dcrat | 0102ee1516fd47fc9cb7ffb31c922e747cc5ce638e2fb0d5e133275e271cd492

General

Target

Fortnite.exe
Size

1.1MB
MD5

f795b0bb519a53aa55f3a1f8b421708d
SHA1

18b0c53280f120d18e224ef389e21a09902da4f4
SHA256

0102ee1516fd47fc9cb7ffb31c922e747cc5ce638e2fb0d5e133275e271cd492
SHA512

d3a1908461508c6bf322e1aa809b6b04ed27e0722957fcdf5d4f828060f4d4ba76d415ba56b8dad1d9d07129603590fc75699d98014fd79f3bfb8ea051e70180
SSDEEP

24576:U2G/nvxW3Ww0tEiau4VjR/qCUzDG6bNUa1BMJWl:UbA30klYS6b26

Score

10^/10

dcrat evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4264	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	4264	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Windows\syscom32.exe	dcrat
C:\Windows\syscom32.exe	dcrat
behavioral2/memory/4928-145-0x0000000000DF0000-0x0000000000EC6000-memory.dmp	dcrat
C:\Program Files (x86)\Windows NT\TableTextService\en-US\sihost.exe	dcrat
C:\Users\Default\OfficeClickToRun.exe	dcrat
C:\Users\Default User\OfficeClickToRun.exe	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

syscom32.exeOfficeClickToRun.exeFortnite.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	syscom32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	Fortnite.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

syscom32.exeOfficeClickToRun.exe

pid process

4928 syscom32.exe
2108 OfficeClickToRun.exe

Drops file in Program Files directory 10 IoCs

Processes:

syscom32.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\sihost.exe	syscom32.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5940a34987c991	syscom32.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\OfficeClickToRun.exe	syscom32.exe
File created	C:\Program Files\Uninstall Information\fontdrvhost.exe	syscom32.exe
File created	C:\Program Files\Uninstall Information\5b884080fd4f94	syscom32.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\66fc9ff0ee96c2	syscom32.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	syscom32.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\e6c9b481da804f	syscom32.exe
File created	C:\Program Files\Google\Chrome\unsecapp.exe	syscom32.exe
File created	C:\Program Files\Google\Chrome\29c1c3cc0f7685	syscom32.exe

Drops file in Windows directory 11 IoCs

Processes:

Fortnite.exesyscom32.exe

description	ioc	process
File created	C:\Windows\__tmp_rar_sfx_access_check_240580625	Fortnite.exe
File created	C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe	Fortnite.exe
File opened for modification	C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe	Fortnite.exe
File created	C:\Windows\Media\Savanna\27d1bcfc3c54e0	syscom32.exe
File created	C:\Windows\INF\rdyboost\0411\9e8d7a4ca61bd9	syscom32.exe
File created	C:\Windows\kkLuA.bat	Fortnite.exe
File opened for modification	C:\Windows\kkLuA.bat	Fortnite.exe
File created	C:\Windows\syscom32.exe	Fortnite.exe
File opened for modification	C:\Windows\syscom32.exe	Fortnite.exe
File created	C:\Windows\Media\Savanna\System.exe	syscom32.exe
File created	C:\Windows\INF\rdyboost\0411\RuntimeBroker.exe	syscom32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3228	schtasks.exe
3212	schtasks.exe
3140	schtasks.exe
3856	schtasks.exe
4160	schtasks.exe
2868	schtasks.exe
4512	schtasks.exe
820	schtasks.exe
2100	schtasks.exe
688	schtasks.exe
4576	schtasks.exe
768	schtasks.exe
1852	schtasks.exe
580	schtasks.exe
4528	schtasks.exe
3828	schtasks.exe
1452	schtasks.exe
4672	schtasks.exe
4648	schtasks.exe
3504	schtasks.exe
2208	schtasks.exe
4596	schtasks.exe
4616	schtasks.exe
4764	schtasks.exe
228	schtasks.exe
5060	schtasks.exe
4720	schtasks.exe
3916	schtasks.exe
3336	schtasks.exe
4620	schtasks.exe
4556	schtasks.exe
2464	schtasks.exe
4052	schtasks.exe
4504	schtasks.exe
4320	schtasks.exe
3456	schtasks.exe
1728	schtasks.exe
3444	schtasks.exe
4664	schtasks.exe
1084	schtasks.exe
3408	schtasks.exe
352	schtasks.exe
4760	schtasks.exe
4420	schtasks.exe
3588	schtasks.exe
3760	schtasks.exe
776	schtasks.exe
3132	schtasks.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4256 taskkill.exe
Modifies registry class 1 IoCs

Processes:

Fortnite.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings Fortnite.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2928 reg.exe
1080 reg.exe

pid	process
4256	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	Fortnite.exe

pid	process
2928	reg.exe
1080	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

syscom32.exeOfficeClickToRun.exe

pid	process
4928	syscom32.exe
4928	syscom32.exe
4928	syscom32.exe
4928	syscom32.exe
4928	syscom32.exe
2108	OfficeClickToRun.exe
2108	OfficeClickToRun.exe
2108	OfficeClickToRun.exe
2108	OfficeClickToRun.exe
2108	OfficeClickToRun.exe
2108	OfficeClickToRun.exe
2108	OfficeClickToRun.exe
2108	OfficeClickToRun.exe
2108	OfficeClickToRun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OfficeClickToRun.exe

pid process

2108 OfficeClickToRun.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

syscom32.exeOfficeClickToRun.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 4928 syscom32.exe
Token: SeDebugPrivilege 2108 OfficeClickToRun.exe
Token: SeDebugPrivilege 4256 taskkill.exe

pid	process
2108	OfficeClickToRun.exe

description	pid	process
Token: SeDebugPrivilege	4928	syscom32.exe
Token: SeDebugPrivilege	2108	OfficeClickToRun.exe
Token: SeDebugPrivilege	4256	taskkill.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Fortnite.exeWScript.execmd.exesyscom32.exeOfficeClickToRun.execmd.exe

description	pid	process	target process
PID 4824 wrote to memory of 2032	4824	Fortnite.exe	WScript.exe
PID 4824 wrote to memory of 2032	4824	Fortnite.exe	WScript.exe
PID 4824 wrote to memory of 2032	4824	Fortnite.exe	WScript.exe
PID 2032 wrote to memory of 1992	2032	WScript.exe	cmd.exe
PID 2032 wrote to memory of 1992	2032	WScript.exe	cmd.exe
PID 2032 wrote to memory of 1992	2032	WScript.exe	cmd.exe
PID 1992 wrote to memory of 4928	1992	cmd.exe	syscom32.exe
PID 1992 wrote to memory of 4928	1992	cmd.exe	syscom32.exe
PID 4928 wrote to memory of 2108	4928	syscom32.exe	OfficeClickToRun.exe
PID 4928 wrote to memory of 2108	4928	syscom32.exe	OfficeClickToRun.exe
PID 1992 wrote to memory of 1080	1992	cmd.exe	reg.exe
PID 1992 wrote to memory of 1080	1992	cmd.exe	reg.exe
PID 1992 wrote to memory of 1080	1992	cmd.exe	reg.exe
PID 2108 wrote to memory of 2340	2108	OfficeClickToRun.exe	cmd.exe
PID 2108 wrote to memory of 2340	2108	OfficeClickToRun.exe	cmd.exe
PID 2340 wrote to memory of 2928	2340	cmd.exe	reg.exe
PID 2340 wrote to memory of 2928	2340	cmd.exe	reg.exe
PID 2340 wrote to memory of 4256	2340	cmd.exe	taskkill.exe
PID 2340 wrote to memory of 4256	2340	cmd.exe	taskkill.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Fortnite.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\kkLuA.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\syscom32.exe
"C:\Windows\syscom32.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f & taskkill /f /im taskmgr.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\system32\reg.exe
reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
7⤵
- Modifies registry key
PID:2928

C:\Windows\system32\taskkill.exe
taskkill /f /im taskmgr.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\.oracle_jre_usage\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\.oracle_jre_usage\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\.oracle_jre_usage\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Media\Savanna\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Media\Savanna\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Savanna\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\INF\rdyboost\0411\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\INF\rdyboost\0411\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\rdyboost\0411\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4208

C:\Windows\sysmon.exe
"C:\Windows\sysmon.exe"
1⤵
PID:3588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\TableTextService\en-US\sihost.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Users\Default User\OfficeClickToRun.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Users\Default\OfficeClickToRun.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\kkLuA.bat
Filesize
137B

MD5
eddbf02b8f63229a6f4670d77d49f965

SHA1
84dc5aa13c3a7144742df74e28da6a7ad9177a69

SHA256
12646d50947198b1c27be43e89905ce71902c186c21f1abbe0dc16919d4ce7ae

SHA512
be87f2ec9e7371a7999b8c552af765374d8c5c186df18dea61caa5ca57b1ac9e95b194a31d459e090a5cb32c7908af3e90cb4b2576ccfc191a6043879436681d

Download Submit
C:\Windows\syscom32.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\syscom32.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe
Filesize
189B

MD5
c7c7ffa475aef8dff75df4c55df974af

SHA1
ef0427f4f4091c69d488443079477b1d4416e9b2

SHA256
19a4bf5506db87cf645f4a6e9af79b85e0d04ac4e7bc948585510dfe99d5ef16

SHA512
72fa6c18a83eb5edb303a85de4fb5f759a570aa5281525da6021cc1f0613257fbb5305f7a1bf6f6e3337d9ef707776a372b938f6ae6be777b7e6fe18a9dcba66

Download Submit
memory/2108-191-0x000000001B560000-0x000000001B570000-memory.dmp

Filesize
64KB

Download
memory/4928-145-0x0000000000DF0000-0x0000000000EC6000-memory.dmp

Filesize
856KB

Download
memory/4928-148-0x000000001BBA0000-0x000000001BBB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads