dcrat | b3a3bdf098e5f594e648d057b76c611459fee806603aeb6b4e8acd94c345f885

General

Target

a04547b4b2135cb2a6679397b6ceebbd.exe
Size

2.1MB
MD5

a04547b4b2135cb2a6679397b6ceebbd
SHA1

575a41564360e3f33937b95ff20951f67815340b
SHA256

b3a3bdf098e5f594e648d057b76c611459fee806603aeb6b4e8acd94c345f885
SHA512

47355bd76cc62ff6d9bb5a83a065b154e62134f572b3a2039a2b12c7010a2d71324e70c530586c89803e1cc6eeb780c253fbb1287cdc63a69ce8623c29f5a87d
SSDEEP

49152:WP6CjZbUzbbniWNQ0uoKoBDfMXx+542856s8lRMZsMH:WP6eUjRipr2DfMh+K6plZM

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	4772	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4908-133-0x0000000000720000-0x000000000094E000-memory.dmp	dcrat
C:\Users\Public\services.exe	dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe	dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a04547b4b2135cb2a6679397b6ceebbd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	a04547b4b2135cb2a6679397b6ceebbd.exe

Executes dropped EXE 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

332 StartMenuExperienceHost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
332	StartMenuExperienceHost.exe

Drops file in System32 directory 2 IoCs

Processes:

a04547b4b2135cb2a6679397b6ceebbd.exe

description	ioc	process
File created	C:\Windows\System32\WinBioPlugIns\dwm.exe	a04547b4b2135cb2a6679397b6ceebbd.exe
File created	C:\Windows\System32\WinBioPlugIns\6cb0b6c459d5d3	a04547b4b2135cb2a6679397b6ceebbd.exe

Drops file in Program Files directory 8 IoCs

Processes:

a04547b4b2135cb2a6679397b6ceebbd.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\WmiPrvSE.exe	a04547b4b2135cb2a6679397b6ceebbd.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\24dbde2999530e	a04547b4b2135cb2a6679397b6ceebbd.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe	a04547b4b2135cb2a6679397b6ceebbd.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\56085415360792	a04547b4b2135cb2a6679397b6ceebbd.exe
File created	C:\Program Files\Windows Mail\OfficeClickToRun.exe	a04547b4b2135cb2a6679397b6ceebbd.exe
File created	C:\Program Files\Windows Mail\e6c9b481da804f	a04547b4b2135cb2a6679397b6ceebbd.exe
File created	C:\Program Files\Internet Explorer\es-ES\RuntimeBroker.exe	a04547b4b2135cb2a6679397b6ceebbd.exe
File created	C:\Program Files\Internet Explorer\es-ES\9e8d7a4ca61bd9	a04547b4b2135cb2a6679397b6ceebbd.exe

Drops file in Windows directory 2 IoCs

Processes:

a04547b4b2135cb2a6679397b6ceebbd.exe

description	ioc	process
File created	C:\Windows\PLA\Rules\es-ES\dllhost.exe	a04547b4b2135cb2a6679397b6ceebbd.exe
File created	C:\Windows\PLA\Rules\es-ES\5940a34987c991	a04547b4b2135cb2a6679397b6ceebbd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3420	schtasks.exe
4436	schtasks.exe
2956	schtasks.exe
1092	schtasks.exe
4852	schtasks.exe
2836	schtasks.exe
2252	schtasks.exe
4864	schtasks.exe
3736	schtasks.exe
2584	schtasks.exe
3520	schtasks.exe
4600	schtasks.exe
4996	schtasks.exe
4052	schtasks.exe
1432	schtasks.exe
212	schtasks.exe
2816	schtasks.exe
5084	schtasks.exe
3212	schtasks.exe
3740	schtasks.exe
1208	schtasks.exe
4480	schtasks.exe
4740	schtasks.exe
1928	schtasks.exe
1972	schtasks.exe
2208	schtasks.exe
4572	schtasks.exe
4136	schtasks.exe
5052	schtasks.exe
1988	schtasks.exe
2576	schtasks.exe
3644	schtasks.exe
4212	schtasks.exe
1808	schtasks.exe
4132	schtasks.exe
2116	schtasks.exe

Modifies registry class 1 IoCs

Processes:

a04547b4b2135cb2a6679397b6ceebbd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	a04547b4b2135cb2a6679397b6ceebbd.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

a04547b4b2135cb2a6679397b6ceebbd.exeStartMenuExperienceHost.exe

pid	process
4908	a04547b4b2135cb2a6679397b6ceebbd.exe
4908	a04547b4b2135cb2a6679397b6ceebbd.exe
4908	a04547b4b2135cb2a6679397b6ceebbd.exe
4908	a04547b4b2135cb2a6679397b6ceebbd.exe
4908	a04547b4b2135cb2a6679397b6ceebbd.exe
4908	a04547b4b2135cb2a6679397b6ceebbd.exe
4908	a04547b4b2135cb2a6679397b6ceebbd.exe
4908	a04547b4b2135cb2a6679397b6ceebbd.exe
4908	a04547b4b2135cb2a6679397b6ceebbd.exe
332	StartMenuExperienceHost.exe
332	StartMenuExperienceHost.exe
332	StartMenuExperienceHost.exe
332	StartMenuExperienceHost.exe
332	StartMenuExperienceHost.exe
332	StartMenuExperienceHost.exe
332	StartMenuExperienceHost.exe
332	StartMenuExperienceHost.exe
332	StartMenuExperienceHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

332 StartMenuExperienceHost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a04547b4b2135cb2a6679397b6ceebbd.exeStartMenuExperienceHost.exe

description pid process

Token: SeDebugPrivilege 4908 a04547b4b2135cb2a6679397b6ceebbd.exe
Token: SeDebugPrivilege 332 StartMenuExperienceHost.exe

pid	process
332	StartMenuExperienceHost.exe

description	pid	process
Token: SeDebugPrivilege	4908	a04547b4b2135cb2a6679397b6ceebbd.exe
Token: SeDebugPrivilege	332	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a04547b4b2135cb2a6679397b6ceebbd.execmd.exe

description	pid	process	target process
PID 4908 wrote to memory of 3156	4908	a04547b4b2135cb2a6679397b6ceebbd.exe	cmd.exe
PID 4908 wrote to memory of 3156	4908	a04547b4b2135cb2a6679397b6ceebbd.exe	cmd.exe
PID 3156 wrote to memory of 2072	3156	cmd.exe	w32tm.exe
PID 3156 wrote to memory of 2072	3156	cmd.exe	w32tm.exe
PID 3156 wrote to memory of 332	3156	cmd.exe	StartMenuExperienceHost.exe
PID 3156 wrote to memory of 332	3156	cmd.exe	StartMenuExperienceHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a04547b4b2135cb2a6679397b6ceebbd.exe
"C:\Users\Admin\AppData\Local\Temp\a04547b4b2135cb2a6679397b6ceebbd.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PB8bV35EeC.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2072

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Rules\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Rules\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Music\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Music\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Music\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\es-ES\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\WinBioPlugIns\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\WinBioPlugIns\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\WinBioPlugIns\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
Filesize
2.1MB

MD5
a04547b4b2135cb2a6679397b6ceebbd

SHA1
575a41564360e3f33937b95ff20951f67815340b

SHA256
b3a3bdf098e5f594e648d057b76c611459fee806603aeb6b4e8acd94c345f885

SHA512
47355bd76cc62ff6d9bb5a83a065b154e62134f572b3a2039a2b12c7010a2d71324e70c530586c89803e1cc6eeb780c253fbb1287cdc63a69ce8623c29f5a87d

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
Filesize
2.1MB

MD5
a04547b4b2135cb2a6679397b6ceebbd

SHA1
575a41564360e3f33937b95ff20951f67815340b

SHA256
b3a3bdf098e5f594e648d057b76c611459fee806603aeb6b4e8acd94c345f885

SHA512
47355bd76cc62ff6d9bb5a83a065b154e62134f572b3a2039a2b12c7010a2d71324e70c530586c89803e1cc6eeb780c253fbb1287cdc63a69ce8623c29f5a87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PB8bV35EeC.bat
Filesize
214B

MD5
dcb2622f325b48ad4ae2bee367fd4f63

SHA1
0a5807d6d156ba07cb8f9978a0315f4299878ae8

SHA256
a69b7e447d5fc3335e69c8989844e41a43bab44ea6697d98a2aeab87b03d584a

SHA512
13adfaf6013958583eb87f51c899bc73949b2ab68678be77a45b1c669b44ba1c446451dc7a67904cadf3fca38980457a5d02d3e42ec45fdc3e0ec51103fc92db

Download Submit
C:\Users\Public\services.exe
Filesize
2.1MB

MD5
a04547b4b2135cb2a6679397b6ceebbd

SHA1
575a41564360e3f33937b95ff20951f67815340b

SHA256
b3a3bdf098e5f594e648d057b76c611459fee806603aeb6b4e8acd94c345f885

SHA512
47355bd76cc62ff6d9bb5a83a065b154e62134f572b3a2039a2b12c7010a2d71324e70c530586c89803e1cc6eeb780c253fbb1287cdc63a69ce8623c29f5a87d

Download Submit
memory/332-170-0x000000001D390000-0x000000001D3A0000-memory.dmp

Filesize
64KB

Download
memory/4908-133-0x0000000000720000-0x000000000094E000-memory.dmp

Filesize
2.2MB

Download
memory/4908-134-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/4908-135-0x000000001B560000-0x000000001B5B0000-memory.dmp

Filesize
320KB

Download
memory/4908-136-0x000000001CDA0000-0x000000001D2C8000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads