dcrat | 90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

General

Target

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
Size

828KB
MD5

ece82b00b9400f1d09a763853964e291
SHA1

b1b36fcd10ff7833f9bb430ea371df5d295498af
SHA256

90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57
SHA512

52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519
SSDEEP

12288:NaKyDgt9n5S56ZJ2dUWmBXcKOLUJMgAGuhLbLwN:NyDgt9n4iJ2dUbXwRgAGuLbLwN

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	648	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1992-54-0x00000000011C0000-0x0000000001296000-memory.dmp	dcrat
C:\Program Files (x86)\Windows Sidebar\explorer.exe	dcrat
C:\Program Files (x86)\Windows Media Player\csrss.exe	dcrat
C:\Program Files (x86)\Windows Media Player\csrss.exe	dcrat
behavioral1/memory/1316-86-0x0000000000BE0000-0x0000000000CB6000-memory.dmp	dcrat
behavioral1/memory/1316-87-0x000000001B0F0000-0x000000001B170000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

1316 csrss.exe

pid	process
1316	csrss.exe

Drops file in Program Files directory 13 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

description	ioc	process
File created	C:\Program Files\Reference Assemblies\taskhost.exe	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\6203df4a6bafc7	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Program Files (x86)\Windows Sidebar\explorer.exe	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Program Files\VideoLAN\VLC\sppsvc.exe	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Program Files (x86)\Windows Media Player\csrss.exe	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Program Files (x86)\Windows Media Player\886983d96e3d3e	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\smss.exe	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\69ddcba757bf72	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Program Files (x86)\Windows Sidebar\7a0fd90576e088	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Program Files\VideoLAN\VLC\0a1fd5f707cd16	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Program Files\Reference Assemblies\b75386f1303e64	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

Drops file in Windows directory 2 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

description	ioc	process
File created	C:\Windows\Cursors\csrss.exe	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
File created	C:\Windows\Cursors\886983d96e3d3e	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
804	schtasks.exe
272	schtasks.exe
1948	schtasks.exe
2004	schtasks.exe
1032	schtasks.exe
1668	schtasks.exe
1344	schtasks.exe
1332	schtasks.exe
1592	schtasks.exe
428	schtasks.exe
1264	schtasks.exe
324	schtasks.exe
1712	schtasks.exe
1788	schtasks.exe
1968	schtasks.exe
1088	schtasks.exe
1544	schtasks.exe
696	schtasks.exe
1512	schtasks.exe
1536	schtasks.exe
1320	schtasks.exe
1424	schtasks.exe
1528	schtasks.exe
612	schtasks.exe
736	schtasks.exe
968	schtasks.exe
276	schtasks.exe
1752	schtasks.exe
1776	schtasks.exe
1732	schtasks.exe
1700	schtasks.exe
1464	schtasks.exe
1928	schtasks.exe
960	schtasks.exe
1132	schtasks.exe
1524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.execsrss.exe

pid process

1992 90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
1316 csrss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.execsrss.exe

description pid process

Token: SeDebugPrivilege 1992 90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
Token: SeDebugPrivilege 1316 csrss.exe

pid	process
1992	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
1316	csrss.exe

description	pid	process
Token: SeDebugPrivilege	1992	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
Token: SeDebugPrivilege	1316	csrss.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe

description	pid	process	target process
PID 1992 wrote to memory of 1316	1992	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe	csrss.exe
PID 1992 wrote to memory of 1316	1992	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe	csrss.exe
PID 1992 wrote to memory of 1316	1992	90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe
"C:\Users\Admin\AppData\Local\Temp\90DAA21921C8CA1EABCBB3E6C957D912C80809050537E.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Program Files (x86)\Windows Media Player\csrss.exe
"C:\Program Files (x86)\Windows Media Player\csrss.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Network Sharing\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Network Sharing\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\csrss.exe
Filesize
828KB

MD5
ece82b00b9400f1d09a763853964e291

SHA1
b1b36fcd10ff7833f9bb430ea371df5d295498af

SHA256
90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

SHA512
52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

Download Submit
C:\Program Files (x86)\Windows Media Player\csrss.exe
Filesize
828KB

MD5
ece82b00b9400f1d09a763853964e291

SHA1
b1b36fcd10ff7833f9bb430ea371df5d295498af

SHA256
90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

SHA512
52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

Download Submit
C:\Program Files (x86)\Windows Sidebar\explorer.exe
Filesize
828KB

MD5
ece82b00b9400f1d09a763853964e291

SHA1
b1b36fcd10ff7833f9bb430ea371df5d295498af

SHA256
90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

SHA512
52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

Download Submit
memory/1316-86-0x0000000000BE0000-0x0000000000CB6000-memory.dmp

Filesize
856KB

Download
memory/1316-87-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/1992-54-0x00000000011C0000-0x0000000001296000-memory.dmp

Filesize
856KB

Download
memory/1992-63-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads