dcrat | 672122b34c708738c0ebb1fbe3306b7aa24a4584c87172582c95bbe59ccea401

General

Target

2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b.exe
Size

1.6MB
MD5

2baa6f19fa7f4ef5941e92335aa2c06d
SHA1

68c4872eba868d9e8b640e0e76cb1a4a00331d8e
SHA256

2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b
SHA512

ee875b4c223bba5864aa1d5ca165d798625442a8ef0a35ec16dc4283ad404d7656bfeeb262ef2ebdc8d3fe954416c019a210c59e2caba6507ae89f13d12d2d27
SSDEEP

24576:e2G/nvxW3WXeGxRoXGkxVsAjtxWCu2RdBaYwqf36eYmMyXxRlRYSZF083SFN:ebA3V6aXGkzFaPmUzyXnlqSZE

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	4164	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercomponentbrowsersessionnet\providerDriver.exe	dcrat
C:\providercomponentbrowsersessionnet\providerDriver.exe	dcrat
behavioral2/memory/824-145-0x0000000000130000-0x000000000028E000-memory.dmp	dcrat
C:\Users\Admin\Searches\taskhostw.exe	dcrat
C:\odt\spoolsv.exe	dcrat
C:\odt\spoolsv.exe	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b.exeWScript.exeproviderDriver.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	providerDriver.exe

Executes dropped EXE 2 IoCs

Processes:

providerDriver.exespoolsv.exe

pid process

824 providerDriver.exe
4864 spoolsv.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 ipinfo.io
27 ipinfo.io

flow	ioc
26	ipinfo.io
27	ipinfo.io

Drops file in Program Files directory 7 IoCs

Processes:

providerDriver.exe

description	ioc	process
File created	C:\Program Files\Windows Multimedia Platform\dllhost.exe	providerDriver.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\dllhost.exe	providerDriver.exe
File created	C:\Program Files\Windows Multimedia Platform\5940a34987c991	providerDriver.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\backgroundTaskHost.exe	providerDriver.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\eddb19405b7ce1	providerDriver.exe
File created	C:\Program Files\Uninstall Information\wininit.exe	providerDriver.exe
File created	C:\Program Files\Uninstall Information\56085415360792	providerDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4008	schtasks.exe
848	schtasks.exe
3912	schtasks.exe
3876	schtasks.exe
5104	schtasks.exe
3952	schtasks.exe
1240	schtasks.exe
1576	schtasks.exe
3348	schtasks.exe
3216	schtasks.exe
3548	schtasks.exe
2676	schtasks.exe
3512	schtasks.exe
3916	schtasks.exe
2264	schtasks.exe
2608	schtasks.exe
1788	schtasks.exe
4676	schtasks.exe
1372	schtasks.exe
4340	schtasks.exe
4524	schtasks.exe
100	schtasks.exe
4924	schtasks.exe
1000	schtasks.exe
768	schtasks.exe
4344	schtasks.exe
3376	schtasks.exe
1548	schtasks.exe
4212	schtasks.exe
4664	schtasks.exe
244	schtasks.exe
628	schtasks.exe
1988	schtasks.exe

Modifies registry class 1 IoCs

Processes:

2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

providerDriver.exespoolsv.exe

pid	process
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
824	providerDriver.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

spoolsv.exe

pid process

4864 spoolsv.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

providerDriver.exespoolsv.exe

description pid process

Token: SeDebugPrivilege 824 providerDriver.exe
Token: SeDebugPrivilege 4864 spoolsv.exe

pid	process
4864	spoolsv.exe

description	pid	process
Token: SeDebugPrivilege	824	providerDriver.exe
Token: SeDebugPrivilege	4864	spoolsv.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b.exeWScript.execmd.exeproviderDriver.exe

description	pid	process	target process
PID 4320 wrote to memory of 3280	4320	2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b.exe	WScript.exe
PID 4320 wrote to memory of 3280	4320	2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b.exe	WScript.exe
PID 4320 wrote to memory of 3280	4320	2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b.exe	WScript.exe
PID 3280 wrote to memory of 3544	3280	WScript.exe	cmd.exe
PID 3280 wrote to memory of 3544	3280	WScript.exe	cmd.exe
PID 3280 wrote to memory of 3544	3280	WScript.exe	cmd.exe
PID 3544 wrote to memory of 824	3544	cmd.exe	providerDriver.exe
PID 3544 wrote to memory of 824	3544	cmd.exe	providerDriver.exe
PID 824 wrote to memory of 4864	824	providerDriver.exe	spoolsv.exe
PID 824 wrote to memory of 4864	824	providerDriver.exe	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b.exe
"C:\Users\Admin\AppData\Local\Temp\2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercomponentbrowsersessionnet\RMsUvdXKMQWO2B.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercomponentbrowsersessionnet\VeZgJ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3544

C:\providercomponentbrowsersessionnet\providerDriver.exe
"C:\providercomponentbrowsersessionnet\providerDriver.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824

C:\odt\spoolsv.exe
"C:\odt\spoolsv.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Searches\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\providercomponentbrowsersessionnet\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercomponentbrowsersessionnet\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercomponentbrowsersessionnet\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\providercomponentbrowsersessionnet\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercomponentbrowsersessionnet\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\providercomponentbrowsersessionnet\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Searches\taskhostw.exe
Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
C:\odt\spoolsv.exe
Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
C:\odt\spoolsv.exe
Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
C:\providercomponentbrowsersessionnet\RMsUvdXKMQWO2B.vbe
Filesize
216B

MD5
5def842da05330520251c8387fad9324

SHA1
280555ffb06b6140968c4e283ccf626600bd76d5

SHA256
8c848ba2be36eac17d91fde15420454ba880b08fabc0d5f6a8b5a1a7490d9bcb

SHA512
aca06163bf5d80c5a7f7d1be66da2553dc438303143e3813b334dbe528278893e20722d30668b4be639a9a799acb546c2cd481d086b963357b903f65b6eb83ca

Download Submit
C:\providercomponentbrowsersessionnet\VeZgJ.bat
Filesize
58B

MD5
936487934c40b7b6efbede5d4665bfe5

SHA1
f5119e4128c38bf607c07a100f670be4b033c4ea

SHA256
7734b8c67c13c61d236a9f437875a85ae13450720be7e4ce398a4e197136395d

SHA512
1bda0aaab8f4988924525c264e6e05a2b16aae2834cd3863474dd31f2581ddb16458bb6fea1cc8edfaec97901af2926be7e28f28f46dc96d039d59176761d2d3

Download Submit
C:\providercomponentbrowsersessionnet\providerDriver.exe
Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
C:\providercomponentbrowsersessionnet\providerDriver.exe
Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
memory/824-147-0x000000001AEB0000-0x000000001AEC0000-memory.dmp

Filesize
64KB

Download
memory/824-148-0x000000001BB10000-0x000000001C038000-memory.dmp

Filesize
5.2MB

Download
memory/824-146-0x000000001B410000-0x000000001B460000-memory.dmp

Filesize
320KB

Download
memory/824-145-0x0000000000130000-0x000000000028E000-memory.dmp

Filesize
1.4MB

Download
memory/4864-182-0x0000000001830000-0x0000000001840000-memory.dmp

Filesize
64KB

Download
memory/4864-183-0x000000001D6C0000-0x000000001D882000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads