dcrat | 5232c6db5c412780ace4c035be6bde85e2ff91f4d5699f849b028939dc39cf74

General

Target

bb1ef2ca98ae809bf836c6f1767cc426.exe
Size

827KB
MD5

bb1ef2ca98ae809bf836c6f1767cc426
SHA1

3ec5f3acbf39a52ae978cfe6d440090e6e7e85d6
SHA256

5232c6db5c412780ace4c035be6bde85e2ff91f4d5699f849b028939dc39cf74
SHA512

c3d9a6ceaff7bfdca46cd115aad4ed0739cfdef2809149a29e5eca26a0a5cc9bedd0225adc17d6c4fb344a3edf0e553d24fdba63a34e820dcd8144453985e7cc
SSDEEP

12288:tuSciL28Yzhe9iolOGbdUUd+3JQvv0Iggv0v/X8qnNLblqR:tciL28Y+iYOGpUUd+3HIg3nNLG

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 43 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exebb1ef2ca98ae809bf836c6f1767cc426.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
588	schtasks.exe
540	schtasks.exe
1824	schtasks.exe
572	schtasks.exe
1828	schtasks.exe
1320	schtasks.exe
760	schtasks.exe
516	schtasks.exe
1688	schtasks.exe
1608	schtasks.exe
1720	schtasks.exe
980	schtasks.exe
1000	schtasks.exe
696	schtasks.exe
1944	schtasks.exe
572	schtasks.exe
892	schtasks.exe
1100	schtasks.exe
1568	schtasks.exe
1184	schtasks.exe
2044	schtasks.exe
564	schtasks.exe
360	schtasks.exe
292	schtasks.exe
612	schtasks.exe
1068	schtasks.exe
1980	schtasks.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\b6031602afff68	bb1ef2ca98ae809bf836c6f1767cc426.exe
1200	schtasks.exe
2036	schtasks.exe
1960	schtasks.exe
2024	schtasks.exe
1896	schtasks.exe
816	schtasks.exe
916	schtasks.exe
924	schtasks.exe
540	schtasks.exe
1996	schtasks.exe
1776	schtasks.exe
1548	schtasks.exe
908	schtasks.exe
392	schtasks.exe
1824	schtasks.exe

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	432	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	432	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2024-54-0x0000000000280000-0x0000000000356000-memory.dmp	dcrat
behavioral1/memory/1936-65-0x0000000000840000-0x0000000000916000-memory.dmp	dcrat
C:\Program Files (x86)\Windows NT\TableTextService\es-ES\dwm.exe	dcrat
behavioral1/memory/1936-78-0x000000001A990000-0x000000001AA10000-memory.dmp	dcrat
C:\Users\Default\Favorites\lsass.exe	dcrat
C:\Users\Default\Favorites\lsass.exe	dcrat
behavioral1/memory/1536-98-0x0000000001240000-0x0000000001316000-memory.dmp	dcrat
behavioral1/memory/1536-99-0x000000001A9E0000-0x000000001AA60000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

lsass.exe

pid process

1536 lsass.exe

pid	process
1536	lsass.exe

Drops file in Program Files directory 8 IoCs

Processes:

bb1ef2ca98ae809bf836c6f1767cc426.exebb1ef2ca98ae809bf836c6f1767cc426.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\winlogon.exe	bb1ef2ca98ae809bf836c6f1767cc426.exe
File created	C:\Program Files\Google\Chrome\cc11b995f2a76d	bb1ef2ca98ae809bf836c6f1767cc426.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\bb1ef2ca98ae809bf836c6f1767cc426.exe	bb1ef2ca98ae809bf836c6f1767cc426.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\b6031602afff68	bb1ef2ca98ae809bf836c6f1767cc426.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\dwm.exe	bb1ef2ca98ae809bf836c6f1767cc426.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\6cb0b6c459d5d3	bb1ef2ca98ae809bf836c6f1767cc426.exe
File created	C:\Program Files (x86)\Microsoft.NET\wininit.exe	bb1ef2ca98ae809bf836c6f1767cc426.exe
File created	C:\Program Files (x86)\Microsoft.NET\56085415360792	bb1ef2ca98ae809bf836c6f1767cc426.exe

Drops file in Windows directory 3 IoCs

Processes:

bb1ef2ca98ae809bf836c6f1767cc426.exe

description	ioc	process
File opened for modification	C:\Windows\debug\WIA\csrss.exe	bb1ef2ca98ae809bf836c6f1767cc426.exe
File created	C:\Windows\debug\WIA\886983d96e3d3e	bb1ef2ca98ae809bf836c6f1767cc426.exe
File created	C:\Windows\debug\WIA\csrss.exe	bb1ef2ca98ae809bf836c6f1767cc426.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
816	schtasks.exe
1548	schtasks.exe
572	schtasks.exe
980	schtasks.exe
1944	schtasks.exe
564	schtasks.exe
588	schtasks.exe
1776	schtasks.exe
1200	schtasks.exe
360	schtasks.exe
392	schtasks.exe
916	schtasks.exe
2044	schtasks.exe
540	schtasks.exe
1688	schtasks.exe
1000	schtasks.exe
572	schtasks.exe
1896	schtasks.exe
292	schtasks.exe
1568	schtasks.exe
1960	schtasks.exe
1608	schtasks.exe
1720	schtasks.exe
1320	schtasks.exe
760	schtasks.exe
2024	schtasks.exe
540	schtasks.exe
1980	schtasks.exe
1828	schtasks.exe
612	schtasks.exe
516	schtasks.exe
892	schtasks.exe
908	schtasks.exe
2036	schtasks.exe
1100	schtasks.exe
1068	schtasks.exe
1824	schtasks.exe
696	schtasks.exe
1824	schtasks.exe
1184	schtasks.exe
924	schtasks.exe
1996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

bb1ef2ca98ae809bf836c6f1767cc426.exebb1ef2ca98ae809bf836c6f1767cc426.exelsass.exe

pid	process
2024	bb1ef2ca98ae809bf836c6f1767cc426.exe
1936	bb1ef2ca98ae809bf836c6f1767cc426.exe
1936	bb1ef2ca98ae809bf836c6f1767cc426.exe
1936	bb1ef2ca98ae809bf836c6f1767cc426.exe
1536	lsass.exe
1536	lsass.exe
1536	lsass.exe
1536	lsass.exe
1536	lsass.exe
1536	lsass.exe
1536	lsass.exe
1536	lsass.exe
1536	lsass.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bb1ef2ca98ae809bf836c6f1767cc426.exebb1ef2ca98ae809bf836c6f1767cc426.exelsass.exe

description	pid	process
Token: SeDebugPrivilege	2024	bb1ef2ca98ae809bf836c6f1767cc426.exe
Token: SeDebugPrivilege	1936	bb1ef2ca98ae809bf836c6f1767cc426.exe
Token: SeDebugPrivilege	1536	lsass.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

bb1ef2ca98ae809bf836c6f1767cc426.execmd.exebb1ef2ca98ae809bf836c6f1767cc426.execmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 1356	2024	bb1ef2ca98ae809bf836c6f1767cc426.exe	cmd.exe
PID 2024 wrote to memory of 1356	2024	bb1ef2ca98ae809bf836c6f1767cc426.exe	cmd.exe
PID 2024 wrote to memory of 1356	2024	bb1ef2ca98ae809bf836c6f1767cc426.exe	cmd.exe
PID 1356 wrote to memory of 980	1356	cmd.exe	w32tm.exe
PID 1356 wrote to memory of 980	1356	cmd.exe	w32tm.exe
PID 1356 wrote to memory of 980	1356	cmd.exe	w32tm.exe
PID 1356 wrote to memory of 1936	1356	cmd.exe	bb1ef2ca98ae809bf836c6f1767cc426.exe
PID 1356 wrote to memory of 1936	1356	cmd.exe	bb1ef2ca98ae809bf836c6f1767cc426.exe
PID 1356 wrote to memory of 1936	1356	cmd.exe	bb1ef2ca98ae809bf836c6f1767cc426.exe
PID 1936 wrote to memory of 2020	1936	bb1ef2ca98ae809bf836c6f1767cc426.exe	cmd.exe
PID 1936 wrote to memory of 2020	1936	bb1ef2ca98ae809bf836c6f1767cc426.exe	cmd.exe
PID 1936 wrote to memory of 2020	1936	bb1ef2ca98ae809bf836c6f1767cc426.exe	cmd.exe
PID 2020 wrote to memory of 1356	2020	cmd.exe	w32tm.exe
PID 2020 wrote to memory of 1356	2020	cmd.exe	w32tm.exe
PID 2020 wrote to memory of 1356	2020	cmd.exe	w32tm.exe
PID 2020 wrote to memory of 1536	2020	cmd.exe	lsass.exe
PID 2020 wrote to memory of 1536	2020	cmd.exe	lsass.exe
PID 2020 wrote to memory of 1536	2020	cmd.exe	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bb1ef2ca98ae809bf836c6f1767cc426.exe
"C:\Users\Admin\AppData\Local\Temp\bb1ef2ca98ae809bf836c6f1767cc426.exe"
1⤵
- DcRat
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yDWQnRz0r7.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\bb1ef2ca98ae809bf836c6f1767cc426.exe
"C:\Users\Admin\AppData\Local\Temp\bb1ef2ca98ae809bf836c6f1767cc426.exe"
3⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38AYcXL9f1.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:1356

C:\Users\Default\Favorites\lsass.exe
"C:\Users\Default\Favorites\lsass.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Recent\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bb1ef2ca98ae809bf836c6f1767cc426b" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\bb1ef2ca98ae809bf836c6f1767cc426.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bb1ef2ca98ae809bf836c6f1767cc426" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\bb1ef2ca98ae809bf836c6f1767cc426.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bb1ef2ca98ae809bf836c6f1767cc426b" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\bb1ef2ca98ae809bf836c6f1767cc426.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\debug\WIA\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\WIA\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bb1ef2ca98ae809bf836c6f1767cc426b" /sc MINUTE /mo 9 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\bb1ef2ca98ae809bf836c6f1767cc426.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bb1ef2ca98ae809bf836c6f1767cc426" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\bb1ef2ca98ae809bf836c6f1767cc426.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bb1ef2ca98ae809bf836c6f1767cc426b" /sc MINUTE /mo 6 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\bb1ef2ca98ae809bf836c6f1767cc426.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\TableTextService\es-ES\dwm.exe
Filesize
827KB

MD5
bb1ef2ca98ae809bf836c6f1767cc426

SHA1
3ec5f3acbf39a52ae978cfe6d440090e6e7e85d6

SHA256
5232c6db5c412780ace4c035be6bde85e2ff91f4d5699f849b028939dc39cf74

SHA512
c3d9a6ceaff7bfdca46cd115aad4ed0739cfdef2809149a29e5eca26a0a5cc9bedd0225adc17d6c4fb344a3edf0e553d24fdba63a34e820dcd8144453985e7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\38AYcXL9f1.bat
Filesize
201B

MD5
70b5daaabbd13ae7fd5a1dc4e1ad6700

SHA1
0441fa3d297f5131e166e4a93d2e473fe836fded

SHA256
ea8827afb38a01bc4e0854223df9701f370396398bb2343fdd65c6859bb08cdc

SHA512
2434bc2f792663b1ae3f5ebbe3c5383bb4421082ff716d38468302f1c9e21c5d1646949efe575e622d3513f543ddf733e9601e94f0f11f09b584ec6f145546f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yDWQnRz0r7.bat
Filesize
235B

MD5
11fde025d8661c9c8fa65d3e1abd7ab3

SHA1
2fa2ea0d215caa41ceaa624bbb617ef537922f54

SHA256
6686b68c0eb2f7e67e6f89a6b21c72c8d147f21a01f97f066a326c66e2228e7a

SHA512
2437801cbb5bb85c174969ec5041ad0467ae1e152ef71e7e229d2f32ffdf807b1be2451d35c77d0c2dbd1365bfdd9b20583fc3e481b3911b20160bc518244a3a

Download Submit
C:\Users\Default\Favorites\lsass.exe
Filesize
827KB

MD5
bb1ef2ca98ae809bf836c6f1767cc426

SHA1
3ec5f3acbf39a52ae978cfe6d440090e6e7e85d6

SHA256
5232c6db5c412780ace4c035be6bde85e2ff91f4d5699f849b028939dc39cf74

SHA512
c3d9a6ceaff7bfdca46cd115aad4ed0739cfdef2809149a29e5eca26a0a5cc9bedd0225adc17d6c4fb344a3edf0e553d24fdba63a34e820dcd8144453985e7cc

Download Submit
C:\Users\Default\Favorites\lsass.exe
Filesize
827KB

MD5
bb1ef2ca98ae809bf836c6f1767cc426

SHA1
3ec5f3acbf39a52ae978cfe6d440090e6e7e85d6

SHA256
5232c6db5c412780ace4c035be6bde85e2ff91f4d5699f849b028939dc39cf74

SHA512
c3d9a6ceaff7bfdca46cd115aad4ed0739cfdef2809149a29e5eca26a0a5cc9bedd0225adc17d6c4fb344a3edf0e553d24fdba63a34e820dcd8144453985e7cc

Download Submit
memory/1536-98-0x0000000001240000-0x0000000001316000-memory.dmp

Filesize
856KB

Download
memory/1536-99-0x000000001A9E0000-0x000000001AA60000-memory.dmp

Filesize
512KB

Download
memory/1536-100-0x000000001A9E0000-0x000000001AA60000-memory.dmp

Filesize
512KB

Download
memory/1936-65-0x0000000000840000-0x0000000000916000-memory.dmp

Filesize
856KB

Download
memory/1936-78-0x000000001A990000-0x000000001AA10000-memory.dmp

Filesize
512KB

Download
memory/2024-54-0x0000000000280000-0x0000000000356000-memory.dmp

Filesize
856KB

Download
memory/2024-57-0x000000001AEA0000-0x000000001AF20000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads