124KB

Download
memory/1512-137-0x000007FEEDBB0000-0x000007FEEE70D000-memory.dmp

Filesize
11.4MB

Download
memory/1512-165-0x00000000026E4000-0x00000000026E7000-memory.dmp

Filesize
12KB

Download
memory/1512-110-0x000007FEEB560000-0x000007FEEBF83000-memory.dmp

Filesize
10.1MB

Download
memory/1512-69-0x0000000000000000-mapping.dmp

Download
memory/1684-126-0x0000000001EF4000-0x0000000001EF7000-memory.dmp

Filesize
12KB

Download
memory/1684-169-0x0000000001EF4000-0x0000000001EF7000-memory.dmp

Filesize
12KB

Download
memory/1684-144-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1684-135-0x000007FEEDBB0000-0x000007FEEE70D000-memory.dmp

Filesize
11.4MB

Download
memory/1684-113-0x000007FEEB560000-0x000007FEEBF83000-memory.dmp

Filesize
10.1MB

Download
memory/1684-77-0x0000000000000000-mapping.dmp

Download
memory/1684-174-0x0000000001EFB000-0x0000000001F1A000-memory.dmp

Filesize
124KB

Download
memory/1716-161-0x00000000026E4000-0x00000000026E7000-memory.dmp

Filesize
12KB

Download
memory/1716-138-0x000007FEEDBB0000-0x000007FEEE70D000-memory.dmp

Filesize
11.4MB

Download
memory/1716-163-0x00000000026EB000-0x000000000270A000-memory.dmp

Filesize
124KB

Download
memory/1716-115-0x000007FEEB560000-0x000007FEEBF83000-memory.dmp

Filesize
10.1MB

Download
memory/1716-124-0x00000000026E4000-0x00000000026E7000-memory.dmp

Filesize
12KB

Download
memory/1716-87-0x0000000000000000-mapping.dmp

Download
memory/1928-97-0x0000000000000000-mapping.dmp

Download
memory/2036-172-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/2036-68-0x0000000000000000-mapping.dmp

Download
memory/2036-178-0x00000000029D4000-0x00000000029D7000-memory.dmp

Filesize
12KB

Download
memory/2036-177-0x00000000029DB000-0x00000000029FA000-memory.dmp

Filesize
124KB

Download
memory/2036-176-0x00000000029D4000-0x00000000029D7000-memory.dmp

Filesize
12KB

Download
memory/2036-175-0x00000000029DB000-0x00000000029FA000-memory.dmp

Filesize
124KB

Download
memory/2036-160-0x000007FEEB560000-0x000007FEEBF83000-memory.dmp

Filesize
10.1MB

Download
memory/2036-162-0x000007FEEDBB0000-0x000007FEEE70D000-memory.dmp

Filesize
11.4MB

Download
memory/2152-103-0x0000000000000000-mapping.dmp

Download
memory/2172-108-0x000000001ABC0000-0x000000001AC16000-memory.dmp

Filesize
344KB

Download
memory/2172-107-0x0000000000020000-0x00000000002AE000-memory.dmp

Filesize
2.6MB

Download
memory/2172-105-0x0000000000000000-mapping.dmp

Download
memory/2524-131-0x0000000000000000-mapping.dmp

Download
memory/2556-136-0x0000000000000000-mapping.dmp

Download