dcrat | 951200b548a2b83861ca55e027d5b1dae7def312228afbb401d21b5bc2edd7d4

General

Target

af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
Size

1.3MB
MD5

33dbb523c14738bf48d314111c00906c
SHA1

83da7977d5b08038fac809b0f7c9a57c008f285e
SHA256

af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e
SHA512

e1eadb73b5091d62afb166d81a244173073bca7f0c09fcfd22138f26705100dda11639eb662e16d2624bcc627805b46de540fa43e527835cec9a8515adc809e2
SSDEEP

24576:Qc1ovc94+x/XIzyRGezpFezu4GTVSbvaBTJpbvol3:FG3+xz9lFezFGT8bEda

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	5100	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	5100	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2144-133-0x0000000000150000-0x00000000002A2000-memory.dmp	dcrat
C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\taskhostw.exe	dcrat
C:\odt\dllhost.exe	dcrat
C:\odt\dllhost.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe

Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

1640 dllhost.exe

pid	process
1640	dllhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Defender\es-ES\upfc.exe	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\ea1d8f6d871115	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\SppExtComObj.exe	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\e1ef82546f0b02	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe

Drops file in Windows directory 4 IoCs

Processes:

af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe

description	ioc	process
File created	C:\Windows\LiveKernelReports\backgroundTaskHost.exe	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
File created	C:\Windows\LiveKernelReports\eddb19405b7ce1	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
File created	C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\taskhostw.exe	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
File created	C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\ea9f0e6c9e2dcd	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3928	schtasks.exe
4868	schtasks.exe
4624	schtasks.exe
1888	schtasks.exe
552	schtasks.exe
2232	schtasks.exe
1760	schtasks.exe
2188	schtasks.exe
1732	schtasks.exe
4364	schtasks.exe
4844	schtasks.exe
320	schtasks.exe
2964	schtasks.exe
3908	schtasks.exe
3556	schtasks.exe
1828	schtasks.exe
208	schtasks.exe
2136	schtasks.exe
1072	schtasks.exe
2196	schtasks.exe
2080	schtasks.exe
1456	schtasks.exe
1040	schtasks.exe
3904	schtasks.exe
432	schtasks.exe
2640	schtasks.exe
2968	schtasks.exe
5036	schtasks.exe
2960	schtasks.exe
3400	schtasks.exe

Modifies registry class 1 IoCs

Processes:

af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exedllhost.exe

pid	process
2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
1640	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
Token: SeDebugPrivilege	1640	dllhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.execmd.exe

description	pid	process	target process
PID 2144 wrote to memory of 3084	2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe	cmd.exe
PID 2144 wrote to memory of 3084	2144	af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe	cmd.exe
PID 3084 wrote to memory of 1068	3084	cmd.exe	w32tm.exe
PID 3084 wrote to memory of 1068	3084	cmd.exe	w32tm.exe
PID 3084 wrote to memory of 1640	3084	cmd.exe	dllhost.exe
PID 3084 wrote to memory of 1640	3084	cmd.exe	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe
"C:\Users\Admin\AppData\Local\Temp\af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q1xMv6jDgI.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1068

C:\odt\dllhost.exe
"C:\odt\dllhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\features\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\browser\features\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Q1xMv6jDgI.bat

Filesize
183B

MD5
5ddec5d538d4772b68148b67814392d4

SHA1
66b427e546a9dd6eee4c35b280171bc75d36e6e3

SHA256
87cedfa7e828f4cee5e2264b8bf705affbcd958118ff31cad63a604412153a21

SHA512
c48b6e289abf2daab171e54c5faddb3877280a241bd99079d64e446cfd8ec7465ead85a0215593b11d3cbacd7d2d1bfbbaa2af47f38d552cd52df607f87259b0

Download Submit
C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\taskhostw.exe

Filesize
1.3MB

MD5
33dbb523c14738bf48d314111c00906c

SHA1
83da7977d5b08038fac809b0f7c9a57c008f285e

SHA256
af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e

SHA512
e1eadb73b5091d62afb166d81a244173073bca7f0c09fcfd22138f26705100dda11639eb662e16d2624bcc627805b46de540fa43e527835cec9a8515adc809e2

Download Submit
C:\odt\dllhost.exe

Filesize
1.3MB

MD5
33dbb523c14738bf48d314111c00906c

SHA1
83da7977d5b08038fac809b0f7c9a57c008f285e

SHA256
af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e

SHA512
e1eadb73b5091d62afb166d81a244173073bca7f0c09fcfd22138f26705100dda11639eb662e16d2624bcc627805b46de540fa43e527835cec9a8515adc809e2

Download Submit
C:\odt\dllhost.exe

Filesize
1.3MB

MD5
33dbb523c14738bf48d314111c00906c

SHA1
83da7977d5b08038fac809b0f7c9a57c008f285e

SHA256
af625576485e2091fbfa4568c3a3c546bd2a8f470cb69afa09f6bcf0ebac1d1e

SHA512
e1eadb73b5091d62afb166d81a244173073bca7f0c09fcfd22138f26705100dda11639eb662e16d2624bcc627805b46de540fa43e527835cec9a8515adc809e2

Download Submit
memory/1640-165-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/2144-133-0x0000000000150000-0x00000000002A2000-memory.dmp

Filesize
1.3MB

Download
memory/2144-134-0x000000001AEC0000-0x000000001AED0000-memory.dmp

Filesize
64KB

Download
memory/2144-135-0x000000001AED0000-0x000000001AF20000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads