dcrat | f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c

General

Target

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
Size

1.5MB
MD5

142fc3f98e2b78474c392c72a6e4b826
SHA1

85e4bf6f82e3bc640652df5982a937fa1457e541
SHA256

f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c
SHA512

f1c80e94cc0d3deb7302d98fd9349d90114ccf370ba29e89329797f43404daa38fedde38bf241e713b78da3c43fbefd32566b522bf89fef195dcd1442e4ae964
SSDEEP

24576:fClaqwJlj0Wxxjb2dTGH7i3uOpK4KH/cKgphBhxqdvhm/Y3TnJ6f:fCqlj0exjxH7xn/WphBhg8A7J

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 14 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Windows.Devices.AllJoyn\backgroundTaskHost.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
3188	schtasks.exe
1264	schtasks.exe
4432	schtasks.exe
1548	schtasks.exe
2464	schtasks.exe
4364	schtasks.exe
3764	schtasks.exe
2980	schtasks.exe
232	schtasks.exe
2040	schtasks.exe
1020	schtasks.exe
1240	schtasks.exe
3452	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4708-138-0x0000000000700000-0x0000000000824000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

3544 explorer.exe
916 explorer.exe

pid	process
3544	explorer.exe
916	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exeHEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

Drops file in System32 directory 9 IoCs

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exeHEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sethc\dwm.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\SysWOW64\Windows.Devices.AllJoyn\backgroundTaskHost.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\SysWOW64\sppinst\taskhostw.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\SysWOW64\sppinst\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\SysWOW64\xwizard\RuntimeBroker.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\SysWOW64\xwizard\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Devices.AllJoyn\backgroundTaskHost.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\SysWOW64\Windows.Devices.AllJoyn\eddb19405b7ce1152b3e19997f2b467f0b72b3d3	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\SysWOW64\sethc\6cb0b6c459d5d3455a3da700e713f2e2529862ff	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exeHEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exeexplorer.exe

description	pid	process	target process
PID 2200 set thread context of 4708	2200	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 64 set thread context of 3788	64	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 3544 set thread context of 916	3544	explorer.exe	explorer.exe

Drops file in Program Files directory 2 IoCs

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\sppsvc.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Program Files\Uninstall Information\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

Drops file in Windows directory 9 IoCs

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exeHEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

description	ioc	process
File opened for modification	C:\Windows\setupact\explorer.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\setupact\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\notepad\explorer.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\notepad\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\setupact\explorer.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\CbsTemp\Idle.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\CbsTemp\6ccacd8608530fba3a93e87ae2225c7032aa18c1	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\55b276f4edf653fe07efe8f1ecc32d3d195abd16	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3188	schtasks.exe
1020	schtasks.exe
232	schtasks.exe
3452	schtasks.exe
1548	schtasks.exe
2464	schtasks.exe
1264	schtasks.exe
1240	schtasks.exe
4364	schtasks.exe
2040	schtasks.exe
3764	schtasks.exe
4432	schtasks.exe
2980	schtasks.exe

Modifies registry class 1 IoCs

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4892 PING.EXE

pid	process
4892	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exeHEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exeexplorer.exe

pid	process
4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
3788	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
916	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exeHEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
Token: SeDebugPrivilege	3788	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
Token: SeDebugPrivilege	916	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exeHEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.execmd.exeHEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exeHEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe

description	pid	process	target process
PID 2200 wrote to memory of 4708	2200	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 2200 wrote to memory of 4708	2200	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 2200 wrote to memory of 4708	2200	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 2200 wrote to memory of 4708	2200	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 2200 wrote to memory of 4708	2200	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 2200 wrote to memory of 4708	2200	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 2200 wrote to memory of 4708	2200	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 2200 wrote to memory of 4708	2200	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 2200 wrote to memory of 4708	2200	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 4708 wrote to memory of 1264	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 1264	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 1264	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 1240	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 1240	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 1240	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 4364	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 4364	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 4364	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 3188	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 3188	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 3188	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 2040	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 2040	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 2040	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 1020	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 1020	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 1020	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 232	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 232	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 232	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 3764	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 3764	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 3764	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 3452	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 3452	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 3452	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 4708 wrote to memory of 1412	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	cmd.exe
PID 4708 wrote to memory of 1412	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	cmd.exe
PID 4708 wrote to memory of 1412	4708	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	cmd.exe
PID 1412 wrote to memory of 1400	1412	cmd.exe	chcp.com
PID 1412 wrote to memory of 1400	1412	cmd.exe	chcp.com
PID 1412 wrote to memory of 1400	1412	cmd.exe	chcp.com
PID 1412 wrote to memory of 4892	1412	cmd.exe	PING.EXE
PID 1412 wrote to memory of 4892	1412	cmd.exe	PING.EXE
PID 1412 wrote to memory of 4892	1412	cmd.exe	PING.EXE
PID 1412 wrote to memory of 64	1412	cmd.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 1412 wrote to memory of 64	1412	cmd.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 1412 wrote to memory of 64	1412	cmd.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 64 wrote to memory of 3788	64	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 64 wrote to memory of 3788	64	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 64 wrote to memory of 3788	64	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 64 wrote to memory of 3788	64	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 64 wrote to memory of 3788	64	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 64 wrote to memory of 3788	64	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 64 wrote to memory of 3788	64	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 64 wrote to memory of 3788	64	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 64 wrote to memory of 3788	64	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
PID 3788 wrote to memory of 4432	3788	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 3788 wrote to memory of 4432	3788	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 3788 wrote to memory of 4432	3788	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 3788 wrote to memory of 1548	3788	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 3788 wrote to memory of 1548	3788	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 3788 wrote to memory of 1548	3788	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe
PID 3788 wrote to memory of 2980	3788	HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
"{path}"
2⤵
- DcRat
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Devices.AllJoyn\backgroundTaskHost.exe'" /rl HIGHEST /f
3⤵
- DcRat
- Creates scheduled task(s)
PID:1264

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367" /sc ONLOGON /tr "'C:\Documents and Settings\HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe'" /rl HIGHEST /f
3⤵
- DcRat
- Creates scheduled task(s)
PID:1240

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe'" /rl HIGHEST /f
3⤵
- DcRat
- Creates scheduled task(s)
PID:4364

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\notepad\explorer.exe'" /rl HIGHEST /f
3⤵
- DcRat
- Creates scheduled task(s)
PID:3188

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\WmiPrvSE.exe'" /rl HIGHEST /f
3⤵
- DcRat
- Creates scheduled task(s)
PID:2040

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
3⤵
- DcRat
- Creates scheduled task(s)
PID:1020

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\sppinst\taskhostw.exe'" /rl HIGHEST /f
3⤵
- DcRat
- Creates scheduled task(s)
PID:232

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\sethc\dwm.exe'" /rl HIGHEST /f
3⤵
- DcRat
- Creates scheduled task(s)
PID:3764

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dwm.exe'" /rl HIGHEST /f
3⤵
- DcRat
- Creates scheduled task(s)
PID:3452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t4JYyhhynB.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1400

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Runs ping.exe
PID:4892

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:64

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe
"{path}"
5⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\setupact\explorer.exe'" /rl HIGHEST /f
6⤵
- DcRat
- Creates scheduled task(s)
PID:4432

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
6⤵
- DcRat
- Creates scheduled task(s)
PID:1548

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\CbsTemp\Idle.exe'" /rl HIGHEST /f
6⤵
- DcRat
- Creates scheduled task(s)
PID:2980

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\xwizard\RuntimeBroker.exe'" /rl HIGHEST /f
6⤵
- DcRat
- Creates scheduled task(s)
PID:2464

C:\Windows\setupact\explorer.exe
"C:\Windows\setupact\explorer.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3544

C:\Windows\setupact\explorer.exe
"{path}"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HEUR-Trojan-PSW.MSIL.Reline.gen-f45baeadbd367.exe.log
Filesize
418B

MD5
98eea38457c9976c0ec48b5a70964041

SHA1
281ec6ada096be89ade13852ca86edfe42ffe3c1

SHA256
4a7455429d6f3c7390f97bc406d0bcc7d64ddff6bee5ffa9e88c5a75f806bfcf

SHA512
adb7bb4e1434d743932890aede4daa55c6e9f091415292775313dd172949fbd415f124c97e017a8204aab530b6184f196ab5cce005781b0853ffccc620f07530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\explorer.exe.log
Filesize
418B

MD5
98eea38457c9976c0ec48b5a70964041

SHA1
281ec6ada096be89ade13852ca86edfe42ffe3c1

SHA256
4a7455429d6f3c7390f97bc406d0bcc7d64ddff6bee5ffa9e88c5a75f806bfcf

SHA512
adb7bb4e1434d743932890aede4daa55c6e9f091415292775313dd172949fbd415f124c97e017a8204aab530b6184f196ab5cce005781b0853ffccc620f07530

Download Submit
C:\Users\Admin\AppData\Local\Temp\t4JYyhhynB.bat
Filesize
249B

MD5
3181afdfec1f10df480ff78d1844a439

SHA1
a7a06ac4e647907abc57ee5b0e98be0d29a4b3b8

SHA256
2e43f0bdb0c90514b343722ec76b96a83d14cf576badd801fe81c7114a755b75

SHA512
65be1ada68f73360bd2a2e759717065d06ded1423fd1fa2fe907f41541c8b16c67c8db84c97d45929628d1c828734c5a7acc1ac2728bd878006ba825b6d5304b

Download Submit
C:\Windows\setupact\explorer.exe
Filesize
1.5MB

MD5
142fc3f98e2b78474c392c72a6e4b826

SHA1
85e4bf6f82e3bc640652df5982a937fa1457e541

SHA256
f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c

SHA512
f1c80e94cc0d3deb7302d98fd9349d90114ccf370ba29e89329797f43404daa38fedde38bf241e713b78da3c43fbefd32566b522bf89fef195dcd1442e4ae964

Download Submit
C:\Windows\setupact\explorer.exe
Filesize
1.5MB

MD5
142fc3f98e2b78474c392c72a6e4b826

SHA1
85e4bf6f82e3bc640652df5982a937fa1457e541

SHA256
f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c

SHA512
f1c80e94cc0d3deb7302d98fd9349d90114ccf370ba29e89329797f43404daa38fedde38bf241e713b78da3c43fbefd32566b522bf89fef195dcd1442e4ae964

Download Submit
C:\Windows\setupact\explorer.exe
Filesize
1.5MB

MD5
142fc3f98e2b78474c392c72a6e4b826

SHA1
85e4bf6f82e3bc640652df5982a937fa1457e541

SHA256
f45baeadbd3670a3d6f0e5e5dd53325269153dcd02195c8d98d1a49db8a6b46c

SHA512
f1c80e94cc0d3deb7302d98fd9349d90114ccf370ba29e89329797f43404daa38fedde38bf241e713b78da3c43fbefd32566b522bf89fef195dcd1442e4ae964

Download Submit
memory/64-153-0x0000000000000000-mapping.dmp

Download
memory/232-146-0x0000000000000000-mapping.dmp

Download
memory/916-163-0x0000000000000000-mapping.dmp

Download
memory/1020-145-0x0000000000000000-mapping.dmp

Download
memory/1240-141-0x0000000000000000-mapping.dmp

Download
memory/1264-140-0x0000000000000000-mapping.dmp

Download
memory/1400-151-0x0000000000000000-mapping.dmp

Download
memory/1412-149-0x0000000000000000-mapping.dmp

Download
memory/1548-157-0x0000000000000000-mapping.dmp

Download
memory/2040-144-0x0000000000000000-mapping.dmp

Download
memory/2200-132-0x0000000000C10000-0x0000000000D9A000-memory.dmp

Filesize
1.5MB

Download
memory/2200-133-0x0000000008730000-0x0000000008CD4000-memory.dmp

Filesize
5.6MB

Download
memory/2200-134-0x0000000006AF0000-0x0000000006B8C000-memory.dmp

Filesize
624KB

Download
memory/2464-159-0x0000000000000000-mapping.dmp

Download
memory/2980-158-0x0000000000000000-mapping.dmp

Download
memory/3188-143-0x0000000000000000-mapping.dmp

Download
memory/3452-148-0x0000000000000000-mapping.dmp

Download
memory/3544-160-0x0000000000000000-mapping.dmp

Download
memory/3764-147-0x0000000000000000-mapping.dmp

Download
memory/3788-154-0x0000000000000000-mapping.dmp

Download
memory/4364-142-0x0000000000000000-mapping.dmp

Download
memory/4432-156-0x0000000000000000-mapping.dmp

Download
memory/4708-138-0x0000000000700000-0x0000000000824000-memory.dmp

Filesize
1.1MB

Download
memory/4708-135-0x0000000000000000-mapping.dmp

Download
memory/4708-139-0x0000000004BE0000-0x0000000004C46000-memory.dmp

Filesize
408KB

Download
memory/4892-152-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads