dcrat | c6244c8e4e4cdecd641017d52d344b1db6a23d05fd6a8ad338c8f4f77481f483

General

Target

C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
Size

1.3MB
MD5

6f6a61090a9add724eebbec1c558826b
SHA1

566ea8db4bcea2d078fb71be08bc8e7003e36119
SHA256

c6244c8e4e4cdecd641017d52d344b1db6a23d05fd6a8ad338c8f4f77481f483
SHA512

47d88347a9082186b9667fcf3994d2fe212f09a5665cc82017d48f8833e8a67823b6b66bf3a5dbda5369dd6d1585248389e213a4b3556e8b0b0b66c137eb8aa8
SSDEEP

24576:4LS70OsASkYS827M+8NFNzmJd+eVjW2LGLrk2WKiT:gS70OfRhxW1c2vi

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	4152	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4152	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4908-133-0x0000000000430000-0x0000000000582000-memory.dmp	dcrat
C:\Users\Default\StartMenuExperienceHost.exe	dcrat
C:\Users\Public\Videos\wininit.exe	dcrat
C:\Users\Public\Videos\wininit.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe

Executes dropped EXE 1 IoCs

Processes:

wininit.exe

pid process

2016 wininit.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2016	wininit.exe

Drops file in Program Files directory 5 IoCs

Processes:

C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\e6c9b481da804f	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\sihost.exe	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\sihost.exe	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\66fc9ff0ee96c2	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\OfficeClickToRun.exe	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe

Drops file in Windows directory 4 IoCs

Processes:

C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe

description	ioc	process
File created	C:\Windows\SchCache\OfficeClickToRun.exe	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Windows\SchCache\e6c9b481da804f	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Windows\ShellComponents\fontdrvhost.exe	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Windows\ShellComponents\5b884080fd4f94	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2076	schtasks.exe
4492	schtasks.exe
4612	schtasks.exe
4100	schtasks.exe
4584	schtasks.exe
1148	schtasks.exe
3980	schtasks.exe
3000	schtasks.exe
3828	schtasks.exe
4924	schtasks.exe
2388	schtasks.exe
564	schtasks.exe
1304	schtasks.exe
3468	schtasks.exe
3212	schtasks.exe
4996	schtasks.exe
396	schtasks.exe
428	schtasks.exe
3976	schtasks.exe
4420	schtasks.exe
4596	schtasks.exe
4836	schtasks.exe
224	schtasks.exe
1620	schtasks.exe
3448	schtasks.exe
3372	schtasks.exe
1728	schtasks.exe
2660	schtasks.exe
4336	schtasks.exe
3540	schtasks.exe
4888	schtasks.exe
2292	schtasks.exe
2316	schtasks.exe

Modifies registry class 1 IoCs

Processes:

C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exewininit.exe

pid	process
4908	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
4908	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
4908	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
4908	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
4908	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
4908	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
4908	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
2016	wininit.exe
2016	wininit.exe
2016	wininit.exe
2016	wininit.exe
2016	wininit.exe
2016	wininit.exe
2016	wininit.exe
2016	wininit.exe
2016	wininit.exe
2016	wininit.exe
2016	wininit.exe
2016	wininit.exe
2016	wininit.exe
2016	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

wininit.exe

pid process

2016 wininit.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exewininit.exe

description pid process

Token: SeDebugPrivilege 4908 C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
Token: SeDebugPrivilege 2016 wininit.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wininit.exe

pid process

2016 wininit.exe

pid	process
2016	wininit.exe

description	pid	process
Token: SeDebugPrivilege	4908	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
Token: SeDebugPrivilege	2016	wininit.exe

pid	process
2016	wininit.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.execmd.exe

description	pid	process	target process
PID 4908 wrote to memory of 3004	4908	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe	cmd.exe
PID 4908 wrote to memory of 3004	4908	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe	cmd.exe
PID 3004 wrote to memory of 5052	3004	cmd.exe	w32tm.exe
PID 3004 wrote to memory of 5052	3004	cmd.exe	w32tm.exe
PID 3004 wrote to memory of 2016	3004	cmd.exe	wininit.exe
PID 3004 wrote to memory of 2016	3004	cmd.exe	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
"C:\Users\Admin\AppData\Local\Temp\C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yl4hSWYMBu.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:5052

C:\Users\Public\Videos\wininit.exe
"C:\Users\Public\Videos\wininit.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\SchCache\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellComponents\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ShellComponents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellComponents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yl4hSWYMBu.bat
Filesize
199B

MD5
17c8cf6c5618927dc34bade7f8128ef4

SHA1
7230e0f8bd1fc06d54901bde14bf3d8ddefd8cab

SHA256
758e93388bcb56087f0ea75db24fb5bcbc5f79d890a0ea4ec3ca1ace5210aa3c

SHA512
4f188e29014d2b39811642ecdf217b00686029bf34510259123e1c422306d4dd0442c5c7fbcbee73edf235534851024f5d8c4ec446a01e79bdd426c09c44d7cd

Download Submit
C:\Users\Default\StartMenuExperienceHost.exe
Filesize
1.3MB

MD5
6f6a61090a9add724eebbec1c558826b

SHA1
566ea8db4bcea2d078fb71be08bc8e7003e36119

SHA256
c6244c8e4e4cdecd641017d52d344b1db6a23d05fd6a8ad338c8f4f77481f483

SHA512
47d88347a9082186b9667fcf3994d2fe212f09a5665cc82017d48f8833e8a67823b6b66bf3a5dbda5369dd6d1585248389e213a4b3556e8b0b0b66c137eb8aa8

Download Submit
C:\Users\Public\Videos\wininit.exe
Filesize
1.3MB

MD5
6f6a61090a9add724eebbec1c558826b

SHA1
566ea8db4bcea2d078fb71be08bc8e7003e36119

SHA256
c6244c8e4e4cdecd641017d52d344b1db6a23d05fd6a8ad338c8f4f77481f483

SHA512
47d88347a9082186b9667fcf3994d2fe212f09a5665cc82017d48f8833e8a67823b6b66bf3a5dbda5369dd6d1585248389e213a4b3556e8b0b0b66c137eb8aa8

Download Submit
C:\Users\Public\Videos\wininit.exe
Filesize
1.3MB

MD5
6f6a61090a9add724eebbec1c558826b

SHA1
566ea8db4bcea2d078fb71be08bc8e7003e36119

SHA256
c6244c8e4e4cdecd641017d52d344b1db6a23d05fd6a8ad338c8f4f77481f483

SHA512
47d88347a9082186b9667fcf3994d2fe212f09a5665cc82017d48f8833e8a67823b6b66bf3a5dbda5369dd6d1585248389e213a4b3556e8b0b0b66c137eb8aa8

Download Submit
memory/2016-168-0x000000001B730000-0x000000001B740000-memory.dmp

Filesize
64KB

Download
memory/4908-133-0x0000000000430000-0x0000000000582000-memory.dmp

Filesize
1.3MB

Download
memory/4908-134-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

Filesize
64KB

Download
memory/4908-135-0x000000001B300000-0x000000001B350000-memory.dmp

Filesize
320KB

Download
memory/4908-136-0x000000001BEA0000-0x000000001C3C8000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads