dcrat | 87ade58bfd0c4657778eccf90ffb4409c61012dcd2134c708bebe60a872599b5

General

Target

c2705b8b9562a559b785e347ead070c4.exe
Size

1.5MB
MD5

c2705b8b9562a559b785e347ead070c4
SHA1

74e5efad74eeb3e80c689c2f2fa4c8e19d55b94a
SHA256

87ade58bfd0c4657778eccf90ffb4409c61012dcd2134c708bebe60a872599b5
SHA512

28764caefea9a2e23e5793c9118f5f7926d9e1d507f237f004a16fb81dfbfddd4c33c11843ef6eb9fa655d85443b032b878a88cc7cb9c379292e8813012bb83e
SSDEEP

24576:Y2kx1r2DVrfP/LtFYnnq4xuO1N/EZbUtJSU5KlyR5:YV0V3RFh4g2N/EZ4B5KlyR

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	4268	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4268	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4224-132-0x0000000000890000-0x0000000000A1C000-memory.dmp	dcrat
C:\Windows\Performance\OfficeClickToRun.exe	dcrat
C:\Windows\Performance\OfficeClickToRun.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

OfficeClickToRun.exe

pid process

780 OfficeClickToRun.exe

pid	process
780	OfficeClickToRun.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c2705b8b9562a559b785e347ead070c4.exec2705b8b9562a559b785e347ead070c4.exeOfficeClickToRun.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c2705b8b9562a559b785e347ead070c4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c2705b8b9562a559b785e347ead070c4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 10 IoCs

Processes:

c2705b8b9562a559b785e347ead070c4.exec2705b8b9562a559b785e347ead070c4.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\55b276f4edf653	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Program Files\Internet Explorer\de-DE\9e8d7a4ca61bd9	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\5b884080fd4f94	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Program Files\Mozilla Firefox\winlogon.exe	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Program Files\Mozilla Firefox\cc11b995f2a76d	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6ccacd8608530f	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Program Files\Internet Explorer\de-DE\RuntimeBroker.exe	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe	c2705b8b9562a559b785e347ead070c4.exe

Drops file in Windows directory 3 IoCs

Processes:

c2705b8b9562a559b785e347ead070c4.exe

description	ioc	process
File created	C:\Windows\Performance\OfficeClickToRun.exe	c2705b8b9562a559b785e347ead070c4.exe
File opened for modification	C:\Windows\Performance\OfficeClickToRun.exe	c2705b8b9562a559b785e347ead070c4.exe
File created	C:\Windows\Performance\e6c9b481da804f	c2705b8b9562a559b785e347ead070c4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4464	schtasks.exe
1176	schtasks.exe
1364	schtasks.exe
4296	schtasks.exe
4364	schtasks.exe
5112	schtasks.exe
4120	schtasks.exe
2444	schtasks.exe
2484	schtasks.exe
460	schtasks.exe
652	schtasks.exe
4156	schtasks.exe
344	schtasks.exe
4264	schtasks.exe
4512	schtasks.exe
3412	schtasks.exe
728	schtasks.exe
1244	schtasks.exe
2360	schtasks.exe
1308	schtasks.exe
1716	schtasks.exe
1620	schtasks.exe
3484	schtasks.exe
2984	schtasks.exe
2400	schtasks.exe
3752	schtasks.exe
4532	schtasks.exe
788	schtasks.exe
4448	schtasks.exe
2032	schtasks.exe

Modifies registry class 2 IoCs

Processes:

c2705b8b9562a559b785e347ead070c4.exeOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	c2705b8b9562a559b785e347ead070c4.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

c2705b8b9562a559b785e347ead070c4.exec2705b8b9562a559b785e347ead070c4.exeOfficeClickToRun.exe

pid	process
4224	c2705b8b9562a559b785e347ead070c4.exe
3844	c2705b8b9562a559b785e347ead070c4.exe
3844	c2705b8b9562a559b785e347ead070c4.exe
3844	c2705b8b9562a559b785e347ead070c4.exe
780	OfficeClickToRun.exe
780	OfficeClickToRun.exe
780	OfficeClickToRun.exe
780	OfficeClickToRun.exe
780	OfficeClickToRun.exe
780	OfficeClickToRun.exe
780	OfficeClickToRun.exe
780	OfficeClickToRun.exe
780	OfficeClickToRun.exe
780	OfficeClickToRun.exe
780	OfficeClickToRun.exe
780	OfficeClickToRun.exe
780	OfficeClickToRun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OfficeClickToRun.exe

pid process

780 OfficeClickToRun.exe

pid	process
780	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c2705b8b9562a559b785e347ead070c4.exec2705b8b9562a559b785e347ead070c4.exeOfficeClickToRun.exe

description	pid	process
Token: SeDebugPrivilege	4224	c2705b8b9562a559b785e347ead070c4.exe
Token: SeDebugPrivilege	3844	c2705b8b9562a559b785e347ead070c4.exe
Token: SeDebugPrivilege	780	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c2705b8b9562a559b785e347ead070c4.execmd.exec2705b8b9562a559b785e347ead070c4.exeOfficeClickToRun.exe

description	pid	process	target process
PID 4224 wrote to memory of 3272	4224	c2705b8b9562a559b785e347ead070c4.exe	cmd.exe
PID 4224 wrote to memory of 3272	4224	c2705b8b9562a559b785e347ead070c4.exe	cmd.exe
PID 3272 wrote to memory of 2376	3272	cmd.exe	w32tm.exe
PID 3272 wrote to memory of 2376	3272	cmd.exe	w32tm.exe
PID 3272 wrote to memory of 3844	3272	cmd.exe	c2705b8b9562a559b785e347ead070c4.exe
PID 3272 wrote to memory of 3844	3272	cmd.exe	c2705b8b9562a559b785e347ead070c4.exe
PID 3844 wrote to memory of 780	3844	c2705b8b9562a559b785e347ead070c4.exe	OfficeClickToRun.exe
PID 3844 wrote to memory of 780	3844	c2705b8b9562a559b785e347ead070c4.exe	OfficeClickToRun.exe
PID 780 wrote to memory of 824	780	OfficeClickToRun.exe	WScript.exe
PID 780 wrote to memory of 824	780	OfficeClickToRun.exe	WScript.exe
PID 780 wrote to memory of 3204	780	OfficeClickToRun.exe	WScript.exe
PID 780 wrote to memory of 3204	780	OfficeClickToRun.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\c2705b8b9562a559b785e347ead070c4.exe
"C:\Users\Admin\AppData\Local\Temp\c2705b8b9562a559b785e347ead070c4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mVhHsYW9nd.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\c2705b8b9562a559b785e347ead070c4.exe
"C:\Users\Admin\AppData\Local\Temp\c2705b8b9562a559b785e347ead070c4.exe"
3⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\Performance\OfficeClickToRun.exe
"C:\Windows\Performance\OfficeClickToRun.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62149172-9eb1-4a51-ab16-c97aa326e089.vbs"
5⤵
PID:824

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c1c408c-d976-4d56-8555-eaa60b9fab6f.vbs"
5⤵
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c2705b8b9562a559b785e347ead070c4c" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\c2705b8b9562a559b785e347ead070c4.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c2705b8b9562a559b785e347ead070c4" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\c2705b8b9562a559b785e347ead070c4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c2705b8b9562a559b785e347ead070c4c" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\c2705b8b9562a559b785e347ead070c4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Performance\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\de-DE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\c2705b8b9562a559b785e347ead070c4.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c1c408c-d976-4d56-8555-eaa60b9fab6f.vbs

Filesize
495B

MD5
e1f12fcaefd1f207a1dc657feeef458a

SHA1
f29535c6288af8b939783786b1902a1b8f86f106

SHA256
aaf361890c885f5bc6756ba14cada49760d05909a2a53ce613e93d26c2e4de8f

SHA512
5f196c940d2669f532d36593826298b69d3842ec297c4ea2954195a25aa5ff05d1d2b5476b1c693d8f3d932af4cde5532f02c70a39865e295c73204586468abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\62149172-9eb1-4a51-ab16-c97aa326e089.vbs

Filesize
718B

MD5
2ca7fe0d00c8de573b90eb841690499d

SHA1
49016560b92a30025c0077f5ad86c7d2896d6235

SHA256
59b14f18e8da705bcc13f3a670eb9b4a418cb7cca7dbbb6a7d624ca46ee5603b

SHA512
349b90c95d34a7cd1842dda2c6c4af7c160a43efc3bf0a98e2e3da0b60797f7a80ad34808d6cb672967a82fefa0e607f6f62d286f3191deb4df39b4c7468e758

Download Submit
C:\Users\Admin\AppData\Local\Temp\mVhHsYW9nd.bat

Filesize
235B

MD5
e8d80942ca230a6d88508a6e2840374c

SHA1
dca0d3cf322560dc87d0d78aab76fa8f380650fb

SHA256
8a7827f8e55605353a160af9ef00d0bb919d13b11238fe8e858415e2b92ab72b

SHA512
af06066649b4b3b2ad614d7c76d8df277d2c2a2d1d8c2e0fd0d18182f3dcae22ce1a08184fe3b4012e0be7bc71554f70573624c1bfbf69c27abd2ebd312dc40c

Download Submit
C:\Windows\Performance\OfficeClickToRun.exe

Filesize
1.5MB

MD5
c2705b8b9562a559b785e347ead070c4

SHA1
74e5efad74eeb3e80c689c2f2fa4c8e19d55b94a

SHA256
87ade58bfd0c4657778eccf90ffb4409c61012dcd2134c708bebe60a872599b5

SHA512
28764caefea9a2e23e5793c9118f5f7926d9e1d507f237f004a16fb81dfbfddd4c33c11843ef6eb9fa655d85443b032b878a88cc7cb9c379292e8813012bb83e

Download Submit
C:\Windows\Performance\OfficeClickToRun.exe

Filesize
1.5MB

MD5
c2705b8b9562a559b785e347ead070c4

SHA1
74e5efad74eeb3e80c689c2f2fa4c8e19d55b94a

SHA256
87ade58bfd0c4657778eccf90ffb4409c61012dcd2134c708bebe60a872599b5

SHA512
28764caefea9a2e23e5793c9118f5f7926d9e1d507f237f004a16fb81dfbfddd4c33c11843ef6eb9fa655d85443b032b878a88cc7cb9c379292e8813012bb83e

Download Submit
memory/780-147-0x00007FF8B3CB0000-0x00007FF8B4771000-memory.dmp

Filesize
10.8MB

Download
memory/780-152-0x00007FF8B3CB0000-0x00007FF8B4771000-memory.dmp

Filesize
10.8MB

Download
memory/780-143-0x0000000000000000-mapping.dmp

Download
memory/824-148-0x0000000000000000-mapping.dmp

Download
memory/2376-138-0x0000000000000000-mapping.dmp

Download
memory/3204-149-0x0000000000000000-mapping.dmp

Download
memory/3272-136-0x0000000000000000-mapping.dmp

Download
memory/3844-142-0x00007FF8B3CB0000-0x00007FF8B4771000-memory.dmp

Filesize
10.8MB

Download
memory/3844-146-0x00007FF8B3CB0000-0x00007FF8B4771000-memory.dmp

Filesize
10.8MB

Download
memory/3844-140-0x0000000000000000-mapping.dmp

Download
memory/4224-132-0x0000000000890000-0x0000000000A1C000-memory.dmp

Filesize
1.5MB

Download
memory/4224-135-0x000000001CF30000-0x000000001D458000-memory.dmp

Filesize
5.2MB

Download
memory/4224-139-0x00007FF8B3D60000-0x00007FF8B4821000-memory.dmp

Filesize
10.8MB

Download
memory/4224-134-0x00007FF8B3D60000-0x00007FF8B4821000-memory.dmp

Filesize
10.8MB

Download
memory/4224-133-0x000000001C7A0000-0x000000001C7F0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads