dcrat | abc85c0172af7fd9f02deb9c2d39a6416820f94ab98683b815566cee52afac16

General

Target

ca9e6c2fd24c050a88fa6435a2352665.exe
Size

2.6MB
MD5

ca9e6c2fd24c050a88fa6435a2352665
SHA1

d653a50565cba4820e118a8c80dcf15129623d4d
SHA256

abc85c0172af7fd9f02deb9c2d39a6416820f94ab98683b815566cee52afac16
SHA512

5ab9b9469371d50d6c86834a6553de9feeadb3f02e7369ed46c02f77cbf8832293639dd973ef921fc70b6be42dd49289e8bbccb83cb0364d3a7d670f3fdbe3a9
SSDEEP

49152:ObA3+EwmizGbCD5mKTnkPCCR9JLQ7v4p1P05BVKNiWV053rwEJMZa:ObOwmiUoX7kPCCR/Li4p1IVKNk53rwEL

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	1424	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\reviewintohostDllSvc\Chaindriverdll.exe	dcrat
C:\reviewintohostDllSvc\Chaindriverdll.exe	dcrat
\reviewintohostDllSvc\Chaindriverdll.exe	dcrat
C:\reviewintohostDllSvc\Chaindriverdll.exe	dcrat
behavioral1/memory/764-65-0x0000000000D60000-0x0000000000F98000-memory.dmp	dcrat
C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe	dcrat
C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe	dcrat
behavioral1/memory/1732-73-0x00000000003E0000-0x0000000000618000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

Chaindriverdll.exelsass.exe

pid process

764 Chaindriverdll.exe
1732 lsass.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1712 cmd.exe
1712 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1712	cmd.exe
1712	cmd.exe

Drops file in Program Files directory 4 IoCs

Processes:

Chaindriverdll.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Photo Viewer\cc11b995f2a76d	Chaindriverdll.exe
File created	C:\Program Files (x86)\Uninstall Information\System.exe	Chaindriverdll.exe
File created	C:\Program Files (x86)\Uninstall Information\27d1bcfc3c54e0	Chaindriverdll.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe	Chaindriverdll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1160	schtasks.exe
2020	schtasks.exe
784	schtasks.exe
1912	schtasks.exe
692	schtasks.exe
840	schtasks.exe
1260	schtasks.exe
596	schtasks.exe
1916	schtasks.exe
1636	schtasks.exe
1616	schtasks.exe
2036	schtasks.exe
1100	schtasks.exe
1964	schtasks.exe
1316	schtasks.exe
2040	schtasks.exe
836	schtasks.exe
616	schtasks.exe
1512	schtasks.exe
304	schtasks.exe
596	schtasks.exe
1668	schtasks.exe
1172	schtasks.exe
980	schtasks.exe
800	schtasks.exe
1084	schtasks.exe
992	schtasks.exe
472	schtasks.exe
1260	schtasks.exe
968	schtasks.exe
276	schtasks.exe
1012	schtasks.exe
1672	schtasks.exe
1356	schtasks.exe
1900	schtasks.exe
932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Chaindriverdll.exelsass.exe

pid	process
764	Chaindriverdll.exe
764	Chaindriverdll.exe
764	Chaindriverdll.exe
1732	lsass.exe
1732	lsass.exe
1732	lsass.exe
1732	lsass.exe
1732	lsass.exe
1732	lsass.exe
1732	lsass.exe
1732	lsass.exe
1732	lsass.exe
1732	lsass.exe
1732	lsass.exe
1732	lsass.exe
1732	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Chaindriverdll.exelsass.exe

description pid process

Token: SeDebugPrivilege 764 Chaindriverdll.exe
Token: SeDebugPrivilege 1732 lsass.exe

description	pid	process
Token: SeDebugPrivilege	764	Chaindriverdll.exe
Token: SeDebugPrivilege	1732	lsass.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ca9e6c2fd24c050a88fa6435a2352665.exeWScript.execmd.exeChaindriverdll.exe

description	pid	process	target process
PID 2028 wrote to memory of 1428	2028	ca9e6c2fd24c050a88fa6435a2352665.exe	WScript.exe
PID 2028 wrote to memory of 1428	2028	ca9e6c2fd24c050a88fa6435a2352665.exe	WScript.exe
PID 2028 wrote to memory of 1428	2028	ca9e6c2fd24c050a88fa6435a2352665.exe	WScript.exe
PID 2028 wrote to memory of 1428	2028	ca9e6c2fd24c050a88fa6435a2352665.exe	WScript.exe
PID 1428 wrote to memory of 1712	1428	WScript.exe	cmd.exe
PID 1428 wrote to memory of 1712	1428	WScript.exe	cmd.exe
PID 1428 wrote to memory of 1712	1428	WScript.exe	cmd.exe
PID 1428 wrote to memory of 1712	1428	WScript.exe	cmd.exe
PID 1712 wrote to memory of 764	1712	cmd.exe	Chaindriverdll.exe
PID 1712 wrote to memory of 764	1712	cmd.exe	Chaindriverdll.exe
PID 1712 wrote to memory of 764	1712	cmd.exe	Chaindriverdll.exe
PID 1712 wrote to memory of 764	1712	cmd.exe	Chaindriverdll.exe
PID 764 wrote to memory of 1732	764	Chaindriverdll.exe	lsass.exe
PID 764 wrote to memory of 1732	764	Chaindriverdll.exe	lsass.exe
PID 764 wrote to memory of 1732	764	Chaindriverdll.exe	lsass.exe

C:\Users\Admin\AppData\Local\Temp\ca9e6c2fd24c050a88fa6435a2352665.exe
"C:\Users\Admin\AppData\Local\Temp\ca9e6c2fd24c050a88fa6435a2352665.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\reviewintohostDllSvc\hK5FNabO14OlK1cjw5m.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\reviewintohostDllSvc\RgJcLnW865IX.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\reviewintohostDllSvc\Chaindriverdll.exe
"C:\reviewintohostDllSvc\Chaindriverdll.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764

C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe
"C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\reviewintohostDllSvc\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\reviewintohostDllSvc\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\reviewintohostDllSvc\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe
Filesize
2.2MB

MD5
d6d0f424bfa5d2e7c336ea5caad9b170

SHA1
23d70bf4aefa973046b22c343fe9e42b9d4155a1

SHA256
7084a265c7a383a2e2e27c5a0d542f2aec2ea9ba1ca4bd34667996d715d37b27

SHA512
aa0fbd910bc326b7099a415c358aac21601deee404f2604126bb41ace1d2879220eacde34f32d337d52bf3c6707931500a70c8c26dfa95b34bf00e4d55b6ea1a

Download Submit
C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsass.exe
Filesize
2.2MB

MD5
d6d0f424bfa5d2e7c336ea5caad9b170

SHA1
23d70bf4aefa973046b22c343fe9e42b9d4155a1

SHA256
7084a265c7a383a2e2e27c5a0d542f2aec2ea9ba1ca4bd34667996d715d37b27

SHA512
aa0fbd910bc326b7099a415c358aac21601deee404f2604126bb41ace1d2879220eacde34f32d337d52bf3c6707931500a70c8c26dfa95b34bf00e4d55b6ea1a

Download Submit
C:\reviewintohostDllSvc\Chaindriverdll.exe
Filesize
2.2MB

MD5
d6d0f424bfa5d2e7c336ea5caad9b170

SHA1
23d70bf4aefa973046b22c343fe9e42b9d4155a1

SHA256
7084a265c7a383a2e2e27c5a0d542f2aec2ea9ba1ca4bd34667996d715d37b27

SHA512
aa0fbd910bc326b7099a415c358aac21601deee404f2604126bb41ace1d2879220eacde34f32d337d52bf3c6707931500a70c8c26dfa95b34bf00e4d55b6ea1a

Download Submit
C:\reviewintohostDllSvc\Chaindriverdll.exe
Filesize
2.2MB

MD5
d6d0f424bfa5d2e7c336ea5caad9b170

SHA1
23d70bf4aefa973046b22c343fe9e42b9d4155a1

SHA256
7084a265c7a383a2e2e27c5a0d542f2aec2ea9ba1ca4bd34667996d715d37b27

SHA512
aa0fbd910bc326b7099a415c358aac21601deee404f2604126bb41ace1d2879220eacde34f32d337d52bf3c6707931500a70c8c26dfa95b34bf00e4d55b6ea1a

Download Submit
C:\reviewintohostDllSvc\RgJcLnW865IX.bat
Filesize
44B

MD5
93d7ee0683bafe1efc043cfd7bf8ca8f

SHA1
8e38233ffc87bea1d0b479dcee37defc788a1141

SHA256
1eb4ad6004d70625a5b8ddc143093b93ce7a59abb8fac01b315e4815d1dcfd1d

SHA512
046d3b8601772431c7aa060186e3f9bb358a479d35af4557e3b2820aab01c8429a3df032141f2feb4cd9fa87e74e8513a168fe45d0085474fcc0a93c1cd3ab71

Download Submit
C:\reviewintohostDllSvc\hK5FNabO14OlK1cjw5m.vbe
Filesize
209B

MD5
1154819bdb0f3db2baea3f24c737fb1e

SHA1
ee6440e6dde7bf316764066769308ce27d6b12b4

SHA256
83cb8703cd9dadf0d1147f1fc0b7791935c41e037c4eb30cb672901ccb0e6769

SHA512
402cbb74d62523179f20a12b4fcb2706c119f8054e6ff870bd83e73ce3aacca490001b0a2b2da59affe4fa09491ff72bc27c6e4d95fad43cc12721a26c913ca4

Download Submit
\reviewintohostDllSvc\Chaindriverdll.exe
Filesize
2.2MB

MD5
d6d0f424bfa5d2e7c336ea5caad9b170

SHA1
23d70bf4aefa973046b22c343fe9e42b9d4155a1

SHA256
7084a265c7a383a2e2e27c5a0d542f2aec2ea9ba1ca4bd34667996d715d37b27

SHA512
aa0fbd910bc326b7099a415c358aac21601deee404f2604126bb41ace1d2879220eacde34f32d337d52bf3c6707931500a70c8c26dfa95b34bf00e4d55b6ea1a

Download Submit
\reviewintohostDllSvc\Chaindriverdll.exe
Filesize
2.2MB

MD5
d6d0f424bfa5d2e7c336ea5caad9b170

SHA1
23d70bf4aefa973046b22c343fe9e42b9d4155a1

SHA256
7084a265c7a383a2e2e27c5a0d542f2aec2ea9ba1ca4bd34667996d715d37b27

SHA512
aa0fbd910bc326b7099a415c358aac21601deee404f2604126bb41ace1d2879220eacde34f32d337d52bf3c6707931500a70c8c26dfa95b34bf00e4d55b6ea1a

Download Submit
memory/764-67-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/764-63-0x0000000000000000-mapping.dmp

Download
memory/764-65-0x0000000000D60000-0x0000000000F98000-memory.dmp

Filesize
2.2MB

Download
memory/764-66-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/764-68-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/764-69-0x0000000000490000-0x00000000004E6000-memory.dmp

Filesize
344KB

Download
memory/1428-55-0x0000000000000000-mapping.dmp

Download
memory/1712-59-0x0000000000000000-mapping.dmp

Download
memory/1732-70-0x0000000000000000-mapping.dmp

Download
memory/1732-73-0x00000000003E0000-0x0000000000618000-memory.dmp

Filesize
2.2MB

Download
memory/2028-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads