dcrat | 747181eb459e73296a0a81eab34145111c29a6c2a3b5aa790bd9a4ec8137fa45

General

Target

80e01a5247779b35eaf556f8c4d3627146e27be61d79a8e840be116a1de546f3.exe
Size

1.6MB
MD5

48b1cbb653ce28bed7653c6c574a2c37
SHA1

3482df3cacbe456fb1ee742d0c5eb85b39edea5c
SHA256

80e01a5247779b35eaf556f8c4d3627146e27be61d79a8e840be116a1de546f3
SHA512

32a4cb5a1645340e23302a9beef5be5596275683d54bc149ef3f6cd15dc94f6b34244e40c647cb822458792211f4dd3022529da891ee3f14ec94a5ae159a10ca
SSDEEP

24576:U2G/nvxW3Ww0tGzIvDUJbsjkoe1u0TXn8aNh6nOOnc3nxbmS8ir:UbA30G+DmwjkZuelCn3nch6S8O

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	1432	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Comagentintoruntimenet\chainblock.exe	dcrat
C:\Comagentintoruntimenet\chainblock.exe	dcrat
behavioral2/memory/4872-145-0x0000000000600000-0x0000000000748000-memory.dmp	dcrat
C:\Program Files\Uninstall Information\backgroundTaskHost.exe	dcrat
C:\Comagentintoruntimenet\winlogon.exe	dcrat
C:\Comagentintoruntimenet\winlogon.exe	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chainblock.exe80e01a5247779b35eaf556f8c4d3627146e27be61d79a8e840be116a1de546f3.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	chainblock.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	80e01a5247779b35eaf556f8c4d3627146e27be61d79a8e840be116a1de546f3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

chainblock.exewinlogon.exe

pid process

4872 chainblock.exe
3224 winlogon.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 6 IoCs

Processes:

chainblock.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\eddb19405b7ce1	chainblock.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe	chainblock.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\55b276f4edf653	chainblock.exe
File created	C:\Program Files (x86)\Windows Sidebar\dwm.exe	chainblock.exe
File created	C:\Program Files (x86)\Windows Sidebar\6cb0b6c459d5d3	chainblock.exe
File created	C:\Program Files\Uninstall Information\backgroundTaskHost.exe	chainblock.exe

Drops file in Windows directory 2 IoCs

Processes:

chainblock.exe

description ioc process

File created C:\Windows\bcastdvr\csrss.exe chainblock.exe
File created C:\Windows\bcastdvr\886983d96e3d3e chainblock.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\bcastdvr\csrss.exe	chainblock.exe
File created	C:\Windows\bcastdvr\886983d96e3d3e	chainblock.exe

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3792	schtasks.exe
2268	schtasks.exe
2852	schtasks.exe
5068	schtasks.exe
4092	schtasks.exe
3800	schtasks.exe
2124	schtasks.exe
4304	schtasks.exe
2484	schtasks.exe
4348	schtasks.exe
836	schtasks.exe
4596	schtasks.exe
4552	schtasks.exe
4344	schtasks.exe
4632	schtasks.exe
792	schtasks.exe
2068	schtasks.exe
4260	schtasks.exe
2308	schtasks.exe
4704	schtasks.exe
644	schtasks.exe
1104	schtasks.exe
3724	schtasks.exe
1900	schtasks.exe
1384	schtasks.exe
1012	schtasks.exe
3164	schtasks.exe
692	schtasks.exe
1088	schtasks.exe
116	schtasks.exe
3208	schtasks.exe
5052	schtasks.exe
552	schtasks.exe

Modifies registry class 2 IoCs

Processes:

80e01a5247779b35eaf556f8c4d3627146e27be61d79a8e840be116a1de546f3.exechainblock.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	80e01a5247779b35eaf556f8c4d3627146e27be61d79a8e840be116a1de546f3.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	chainblock.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

chainblock.exewinlogon.exe

pid	process
4872	chainblock.exe
4872	chainblock.exe
4872	chainblock.exe
4872	chainblock.exe
4872	chainblock.exe
4872	chainblock.exe
4872	chainblock.exe
4872	chainblock.exe
4872	chainblock.exe
4872	chainblock.exe
4872	chainblock.exe
3224	winlogon.exe
3224	winlogon.exe
3224	winlogon.exe
3224	winlogon.exe
3224	winlogon.exe
3224	winlogon.exe
3224	winlogon.exe
3224	winlogon.exe
3224	winlogon.exe
3224	winlogon.exe
3224	winlogon.exe
3224	winlogon.exe
3224	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winlogon.exe

pid process

3224 winlogon.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

chainblock.exewinlogon.exe

description pid process

Token: SeDebugPrivilege 4872 chainblock.exe
Token: SeDebugPrivilege 3224 winlogon.exe

pid	process
3224	winlogon.exe

description	pid	process
Token: SeDebugPrivilege	4872	chainblock.exe
Token: SeDebugPrivilege	3224	winlogon.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

80e01a5247779b35eaf556f8c4d3627146e27be61d79a8e840be116a1de546f3.exeWScript.execmd.exechainblock.execmd.exe

description	pid	process	target process
PID 3356 wrote to memory of 4492	3356	80e01a5247779b35eaf556f8c4d3627146e27be61d79a8e840be116a1de546f3.exe	WScript.exe
PID 3356 wrote to memory of 4492	3356	80e01a5247779b35eaf556f8c4d3627146e27be61d79a8e840be116a1de546f3.exe	WScript.exe
PID 3356 wrote to memory of 4492	3356	80e01a5247779b35eaf556f8c4d3627146e27be61d79a8e840be116a1de546f3.exe	WScript.exe
PID 4492 wrote to memory of 1452	4492	WScript.exe	cmd.exe
PID 4492 wrote to memory of 1452	4492	WScript.exe	cmd.exe
PID 4492 wrote to memory of 1452	4492	WScript.exe	cmd.exe
PID 1452 wrote to memory of 4872	1452	cmd.exe	chainblock.exe
PID 1452 wrote to memory of 4872	1452	cmd.exe	chainblock.exe
PID 4872 wrote to memory of 4700	4872	chainblock.exe	cmd.exe
PID 4872 wrote to memory of 4700	4872	chainblock.exe	cmd.exe
PID 4700 wrote to memory of 4820	4700	cmd.exe	w32tm.exe
PID 4700 wrote to memory of 4820	4700	cmd.exe	w32tm.exe
PID 4700 wrote to memory of 3224	4700	cmd.exe	winlogon.exe
PID 4700 wrote to memory of 3224	4700	cmd.exe	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\80e01a5247779b35eaf556f8c4d3627146e27be61d79a8e840be116a1de546f3.exe
"C:\Users\Admin\AppData\Local\Temp\80e01a5247779b35eaf556f8c4d3627146e27be61d79a8e840be116a1de546f3.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Comagentintoruntimenet\TkCvPJ2UlFeT4Fu5ppqt.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Comagentintoruntimenet\qZx1zTq4J.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Comagentintoruntimenet\chainblock.exe
"C:\Comagentintoruntimenet\chainblock.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bYw7YmBmXg.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:4820

C:\Comagentintoruntimenet\winlogon.exe
"C:\Comagentintoruntimenet\winlogon.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Links\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Comagentintoruntimenet\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Comagentintoruntimenet\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Comagentintoruntimenet\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Comagentintoruntimenet\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Comagentintoruntimenet\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Comagentintoruntimenet\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\bcastdvr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\bcastdvr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Comagentintoruntimenet\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Comagentintoruntimenet\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Comagentintoruntimenet\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Comagentintoruntimenet\TkCvPJ2UlFeT4Fu5ppqt.vbe

Filesize
208B

MD5
b15a0a45547b7a2048e3555669d8f73d

SHA1
509cacfbaa865e29a77a39b73c5bf0693b25efa5

SHA256
586d1c5baa18319d0d953712a7566dd14842c6d3dbbde15d84c75d16a32f7cd5

SHA512
589293bc2806e43375b3798f7980101d2390aeb15f69d943a39aa2f1ecc9811c787d70c58c19994bcebfcc3d517c9976e1fdc55aa01eeb6bdd1686c11c155556

Download Submit
C:\Comagentintoruntimenet\chainblock.exe

Filesize
1.3MB

MD5
7f35833c6d89b35a32bbf1cdb187b867

SHA1
c486ac068d4c4cc00242e5426b003787351b1288

SHA256
2718703785703e1ead2f1ba67fb9c3855d229826a4d0d4d9e62e0ad440588830

SHA512
4a0681c958647dc362cd4e9266f7e0a7782c13c852bfaacb83c0f9da049491d70c658ca88db27df1b8c21da5c58b55b2a1ee728cda9b850e18c98b5c98cda334

Download Submit
C:\Comagentintoruntimenet\chainblock.exe

Filesize
1.3MB

MD5
7f35833c6d89b35a32bbf1cdb187b867

SHA1
c486ac068d4c4cc00242e5426b003787351b1288

SHA256
2718703785703e1ead2f1ba67fb9c3855d229826a4d0d4d9e62e0ad440588830

SHA512
4a0681c958647dc362cd4e9266f7e0a7782c13c852bfaacb83c0f9da049491d70c658ca88db27df1b8c21da5c58b55b2a1ee728cda9b850e18c98b5c98cda334

Download Submit
C:\Comagentintoruntimenet\qZx1zTq4J.bat

Filesize
42B

MD5
6ce95d1a3a1848ab15bbdbb219feca76

SHA1
2c0ce5d98c16aa9dc94e14569b2179348f79e168

SHA256
7cd511ecb99718222b6706dbb4e127346395ae7a422c073b261fb672816eb097

SHA512
ad7c0479972d08e9a4e5d9f2261f0ea96e69e89e2fe0f7642b34145ac28c49212ac733c3d632b0377b8f1b0027360a1514a30276d1b03b566fcc8f5e09e282e2

Download Submit
C:\Comagentintoruntimenet\winlogon.exe

Filesize
1.3MB

MD5
7f35833c6d89b35a32bbf1cdb187b867

SHA1
c486ac068d4c4cc00242e5426b003787351b1288

SHA256
2718703785703e1ead2f1ba67fb9c3855d229826a4d0d4d9e62e0ad440588830

SHA512
4a0681c958647dc362cd4e9266f7e0a7782c13c852bfaacb83c0f9da049491d70c658ca88db27df1b8c21da5c58b55b2a1ee728cda9b850e18c98b5c98cda334

Download Submit
C:\Comagentintoruntimenet\winlogon.exe

Filesize
1.3MB

MD5
7f35833c6d89b35a32bbf1cdb187b867

SHA1
c486ac068d4c4cc00242e5426b003787351b1288

SHA256
2718703785703e1ead2f1ba67fb9c3855d229826a4d0d4d9e62e0ad440588830

SHA512
4a0681c958647dc362cd4e9266f7e0a7782c13c852bfaacb83c0f9da049491d70c658ca88db27df1b8c21da5c58b55b2a1ee728cda9b850e18c98b5c98cda334

Download Submit
C:\Program Files\Uninstall Information\backgroundTaskHost.exe

Filesize
1.3MB

MD5
7f35833c6d89b35a32bbf1cdb187b867

SHA1
c486ac068d4c4cc00242e5426b003787351b1288

SHA256
2718703785703e1ead2f1ba67fb9c3855d229826a4d0d4d9e62e0ad440588830

SHA512
4a0681c958647dc362cd4e9266f7e0a7782c13c852bfaacb83c0f9da049491d70c658ca88db27df1b8c21da5c58b55b2a1ee728cda9b850e18c98b5c98cda334

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYw7YmBmXg.bat

Filesize
203B

MD5
30b4b4851be8e75bb01933259f5d4ec0

SHA1
0d96ce20aecef5db4dd724da63c4a2868b7cc675

SHA256
18281dff8d9df79b16c478bd9a0c6f787b9a9d4372d6a54a6f8c8570b7d10f57

SHA512
639300dda516c64b03c6dac9efda800062e45ea6f4a3e31349f5233caf7bb2e37f92b523772f5d52dc3351c4e47fa471a455dcc76cf649bfee46b0d50933523c

Download Submit
memory/3224-180-0x000000001D940000-0x000000001DB02000-memory.dmp

Filesize
1.8MB

Download
memory/4872-160-0x000000001B4A0000-0x000000001B4B0000-memory.dmp

Filesize
64KB

Download
memory/4872-147-0x000000001BAB0000-0x000000001BB00000-memory.dmp

Filesize
320KB

Download
memory/4872-146-0x000000001B4A0000-0x000000001B4B0000-memory.dmp

Filesize
64KB

Download
memory/4872-145-0x0000000000600000-0x0000000000748000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads