dcrat | 7e649c9e6325c46601a81fd6c0dbf36ee6c85d0ee108c333b283140f96b842f6

General

Target

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Size

1.9MB
MD5

3b15c55bae9fefd6585e43490f6bf231
SHA1

3e1815ec0f2fcc83c1aef7173baf749e4547f967
SHA256

7e649c9e6325c46601a81fd6c0dbf36ee6c85d0ee108c333b283140f96b842f6
SHA512

43b870f7feaf9b1290acd23f17d0b22ea678ef93f52b5d89e11f85dc87c6306e3fd45e151784001f502d2261f153737a82578a31cfdf1edd93f8b31d6a86b4bc
SSDEEP

49152:Mb3eYn9rEj80t2CttDha8bCgXLQHkfX68lSurk9JWBKM:MlnmwWttPbC+R68l89r

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat 20 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
892	schtasks.exe
800	schtasks.exe
4380	schtasks.exe
3932	schtasks.exe
4780	schtasks.exe
1180	schtasks.exe
1912	schtasks.exe
4804	schtasks.exe
4764	schtasks.exe
1224	schtasks.exe
2084	schtasks.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\explorer.exe	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
4436	schtasks.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\7a0fd90576e088	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
4820	schtasks.exe
4640	schtasks.exe
1112	schtasks.exe
4832	schtasks.exe
4720	schtasks.exe
4692	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\explorer.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\System.exe\", \"C:\\Windows\\AppReadiness\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\explorer.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\System.exe\", \"C:\\Windows\\AppReadiness\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\Default User\\smss.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\explorer.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\explorer.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sihost.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\explorer.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\System.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\explorer.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\System.exe\", \"C:\\Windows\\AppReadiness\\Idle.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	444	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3464-133-0x00000000006F0000-0x0000000000BF8000-memory.dmp	dcrat
behavioral2/memory/3464-141-0x00000000006F0000-0x0000000000BF8000-memory.dmp	dcrat
behavioral2/memory/2488-146-0x00000000007B0000-0x0000000000CB8000-memory.dmp	dcrat
behavioral2/memory/2488-147-0x00000000007B0000-0x0000000000CB8000-memory.dmp	dcrat
behavioral2/memory/2488-148-0x00000000007B0000-0x0000000000CB8000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

Idle.exe

pid process

2488 Idle.exe

pid	process
2488	Idle.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\explorer.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sihost.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\System.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\AppReadiness\\Idle.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default User\\smss.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\explorer.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sihost.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\System.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\AppReadiness\\Idle.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default User\\smss.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exeIdle.exe

pid	process
3464	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
3464	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe

Drops file in Program Files directory 5 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\explorer.exe	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\7a0fd90576e088	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\System.exe	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\27d1bcfc3c54e0	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\explorer.exe	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

Drops file in Windows directory 4 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

description	ioc	process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\sihost.exe	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\66fc9ff0ee96c2	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
File created	C:\Windows\AppReadiness\Idle.exe	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
File created	C:\Windows\AppReadiness\6ccacd8608530f	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4820	schtasks.exe
4436	schtasks.exe
4804	schtasks.exe
1224	schtasks.exe
2084	schtasks.exe
3932	schtasks.exe
1912	schtasks.exe
4764	schtasks.exe
4720	schtasks.exe
4692	schtasks.exe
4832	schtasks.exe
4780	schtasks.exe
1180	schtasks.exe
800	schtasks.exe
4640	schtasks.exe
4380	schtasks.exe
1112	schtasks.exe
892	schtasks.exe

Modifies registry class 1 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exeIdle.exe

pid	process
3464	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
3464	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
3464	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
3464	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
3464	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
3464	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
3464	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe
2488	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Idle.exe

pid process

2488 Idle.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exeIdle.exe

description pid process

Token: SeDebugPrivilege 3464 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Token: SeDebugPrivilege 2488 Idle.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exeIdle.exe

pid process

3464 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
2488 Idle.exe

pid	process
2488	Idle.exe

description	pid	process
Token: SeDebugPrivilege	3464	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Token: SeDebugPrivilege	2488	Idle.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.execmd.exew32tm.exe

description	pid	process	target process
PID 3464 wrote to memory of 400	3464	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe	cmd.exe
PID 3464 wrote to memory of 400	3464	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe	cmd.exe
PID 3464 wrote to memory of 400	3464	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe	cmd.exe
PID 400 wrote to memory of 2600	400	cmd.exe	w32tm.exe
PID 400 wrote to memory of 2600	400	cmd.exe	w32tm.exe
PID 400 wrote to memory of 2600	400	cmd.exe	w32tm.exe
PID 2600 wrote to memory of 1772	2600	w32tm.exe	w32tm.exe
PID 2600 wrote to memory of 1772	2600	w32tm.exe	w32tm.exe
PID 400 wrote to memory of 2488	400	cmd.exe	Idle.exe
PID 400 wrote to memory of 2488	400	cmd.exe	Idle.exe
PID 400 wrote to memory of 2488	400	cmd.exe	Idle.exe

C:\Users\Admin\AppData\Local\Temp\7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
"C:\Users\Admin\AppData\Local\Temp\7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SYS1L0trOI.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:1772

C:\Windows\AppReadiness\Idle.exe
"C:\Windows\AppReadiness\Idle.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\AppReadiness\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\AppReadiness\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\AppReadiness\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SYS1L0trOI.bat
Filesize
197B

MD5
5ffa3ad2239fa9b545bb5d6946888cde

SHA1
0bcfa01ac2e461ea64592dbb93f4ea60a73ce24c

SHA256
c02997afa0b04f9acdf840127e776b81524b18f40fffc6fa6a1d186a60c1bd12

SHA512
9fa265a391e4c75cb6048e2374c543c7454a6bf1d8718f42968f85c5e25d974fb69894dde14c2d284249c3b7ffb6bb2faaa39cd86a98ba2946ecb7f6a644921c

Download Submit
C:\Windows\AppReadiness\Idle.exe
Filesize
1.9MB

MD5
3b15c55bae9fefd6585e43490f6bf231

SHA1
3e1815ec0f2fcc83c1aef7173baf749e4547f967

SHA256
7e649c9e6325c46601a81fd6c0dbf36ee6c85d0ee108c333b283140f96b842f6

SHA512
43b870f7feaf9b1290acd23f17d0b22ea678ef93f52b5d89e11f85dc87c6306e3fd45e151784001f502d2261f153737a82578a31cfdf1edd93f8b31d6a86b4bc

Download Submit
C:\Windows\AppReadiness\Idle.exe
Filesize
1.9MB

MD5
3b15c55bae9fefd6585e43490f6bf231

SHA1
3e1815ec0f2fcc83c1aef7173baf749e4547f967

SHA256
7e649c9e6325c46601a81fd6c0dbf36ee6c85d0ee108c333b283140f96b842f6

SHA512
43b870f7feaf9b1290acd23f17d0b22ea678ef93f52b5d89e11f85dc87c6306e3fd45e151784001f502d2261f153737a82578a31cfdf1edd93f8b31d6a86b4bc

Download Submit
memory/400-138-0x0000000000000000-mapping.dmp

Download
memory/1772-142-0x0000000000000000-mapping.dmp

Download
memory/2488-149-0x00000000007B0000-0x0000000000CB8000-memory.dmp

Filesize
5.0MB

Download
memory/2488-148-0x00000000007B0000-0x0000000000CB8000-memory.dmp

Filesize
5.0MB

Download
memory/2488-147-0x00000000007B0000-0x0000000000CB8000-memory.dmp

Filesize
5.0MB

Download
memory/2488-146-0x00000000007B0000-0x0000000000CB8000-memory.dmp

Filesize
5.0MB

Download
memory/2488-143-0x0000000000000000-mapping.dmp

Download
memory/2600-140-0x0000000000000000-mapping.dmp

Download
memory/3464-141-0x00000000006F0000-0x0000000000BF8000-memory.dmp

Filesize
5.0MB

Download
memory/3464-132-0x00000000006F0000-0x0000000000BF8000-memory.dmp

Filesize
5.0MB

Download
memory/3464-137-0x0000000006EF0000-0x0000000006F56000-memory.dmp

Filesize
408KB

Download
memory/3464-136-0x00000000066F0000-0x0000000006782000-memory.dmp

Filesize
584KB

Download
memory/3464-135-0x00000000065B0000-0x0000000006600000-memory.dmp

Filesize
320KB

Download
memory/3464-134-0x00000000068D0000-0x0000000006E74000-memory.dmp

Filesize
5.6MB

Download
memory/3464-133-0x00000000006F0000-0x0000000000BF8000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads