dcrat | 01e29f940622ea5058fe8d7ce27d65dad6b03375e933aae9332cb0794f157182

General

Target

a94aca257665bcea149485ab8facd158b5aa6d7c0885b68b56d1a97293dc663e.exe
Size

2.9MB
MD5

0bcc3265d6d56e45dab526559699b422
SHA1

7d39ccb90dd9bbfed5821fc0f99412c35a0042c0
SHA256

a94aca257665bcea149485ab8facd158b5aa6d7c0885b68b56d1a97293dc663e
SHA512

9c9eaaf4bacb3db059b60807647c6aedfd3f00953ab29c35a13780df506774d4b04b678c6f6c7c3ae4ed5f8e07db0be48e76eff23b1c6a26454be55a47fa7bd9
SSDEEP

49152:UbA30uDZpwmT1XvIwCsVM69SorvgQM/Fngf2z5op/SyPfvxgN+B3Ah8:UbatphI3sVBdrvgj/Fgf2z5op/dPnxq+

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1472	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bridgeWebperf.exespoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bridgeWebperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bridgeWebperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bridgeWebperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\chainFont\bridgeWebperf.exe	dcrat
C:\chainFont\bridgeWebperf.exe	dcrat
C:\chainFont\bridgeWebperf.exe	dcrat
\chainFont\bridgeWebperf.exe	dcrat
behavioral1/memory/1308-65-0x0000000000CF0000-0x0000000000F88000-memory.dmp	dcrat
C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe	dcrat
behavioral1/memory/1468-79-0x0000000000A20000-0x0000000000CB8000-memory.dmp	dcrat
C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

bridgeWebperf.exespoolsv.exe

pid process

1308 bridgeWebperf.exe
1468 spoolsv.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1632 cmd.exe
1632 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1632	cmd.exe
1632	cmd.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

spoolsv.exebridgeWebperf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bridgeWebperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bridgeWebperf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in Program Files directory 11 IoCs

Processes:

bridgeWebperf.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\cmd.exe	bridgeWebperf.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\ebf1f9fa8afd6d	bridgeWebperf.exe
File created	C:\Program Files\VideoLAN\VLC\skins\conhost.exe	bridgeWebperf.exe
File created	C:\Program Files\VideoLAN\VLC\skins\088424020bedd6	bridgeWebperf.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\taskhost.exe	bridgeWebperf.exe
File created	C:\Program Files\Microsoft Games\csrss.exe	bridgeWebperf.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe	bridgeWebperf.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\f3b6ecef712a24	bridgeWebperf.exe
File created	C:\Program Files\Microsoft Games\886983d96e3d3e	bridgeWebperf.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe	bridgeWebperf.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\b75386f1303e64	bridgeWebperf.exe

Drops file in Windows directory 4 IoCs

Processes:

bridgeWebperf.exe

description	ioc	process
File created	C:\Windows\RemotePackages\RemoteDesktops\bridgeWebperf.exe	bridgeWebperf.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\24ec23274f55a8	bridgeWebperf.exe
File created	C:\Windows\Offline Web Pages\conhost.exe	bridgeWebperf.exe
File created	C:\Windows\Offline Web Pages\088424020bedd6	bridgeWebperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1376	schtasks.exe
980	schtasks.exe
292	schtasks.exe
956	schtasks.exe
2024	schtasks.exe
904	schtasks.exe
1972	schtasks.exe
1368	schtasks.exe
1892	schtasks.exe
1156	schtasks.exe
1688	schtasks.exe
944	schtasks.exe
1144	schtasks.exe
1620	schtasks.exe
1272	schtasks.exe
1020	schtasks.exe
1588	schtasks.exe
1988	schtasks.exe
1580	schtasks.exe
1668	schtasks.exe
1684	schtasks.exe
1604	schtasks.exe
1820	schtasks.exe
548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

bridgeWebperf.exespoolsv.exe

pid	process
1308	bridgeWebperf.exe
1308	bridgeWebperf.exe
1308	bridgeWebperf.exe
1308	bridgeWebperf.exe
1308	bridgeWebperf.exe
1468	spoolsv.exe
1468	spoolsv.exe
1468	spoolsv.exe
1468	spoolsv.exe
1468	spoolsv.exe
1468	spoolsv.exe
1468	spoolsv.exe
1468	spoolsv.exe
1468	spoolsv.exe
1468	spoolsv.exe
1468	spoolsv.exe
1468	spoolsv.exe
1468	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bridgeWebperf.exespoolsv.exe

description pid process

Token: SeDebugPrivilege 1308 bridgeWebperf.exe
Token: SeDebugPrivilege 1468 spoolsv.exe

description	pid	process
Token: SeDebugPrivilege	1308	bridgeWebperf.exe
Token: SeDebugPrivilege	1468	spoolsv.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a94aca257665bcea149485ab8facd158b5aa6d7c0885b68b56d1a97293dc663e.exeWScript.execmd.exebridgeWebperf.exe

description	pid	process	target process
PID 1056 wrote to memory of 1676	1056	a94aca257665bcea149485ab8facd158b5aa6d7c0885b68b56d1a97293dc663e.exe	WScript.exe
PID 1056 wrote to memory of 1676	1056	a94aca257665bcea149485ab8facd158b5aa6d7c0885b68b56d1a97293dc663e.exe	WScript.exe
PID 1056 wrote to memory of 1676	1056	a94aca257665bcea149485ab8facd158b5aa6d7c0885b68b56d1a97293dc663e.exe	WScript.exe
PID 1056 wrote to memory of 1676	1056	a94aca257665bcea149485ab8facd158b5aa6d7c0885b68b56d1a97293dc663e.exe	WScript.exe
PID 1676 wrote to memory of 1632	1676	WScript.exe	cmd.exe
PID 1676 wrote to memory of 1632	1676	WScript.exe	cmd.exe
PID 1676 wrote to memory of 1632	1676	WScript.exe	cmd.exe
PID 1676 wrote to memory of 1632	1676	WScript.exe	cmd.exe
PID 1632 wrote to memory of 1308	1632	cmd.exe	bridgeWebperf.exe
PID 1632 wrote to memory of 1308	1632	cmd.exe	bridgeWebperf.exe
PID 1632 wrote to memory of 1308	1632	cmd.exe	bridgeWebperf.exe
PID 1632 wrote to memory of 1308	1632	cmd.exe	bridgeWebperf.exe
PID 1308 wrote to memory of 1468	1308	bridgeWebperf.exe	spoolsv.exe
PID 1308 wrote to memory of 1468	1308	bridgeWebperf.exe	spoolsv.exe
PID 1308 wrote to memory of 1468	1308	bridgeWebperf.exe	spoolsv.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

bridgeWebperf.exespoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bridgeWebperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bridgeWebperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bridgeWebperf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\a94aca257665bcea149485ab8facd158b5aa6d7c0885b68b56d1a97293dc663e.exe
"C:\Users\Admin\AppData\Local\Temp\a94aca257665bcea149485ab8facd158b5aa6d7c0885b68b56d1a97293dc663e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\chainFont\f6LEq510ArPb.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\chainFont\im4gEs99.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\chainFont\bridgeWebperf.exe
"C:\chainFont\bridgeWebperf.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1308

C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe
"C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeWebperfb" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteDesktops\bridgeWebperf.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeWebperf" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\bridgeWebperf.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeWebperfb" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\bridgeWebperf.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\skins\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe
Filesize
2.6MB

MD5
369f77ade5f7b913959a3ff904bf6ca7

SHA1
6c4a8f69c5e4d1ba0546831d93017cd4a34af158

SHA256
534aeebad1da26ed057bbae6592a6ec24a7f8d5fff962d1a20639be1566ba850

SHA512
36b79caf2faaddf2b59221f0c86b390318e34f86908c6d7d5a6f88d22f41a8a1c2d28a148fad3b8ea774d0cec54a1842c7b90dd5adaff04e56b1ab88223932e8

Download Submit
C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe
Filesize
2.6MB

MD5
369f77ade5f7b913959a3ff904bf6ca7

SHA1
6c4a8f69c5e4d1ba0546831d93017cd4a34af158

SHA256
534aeebad1da26ed057bbae6592a6ec24a7f8d5fff962d1a20639be1566ba850

SHA512
36b79caf2faaddf2b59221f0c86b390318e34f86908c6d7d5a6f88d22f41a8a1c2d28a148fad3b8ea774d0cec54a1842c7b90dd5adaff04e56b1ab88223932e8

Download Submit
C:\chainFont\bridgeWebperf.exe
Filesize
2.6MB

MD5
369f77ade5f7b913959a3ff904bf6ca7

SHA1
6c4a8f69c5e4d1ba0546831d93017cd4a34af158

SHA256
534aeebad1da26ed057bbae6592a6ec24a7f8d5fff962d1a20639be1566ba850

SHA512
36b79caf2faaddf2b59221f0c86b390318e34f86908c6d7d5a6f88d22f41a8a1c2d28a148fad3b8ea774d0cec54a1842c7b90dd5adaff04e56b1ab88223932e8

Download Submit
C:\chainFont\bridgeWebperf.exe
Filesize
2.6MB

MD5
369f77ade5f7b913959a3ff904bf6ca7

SHA1
6c4a8f69c5e4d1ba0546831d93017cd4a34af158

SHA256
534aeebad1da26ed057bbae6592a6ec24a7f8d5fff962d1a20639be1566ba850

SHA512
36b79caf2faaddf2b59221f0c86b390318e34f86908c6d7d5a6f88d22f41a8a1c2d28a148fad3b8ea774d0cec54a1842c7b90dd5adaff04e56b1ab88223932e8

Download Submit
C:\chainFont\f6LEq510ArPb.vbe
Filesize
194B

MD5
9b1731fd52f1093ce5d2646806bb0f67

SHA1
1829c42c07b61f794cd6aa78d97c362ff435397d

SHA256
0eff669ac70c9c276b1e7347ccc209c53a0a44051a9db21670bf77e84f8b06be

SHA512
97c71cf1b9250292e723789c1720b10efe9be0154c4ec991b6d04914a57ce0140c1b19c26494ddefe2d2cf5830df6f99fefc43faf92c559ebe309fda93fe348e

Download Submit
C:\chainFont\im4gEs99.bat
Filesize
32B

MD5
0973a68ef3bb6e60eb01ed64d6dd4225

SHA1
420169a5dcb306495fe4373fbbfbf6faabcdb898

SHA256
49185aed14e2e8245ed5626349c3b32af69c6ddd4849e32364d81d80f2d63a90

SHA512
707f1fa491dd1a91b4274630762bad3aeb0c0ad520d4fd71548a10e1af2369cd6aa7872251fee40802dcf60ce551a4176a815d22c227623ca09c4ea75b1f19be

Download Submit
\chainFont\bridgeWebperf.exe
Filesize
2.6MB

MD5
369f77ade5f7b913959a3ff904bf6ca7

SHA1
6c4a8f69c5e4d1ba0546831d93017cd4a34af158

SHA256
534aeebad1da26ed057bbae6592a6ec24a7f8d5fff962d1a20639be1566ba850

SHA512
36b79caf2faaddf2b59221f0c86b390318e34f86908c6d7d5a6f88d22f41a8a1c2d28a148fad3b8ea774d0cec54a1842c7b90dd5adaff04e56b1ab88223932e8

Download Submit
\chainFont\bridgeWebperf.exe
Filesize
2.6MB

MD5
369f77ade5f7b913959a3ff904bf6ca7

SHA1
6c4a8f69c5e4d1ba0546831d93017cd4a34af158

SHA256
534aeebad1da26ed057bbae6592a6ec24a7f8d5fff962d1a20639be1566ba850

SHA512
36b79caf2faaddf2b59221f0c86b390318e34f86908c6d7d5a6f88d22f41a8a1c2d28a148fad3b8ea774d0cec54a1842c7b90dd5adaff04e56b1ab88223932e8

Download Submit
memory/1056-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1308-67-0x0000000000930000-0x0000000000946000-memory.dmp

Filesize
88KB

Download
memory/1308-73-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/1308-66-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/1308-63-0x0000000000000000-mapping.dmp

Download
memory/1308-68-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/1308-69-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/1308-70-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/1308-71-0x0000000000A60000-0x0000000000AB6000-memory.dmp

Filesize
344KB

Download
memory/1308-72-0x0000000000B30000-0x0000000000B3C000-memory.dmp

Filesize
48KB

Download
memory/1308-65-0x0000000000CF0000-0x0000000000F88000-memory.dmp

Filesize
2.6MB

Download
memory/1308-74-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/1308-75-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/1468-76-0x0000000000000000-mapping.dmp

Download
memory/1468-79-0x0000000000A20000-0x0000000000CB8000-memory.dmp

Filesize
2.6MB

Download
memory/1468-80-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/1468-81-0x00000000009A0000-0x00000000009F6000-memory.dmp

Filesize
344KB

Download
memory/1632-59-0x0000000000000000-mapping.dmp

Download
memory/1676-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads