dcrat | 576437a881af98afed6680cd7fe0ae52adb87a528ece6d367eaf436765fe1d9e

General

Target

pTdbWeYTRtzW2gi.exe
Size

1.1MB
MD5

8496c268e5795f8734c886bf68ee141c
SHA1

dc642bd6fc6fad71ab5ac10cc35a040ad993db5c
SHA256

576437a881af98afed6680cd7fe0ae52adb87a528ece6d367eaf436765fe1d9e
SHA512

f7b7681352174ec9096fdf0dca8bbfaabac219cbea6f134fcd139cc77b52f861cc2034f8dda8c7d945c57ed6777fc193805ada1b95f8f2408cfd023c77a2d026
SSDEEP

12288:t6NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:t6NReJXJIwvJgVQSoPEzKkLXa

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

pTdbWeYTRtzW2gi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\RuntimeBroker.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\RuntimeBroker.exe\", \"C:\\Windows\\LiveKernelReports\\fontdrvhost.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\RuntimeBroker.exe\", \"C:\\Windows\\LiveKernelReports\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\RuntimeBroker.exe\", \"C:\\Windows\\LiveKernelReports\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\RuntimeBroker.exe\", \"C:\\Windows\\LiveKernelReports\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Google\\Policies\\smss.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\RuntimeBroker.exe\", \"C:\\Windows\\LiveKernelReports\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Google\\Policies\\smss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\OfficeClickToRun.exe\""	pTdbWeYTRtzW2gi.exe

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	1448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	1448	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4328-132-0x00000000000B0000-0x00000000001DC000-memory.dmp	dcrat
C:\Program Files (x86)\Google\Policies\smss.exe	dcrat
C:\Program Files (x86)\Google\Policies\smss.exe	dcrat
behavioral2/memory/1392-139-0x0000000000460000-0x000000000058C000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

1392 smss.exe

pid	process
1392	smss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pTdbWeYTRtzW2gi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	pTdbWeYTRtzW2gi.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pTdbWeYTRtzW2gi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\OfficeClickToRun.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\OfficeClickToRun.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\RuntimeBroker.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\LiveKernelReports\\fontdrvhost.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Google\\Policies\\smss.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\LiveKernelReports\\fontdrvhost.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Google\\Policies\\smss.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Templates\\RuntimeBroker.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\RuntimeBroker.exe\""	pTdbWeYTRtzW2gi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	pTdbWeYTRtzW2gi.exe

Drops file in Program Files directory 12 IoCs

Processes:

pTdbWeYTRtzW2gi.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	pTdbWeYTRtzW2gi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\e6c9b481da804f	pTdbWeYTRtzW2gi.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\RCX9006.tmp	pTdbWeYTRtzW2gi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\OfficeClickToRun.exe	pTdbWeYTRtzW2gi.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	pTdbWeYTRtzW2gi.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\smss.exe	pTdbWeYTRtzW2gi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX9288.tmp	pTdbWeYTRtzW2gi.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\9e8d7a4ca61bd9	pTdbWeYTRtzW2gi.exe
File created	C:\Program Files (x86)\Google\Policies\smss.exe	pTdbWeYTRtzW2gi.exe
File created	C:\Program Files (x86)\Google\Policies\69ddcba757bf72	pTdbWeYTRtzW2gi.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\OfficeClickToRun.exe	pTdbWeYTRtzW2gi.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX85FF.tmp	pTdbWeYTRtzW2gi.exe

Drops file in Windows directory 4 IoCs

Processes:

pTdbWeYTRtzW2gi.exe

description	ioc	process
File created	C:\Windows\LiveKernelReports\fontdrvhost.exe	pTdbWeYTRtzW2gi.exe
File created	C:\Windows\LiveKernelReports\5b884080fd4f94	pTdbWeYTRtzW2gi.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX8881.tmp	pTdbWeYTRtzW2gi.exe
File opened for modification	C:\Windows\LiveKernelReports\fontdrvhost.exe	pTdbWeYTRtzW2gi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3976	schtasks.exe
1664	schtasks.exe
3388	schtasks.exe
2712	schtasks.exe
3096	schtasks.exe
2400	schtasks.exe
2540	schtasks.exe
4588	schtasks.exe
1288	schtasks.exe
2804	schtasks.exe
4628	schtasks.exe
2500	schtasks.exe
3496	schtasks.exe
1836	schtasks.exe
3068	schtasks.exe
4656	schtasks.exe
3440	schtasks.exe
4540	schtasks.exe
2808	schtasks.exe
4620	schtasks.exe
1004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

pTdbWeYTRtzW2gi.exesmss.exe

pid process

4328 pTdbWeYTRtzW2gi.exe
4328 pTdbWeYTRtzW2gi.exe
4328 pTdbWeYTRtzW2gi.exe
1392 smss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pTdbWeYTRtzW2gi.exesmss.exe

description pid process

Token: SeDebugPrivilege 4328 pTdbWeYTRtzW2gi.exe
Token: SeDebugPrivilege 1392 smss.exe

pid	process
4328	pTdbWeYTRtzW2gi.exe
4328	pTdbWeYTRtzW2gi.exe
4328	pTdbWeYTRtzW2gi.exe
1392	smss.exe

description	pid	process
Token: SeDebugPrivilege	4328	pTdbWeYTRtzW2gi.exe
Token: SeDebugPrivilege	1392	smss.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

pTdbWeYTRtzW2gi.exe

description	pid	process	target process
PID 4328 wrote to memory of 1392	4328	pTdbWeYTRtzW2gi.exe	smss.exe
PID 4328 wrote to memory of 1392	4328	pTdbWeYTRtzW2gi.exe	smss.exe

C:\Users\Admin\AppData\Local\Temp\pTdbWeYTRtzW2gi.exe
"C:\Users\Admin\AppData\Local\Temp\pTdbWeYTRtzW2gi.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328

C:\Program Files (x86)\Google\Policies\smss.exe
"C:\Program Files (x86)\Google\Policies\smss.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Policies\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Policies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Policies\smss.exe
Filesize
1.1MB

MD5
661d31ee1fd0ae280009dbe9eea74e48

SHA1
0ba69113cf0b42774eb84cc9bfe6d793fc0290db

SHA256
d8a75ab442421c30d5c08c9426792fd935453345b93ab4bc9752cc261f970529

SHA512
e90ea07216dfd45e8c0d52978e7de03d5388b1ed5f36d07a6c40e7f6add59686e185725b990eb427f89caa05e9b7eb70ce4a1a202d0f0e376f532fa79d96a151

Download Submit
C:\Program Files (x86)\Google\Policies\smss.exe
Filesize
1.1MB

MD5
661d31ee1fd0ae280009dbe9eea74e48

SHA1
0ba69113cf0b42774eb84cc9bfe6d793fc0290db

SHA256
d8a75ab442421c30d5c08c9426792fd935453345b93ab4bc9752cc261f970529

SHA512
e90ea07216dfd45e8c0d52978e7de03d5388b1ed5f36d07a6c40e7f6add59686e185725b990eb427f89caa05e9b7eb70ce4a1a202d0f0e376f532fa79d96a151

Download Submit
memory/1392-136-0x0000000000000000-mapping.dmp

Download
memory/1392-139-0x0000000000460000-0x000000000058C000-memory.dmp

Filesize
1.2MB

Download
memory/1392-141-0x00007FFF1D770000-0x00007FFF1E231000-memory.dmp

Filesize
10.8MB

Download
memory/1392-142-0x00007FFF1D770000-0x00007FFF1E231000-memory.dmp

Filesize
10.8MB

Download
memory/1392-143-0x00007FFF1D770000-0x00007FFF1E231000-memory.dmp

Filesize
10.8MB

Download
memory/4328-132-0x00000000000B0000-0x00000000001DC000-memory.dmp

Filesize
1.2MB

Download
memory/4328-133-0x00007FFF1D770000-0x00007FFF1E231000-memory.dmp

Filesize
10.8MB

Download
memory/4328-134-0x00000000023E0000-0x0000000002430000-memory.dmp

Filesize
320KB

Download
memory/4328-135-0x000000001D2E0000-0x000000001D808000-memory.dmp

Filesize
5.2MB

Download
memory/4328-140-0x00007FFF1D770000-0x00007FFF1E231000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads