dcrat | 87ade58bfd0c4657778eccf90ffb4409c61012dcd2134c708bebe60a872599b5

General

Target

c2705b8b9562a559b785e347ead070c4.exe
Size

1.5MB
MD5

c2705b8b9562a559b785e347ead070c4
SHA1

74e5efad74eeb3e80c689c2f2fa4c8e19d55b94a
SHA256

87ade58bfd0c4657778eccf90ffb4409c61012dcd2134c708bebe60a872599b5
SHA512

28764caefea9a2e23e5793c9118f5f7926d9e1d507f237f004a16fb81dfbfddd4c33c11843ef6eb9fa655d85443b032b878a88cc7cb9c379292e8813012bb83e
SSDEEP

24576:Y2kx1r2DVrfP/LtFYnnq4xuO1N/EZbUtJSU5KlyR5:YV0V3RFh4g2N/EZ4B5KlyR

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	960	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	960	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1576-54-0x00000000009B0000-0x0000000000B3C000-memory.dmp	dcrat
C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\dwm.exe	dcrat
C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\dwm.exe	dcrat
behavioral1/memory/2356-68-0x0000000000FF0000-0x000000000117C000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

dwm.exe

pid process

2356 dwm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2356	dwm.exe

Drops file in Program Files directory 6 IoCs

Processes:

c2705b8b9562a559b785e347ead070c4.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\services.exe	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\c5b4cb5e9653cc	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Program Files\Windows Mail\de-DE\csrss.exe	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Program Files\Windows Mail\de-DE\886983d96e3d3e	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Program Files\Microsoft Office\Office14\lsass.exe	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Program Files\Microsoft Office\Office14\6203df4a6bafc7	c2705b8b9562a559b785e347ead070c4.exe

Drops file in Windows directory 5 IoCs

Processes:

c2705b8b9562a559b785e347ead070c4.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\1036\WmiPrvSE.exe	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Windows\Microsoft.NET\Framework64\1036\24dbde2999530e	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Windows\rescache\rc0002\spoolsv.exe	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\dwm.exe	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\6cb0b6c459d5d3	c2705b8b9562a559b785e347ead070c4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
328	schtasks.exe
600	schtasks.exe
2068	schtasks.exe
1044	schtasks.exe
840	schtasks.exe
548	schtasks.exe
484	schtasks.exe
2004	schtasks.exe
1936	schtasks.exe
768	schtasks.exe
1748	schtasks.exe
2136	schtasks.exe
1760	schtasks.exe
1720	schtasks.exe
2180	schtasks.exe
1648	schtasks.exe
1624	schtasks.exe
280	schtasks.exe
1392	schtasks.exe
1096	schtasks.exe
548	schtasks.exe
2204	schtasks.exe
2228	schtasks.exe
1160	schtasks.exe
812	schtasks.exe
2156	schtasks.exe
268	schtasks.exe
1844	schtasks.exe
1952	schtasks.exe
1636	schtasks.exe
1328	schtasks.exe
1692	schtasks.exe
1168	schtasks.exe
300	schtasks.exe
1616	schtasks.exe
1944	schtasks.exe
436	schtasks.exe
1884	schtasks.exe
832	schtasks.exe
1552	schtasks.exe
1204	schtasks.exe
2272	schtasks.exe
2244	schtasks.exe
1884	schtasks.exe
2088	schtasks.exe
2292	schtasks.exe
1044	schtasks.exe
2012	schtasks.exe
1488	schtasks.exe
2316	schtasks.exe
1076	schtasks.exe
1476	schtasks.exe
2108	schtasks.exe
1144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

c2705b8b9562a559b785e347ead070c4.exedwm.exe

pid	process
1576	c2705b8b9562a559b785e347ead070c4.exe
1576	c2705b8b9562a559b785e347ead070c4.exe
1576	c2705b8b9562a559b785e347ead070c4.exe
1576	c2705b8b9562a559b785e347ead070c4.exe
1576	c2705b8b9562a559b785e347ead070c4.exe
2356	dwm.exe
2356	dwm.exe
2356	dwm.exe
2356	dwm.exe
2356	dwm.exe
2356	dwm.exe
2356	dwm.exe
2356	dwm.exe
2356	dwm.exe
2356	dwm.exe
2356	dwm.exe
2356	dwm.exe
2356	dwm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c2705b8b9562a559b785e347ead070c4.exedwm.exe

description pid process

Token: SeDebugPrivilege 1576 c2705b8b9562a559b785e347ead070c4.exe
Token: SeDebugPrivilege 2356 dwm.exe

description	pid	process
Token: SeDebugPrivilege	1576	c2705b8b9562a559b785e347ead070c4.exe
Token: SeDebugPrivilege	2356	dwm.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c2705b8b9562a559b785e347ead070c4.exedwm.exe

description	pid	process	target process
PID 1576 wrote to memory of 2356	1576	c2705b8b9562a559b785e347ead070c4.exe	dwm.exe
PID 1576 wrote to memory of 2356	1576	c2705b8b9562a559b785e347ead070c4.exe	dwm.exe
PID 1576 wrote to memory of 2356	1576	c2705b8b9562a559b785e347ead070c4.exe	dwm.exe
PID 2356 wrote to memory of 2516	2356	dwm.exe	WScript.exe
PID 2356 wrote to memory of 2516	2356	dwm.exe	WScript.exe
PID 2356 wrote to memory of 2516	2356	dwm.exe	WScript.exe
PID 2356 wrote to memory of 2536	2356	dwm.exe	WScript.exe
PID 2356 wrote to memory of 2536	2356	dwm.exe	WScript.exe
PID 2356 wrote to memory of 2536	2356	dwm.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\c2705b8b9562a559b785e347ead070c4.exe
"C:\Users\Admin\AppData\Local\Temp\c2705b8b9562a559b785e347ead070c4.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\dwm.exe
"C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\dwm.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\681b3ffe-1b95-49f3-b96c-c3b322df1beb.vbs"
3⤵
PID:2516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56d4e36d-9a1e-4a71-ad86-e66a4988549a.vbs"
3⤵
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\Framework64\1036\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\1036\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\Framework64\1036\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\56d4e36d-9a1e-4a71-ad86-e66a4988549a.vbs
Filesize
511B

MD5
44e5664c6d74c1ee2c90946f55ae689f

SHA1
1642368f638e3f163b4c810c0b92242262b31a3f

SHA256
bd4429bca8e472aa1a7c50191e7dfe617dd3f1c8e1d1e214cd86cd295a064448

SHA512
bc3976ee5d4797a8aceed8fdb9028cca2ca00e62be59946207e4c81b4c43afc5ec84dc14c0d5ca069961b9bf89cf774546f0fbf54e645042e49f345d0c86582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\681b3ffe-1b95-49f3-b96c-c3b322df1beb.vbs
Filesize
735B

MD5
318839cae86c3d59ac8a8cf380eb2d1e

SHA1
f1abf1cd06fdd3e3fffabd544d4800b75fe18817

SHA256
c92652a5b8d16cc740d95e14b7130ba16e19c27372e3cdc480bd1fed5d9fcd32

SHA512
4b3163a733c31ebb58efadb59555d578c7c0fb656ce9ac263a5ddbee7daeca2ec9f9cc5cd3d7fdd42c3f11b9be09254fa843aa488bc33390f067ec01afdb7d83

Download Submit
C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\dwm.exe
Filesize
1.5MB

MD5
c2705b8b9562a559b785e347ead070c4

SHA1
74e5efad74eeb3e80c689c2f2fa4c8e19d55b94a

SHA256
87ade58bfd0c4657778eccf90ffb4409c61012dcd2134c708bebe60a872599b5

SHA512
28764caefea9a2e23e5793c9118f5f7926d9e1d507f237f004a16fb81dfbfddd4c33c11843ef6eb9fa655d85443b032b878a88cc7cb9c379292e8813012bb83e

Download Submit
C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\dwm.exe
Filesize
1.5MB

MD5
c2705b8b9562a559b785e347ead070c4

SHA1
74e5efad74eeb3e80c689c2f2fa4c8e19d55b94a

SHA256
87ade58bfd0c4657778eccf90ffb4409c61012dcd2134c708bebe60a872599b5

SHA512
28764caefea9a2e23e5793c9118f5f7926d9e1d507f237f004a16fb81dfbfddd4c33c11843ef6eb9fa655d85443b032b878a88cc7cb9c379292e8813012bb83e

Download Submit
memory/1576-58-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/1576-56-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/1576-60-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/1576-61-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/1576-62-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/1576-63-0x0000000000660000-0x000000000066E000-memory.dmp

Filesize
56KB

Download
memory/1576-64-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/1576-59-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/1576-54-0x00000000009B0000-0x0000000000B3C000-memory.dmp

Filesize
1.5MB

Download
memory/1576-57-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/1576-55-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2356-65-0x0000000000000000-mapping.dmp

Download
memory/2356-68-0x0000000000FF0000-0x000000000117C000-memory.dmp

Filesize
1.5MB

Download
memory/2516-69-0x0000000000000000-mapping.dmp

Download
memory/2536-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads