dcrat | 4521deeecaaf651beb1282125e70cfe8deca459bd452781f55260988895b701a

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Size

1.3MB
MD5

794ffd3f15df798c9e24967d5601fcbc
SHA1

f601c2975a798b045aee9e68719b36ae8da01dae
SHA256

4521deeecaaf651beb1282125e70cfe8deca459bd452781f55260988895b701a
SHA512

b21990469cfe4313498a89debed5b3087b89acd860aff120b785048fe71cd4a5bcd56acc10314075eadf03645d608e23c11e8738901b8f805d4585e92d270392
SSDEEP

24576:/PLoxXw1dpqthRHHyJVnZBAQcNDAjAQbCjO6F4//PeSh+4:D1LqtaPZ5G2C6E4H0

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 20 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
4284	schtasks.exe
File created	C:\Windows\System32\duser\RuntimeBroker.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
2504	schtasks.exe
3772	schtasks.exe
2004	schtasks.exe
2412	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\C_1026\\backgroundTaskHost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
3148	schtasks.exe
2244	schtasks.exe
2452	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\BluetoothApis\\dllhost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\duser\\RuntimeBroker.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\mfaudiocnv\\RuntimeBroker.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
3360	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\RuntimeBroker.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
3760	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\HNetCfgClient\\fontdrvhost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
1788	schtasks.exe
3452	schtasks.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	4848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	4848	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/5032-132-0x0000000000230000-0x000000000038C000-memory.dmp	dcrat
C:\Windows\System32\DefaultHrtfs\RuntimeBroker.exe	dcrat
C:\Windows\System32\DefaultHrtfs\RuntimeBroker.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

RuntimeBroker.exe

pid process

4072 RuntimeBroker.exe

pid	process
4072	RuntimeBroker.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exeHEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exeHEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\mfaudiocnv\\RuntimeBroker.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files\\VideoLAN\\VLC\\plugins\\spu\\WaaSMedicAgent.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default\\PrintHood\\spoolsv.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartUI\\StartMenuExperienceHost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\C_1026\\backgroundTaskHost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\BluetoothApis\\dllhost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\StorSvc\\RuntimeBroker.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\DefaultHrtfs\\RuntimeBroker.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wctEB0B\\HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\duser\\RuntimeBroker.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\HNetCfgClient\\fontdrvhost.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\RuntimeBroker.exe\""	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe

Drops file in System32 directory 16 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exeHEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe

description	ioc	process
File created	C:\Windows\System32\StorSvc\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Windows\System32\DefaultHrtfs\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Windows\System32\duser\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Windows\System32\C_1026\backgroundTaskHost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Windows\System32\HNetCfgClient\fontdrvhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Windows\System32\StorSvc\RuntimeBroker.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File opened for modification	C:\Windows\System32\duser\RuntimeBroker.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Windows\System32\BluetoothApis\dllhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Windows\System32\HNetCfgClient\5b884080fd4f94e2695da25c503f9e33b9605b83	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Windows\System32\duser\RuntimeBroker.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Windows\System32\BluetoothApis\5940a34987c99120d96dace90a3f93f329dcad63	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Windows\System32\DefaultHrtfs\RuntimeBroker.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Windows\System32\C_1026\eddb19405b7ce1152b3e19997f2b467f0b72b3d3	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Windows\System32\mfaudiocnv\RuntimeBroker.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Windows\System32\mfaudiocnv\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File opened for modification	C:\Windows\System32\StorSvc\RuntimeBroker.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe

Drops file in Program Files directory 4 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exeHEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\WaaSMedicAgent.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\c82b8037eab33d1fe33ed5c436875fcafdbefbee	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe

Drops file in Windows directory 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe

description	ioc	process
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\55b276f4edf653fe07efe8f1ecc32d3d195abd16	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3760	schtasks.exe
2244	schtasks.exe
1788	schtasks.exe
2504	schtasks.exe
3772	schtasks.exe
3360	schtasks.exe
4284	schtasks.exe
2004	schtasks.exe
2412	schtasks.exe
3452	schtasks.exe
3148	schtasks.exe
2452	schtasks.exe

Modifies registry class 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exeHEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exeHEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exeRuntimeBroker.exe

pid	process
5032	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
5032	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
5032	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
4532	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
4072	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exeHEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	5032	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Token: SeDebugPrivilege	4532	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
Token: SeDebugPrivilege	4072	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.execmd.exeHEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.execmd.exe

description	pid	process	target process
PID 5032 wrote to memory of 224	5032	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe	cmd.exe
PID 5032 wrote to memory of 224	5032	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe	cmd.exe
PID 224 wrote to memory of 2228	224	cmd.exe	chcp.com
PID 224 wrote to memory of 2228	224	cmd.exe	chcp.com
PID 224 wrote to memory of 3704	224	cmd.exe	w32tm.exe
PID 224 wrote to memory of 3704	224	cmd.exe	w32tm.exe
PID 224 wrote to memory of 4532	224	cmd.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
PID 224 wrote to memory of 4532	224	cmd.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
PID 4532 wrote to memory of 4608	4532	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe	cmd.exe
PID 4532 wrote to memory of 4608	4532	HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe	cmd.exe
PID 4608 wrote to memory of 3460	4608	cmd.exe	chcp.com
PID 4608 wrote to memory of 3460	4608	cmd.exe	chcp.com
PID 4608 wrote to memory of 4836	4608	cmd.exe	w32tm.exe
PID 4608 wrote to memory of 4836	4608	cmd.exe	w32tm.exe
PID 4608 wrote to memory of 4072	4608	cmd.exe	RuntimeBroker.exe
PID 4608 wrote to memory of 4072	4608	cmd.exe	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe"
1⤵
- DcRat
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ucsiuxiTg0.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2228

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:3704

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe"
3⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6sjEZPZBb.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:3460

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:4836

C:\Windows\System32\DefaultHrtfs\RuntimeBroker.exe
"C:\Windows\System32\DefaultHrtfs\RuntimeBroker.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\duser\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\C_1026\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\BluetoothApis\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\HNetCfgClient\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\mfaudiocnv\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\StorSvc\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\spu\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\DefaultHrtfs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\wctEB0B\HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HEUR-Trojan-Spy.MSIL.Stealer.gen-4521deeecaaf.exe.log

Filesize
1KB

MD5
b7c0c43fc7804baaa7dc87152cdc9554

SHA1
1bab62bd56af745678d4e967d91e1ccfdeed4038

SHA256
46386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457

SHA512
9fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769

Download Submit
C:\Users\Admin\AppData\Local\Temp\t6sjEZPZBb.bat

Filesize
266B

MD5
48b10b3e167658ce7ff59f280da98702

SHA1
b6ea62748e44f9cd08d31f913c78167e692220d7

SHA256
b9073ee4f7b3fabddde11b98d7200d6b57374839b3abcc4494c26ed8a85c0942

SHA512
3437eaa7d5c12dae09bb1493724811aec46c291bd001e08dacc973f6379a31bc7aa4652305778f154509856c83d888088bad481494f673639b1976cc2e1cc65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucsiuxiTg0.bat

Filesize
299B

MD5
bba88d9ee594a959bca050086b0b28a0

SHA1
6014c69c6d1f85079dee6740447bd95c7387eb4a

SHA256
44c441d597a311e170b26e728a8fe45c0005c5a09f66cb25e180dfcd765e3ef9

SHA512
f962fc8d5de651949e1065492ebf7c7b9e3108021415683e6c776f8f6e0d674aea7ffd8733801e14f85dda5f36aaef14c7c05d60c7679211ec034dcb991f7b55

Download Submit
C:\Windows\System32\DefaultHrtfs\RuntimeBroker.exe

Filesize
1.3MB

MD5
794ffd3f15df798c9e24967d5601fcbc

SHA1
f601c2975a798b045aee9e68719b36ae8da01dae

SHA256
4521deeecaaf651beb1282125e70cfe8deca459bd452781f55260988895b701a

SHA512
b21990469cfe4313498a89debed5b3087b89acd860aff120b785048fe71cd4a5bcd56acc10314075eadf03645d608e23c11e8738901b8f805d4585e92d270392

Download Submit
C:\Windows\System32\DefaultHrtfs\RuntimeBroker.exe

Filesize
1.3MB

MD5
794ffd3f15df798c9e24967d5601fcbc

SHA1
f601c2975a798b045aee9e68719b36ae8da01dae

SHA256
4521deeecaaf651beb1282125e70cfe8deca459bd452781f55260988895b701a

SHA512
b21990469cfe4313498a89debed5b3087b89acd860aff120b785048fe71cd4a5bcd56acc10314075eadf03645d608e23c11e8738901b8f805d4585e92d270392

Download Submit
memory/224-134-0x0000000000000000-mapping.dmp

Download
memory/2228-136-0x0000000000000000-mapping.dmp

Download
memory/3460-145-0x0000000000000000-mapping.dmp

Download
memory/3704-138-0x0000000000000000-mapping.dmp

Download
memory/4072-150-0x00007FFBFE930000-0x00007FFBFF3F1000-memory.dmp

Filesize
10.8MB

Download
memory/4072-151-0x00007FFBFE930000-0x00007FFBFF3F1000-memory.dmp

Filesize
10.8MB

Download
memory/4072-147-0x0000000000000000-mapping.dmp

Download
memory/4532-141-0x00007FFBFEC40000-0x00007FFBFF701000-memory.dmp

Filesize
10.8MB

Download
memory/4532-139-0x0000000000000000-mapping.dmp

Download
memory/4532-144-0x00007FFBFEC40000-0x00007FFBFF701000-memory.dmp

Filesize
10.8MB

Download
memory/4608-142-0x0000000000000000-mapping.dmp

Download
memory/4836-146-0x0000000000000000-mapping.dmp

Download
memory/5032-132-0x0000000000230000-0x000000000038C000-memory.dmp

Filesize
1.4MB

Download
memory/5032-137-0x00007FFBFEF90000-0x00007FFBFFA51000-memory.dmp

Filesize
10.8MB

Download
memory/5032-133-0x00007FFBFEF90000-0x00007FFBFFA51000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads