dcrat | 7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2023, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

333413d3a10dbf3bf121d1ab4b866346.exe
Size

2.3MB
MD5

333413d3a10dbf3bf121d1ab4b866346
SHA1

e4ab9d6bbc56e1c48c2a444cf885833af963fd09
SHA256

7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842
SHA512

59f4248caeab1f870b0614930ba3894e30716c938df35894f25372257d608135b3c93d233edcb3fd6b8f3e391925612880d5c4e5b65336d3be5aa0d026381c20
SSDEEP

49152:INaBz16Zarg7zdXaCVCPr5szFTBwWGZfr9KWz/:Ia8YQsfPrUlyWGF4Wz/

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat 61 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1364	schtasks.exe
		3996	schtasks.exe
		1752	schtasks.exe
		4828	schtasks.exe
		3380	schtasks.exe
		220	schtasks.exe
		2832	schtasks.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\ea9f0e6c9e2dcd		333413d3a10dbf3bf121d1ab4b866346.exe
		1424	schtasks.exe
		4496	schtasks.exe
		4256	schtasks.exe
		4556	schtasks.exe
		836	schtasks.exe
		2972	schtasks.exe
		2384	schtasks.exe
		3036	schtasks.exe
		3056	schtasks.exe
		1608	schtasks.exe
		1872	schtasks.exe
		2492	schtasks.exe
		3232	schtasks.exe
		4700	schtasks.exe
		4960	schtasks.exe
		416	schtasks.exe
		4712	schtasks.exe
		3852	schtasks.exe
		4848	schtasks.exe
		2860	schtasks.exe
		3544	schtasks.exe
		4344	schtasks.exe
		684	schtasks.exe
		4604	schtasks.exe
		524	schtasks.exe
		4512	schtasks.exe
		5072	schtasks.exe
		4608	schtasks.exe
		5064	schtasks.exe
		4636	schtasks.exe
		3380	schtasks.exe
		1992	schtasks.exe
		4684	schtasks.exe
		1116	schtasks.exe
		4304	schtasks.exe
		3216	schtasks.exe
		4308	schtasks.exe
		868	schtasks.exe
		1420	schtasks.exe
		2092	schtasks.exe
		3236	schtasks.exe
		4156	schtasks.exe
		2120	schtasks.exe
		2372	schtasks.exe
		3708	schtasks.exe
		2572	schtasks.exe
		1968	schtasks.exe
		2516	schtasks.exe
		3264	schtasks.exe
		4844	schtasks.exe
		2360	schtasks.exe
		2164	schtasks.exe
		4876	schtasks.exe

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	2908	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	2908	schtasks.exe	85

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2728-133-0x0000000000280000-0x00000000004D2000-memory.dmp	dcrat
behavioral2/files/0x0006000000023276-151.dat	dcrat
behavioral2/files/0x000600000002328d-190.dat	dcrat
behavioral2/files/0x000600000002328d-191.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	333413d3a10dbf3bf121d1ab4b866346.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	333413d3a10dbf3bf121d1ab4b866346.exe

Executes dropped EXE 1 IoCs

pid	Process
1956	winlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\smss.exe	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Program Files\Windows Security\e6c9b481da804f	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\121e5b5079f7c0	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Program Files\Java\c5b4cb5e9653cc	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\5b884080fd4f94	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Program Files\Windows Security\OfficeClickToRun.exe	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\ea9f0e6c9e2dcd	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Program Files\Java\services.exe	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\Registry.exe	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\ee2ad38f3d4382	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe	333413d3a10dbf3bf121d1ab4b866346.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\cc11b995f2a76d	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Windows\Cursors\backgroundTaskHost.exe	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Windows\Cursors\eddb19405b7ce1	333413d3a10dbf3bf121d1ab4b866346.exe
File created	C:\Windows\fr-FR\winlogon.exe	333413d3a10dbf3bf121d1ab4b866346.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5064	schtasks.exe
1992	schtasks.exe
3216	schtasks.exe
3708	schtasks.exe
1872	schtasks.exe
3996	schtasks.exe
2860	schtasks.exe
836	schtasks.exe
1608	schtasks.exe
1420	schtasks.exe
524	schtasks.exe
3036	schtasks.exe
4712	schtasks.exe
4496	schtasks.exe
4876	schtasks.exe
5072	schtasks.exe
3264	schtasks.exe
4608	schtasks.exe
2832	schtasks.exe
4684	schtasks.exe
416	schtasks.exe
3232	schtasks.exe
1364	schtasks.exe
3852	schtasks.exe
4308	schtasks.exe
2384	schtasks.exe
4848	schtasks.exe
2372	schtasks.exe
4556	schtasks.exe
220	schtasks.exe
4700	schtasks.exe
2360	schtasks.exe
4344	schtasks.exe
4512	schtasks.exe
4828	schtasks.exe
3544	schtasks.exe
1116	schtasks.exe
3056	schtasks.exe
684	schtasks.exe
2492	schtasks.exe
2516	schtasks.exe
868	schtasks.exe
2120	schtasks.exe
1968	schtasks.exe
2164	schtasks.exe
3380	schtasks.exe
2092	schtasks.exe
3236	schtasks.exe
4960	schtasks.exe
1752	schtasks.exe
4844	schtasks.exe
3380	schtasks.exe
2972	schtasks.exe
4304	schtasks.exe
4256	schtasks.exe
4156	schtasks.exe
4604	schtasks.exe
1424	schtasks.exe
2572	schtasks.exe
4636	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	333413d3a10dbf3bf121d1ab4b866346.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2728	333413d3a10dbf3bf121d1ab4b866346.exe
2728	333413d3a10dbf3bf121d1ab4b866346.exe
2728	333413d3a10dbf3bf121d1ab4b866346.exe
4616	333413d3a10dbf3bf121d1ab4b866346.exe
4616	333413d3a10dbf3bf121d1ab4b866346.exe
4616	333413d3a10dbf3bf121d1ab4b866346.exe
4616	333413d3a10dbf3bf121d1ab4b866346.exe
4616	333413d3a10dbf3bf121d1ab4b866346.exe
4616	333413d3a10dbf3bf121d1ab4b866346.exe
4616	333413d3a10dbf3bf121d1ab4b866346.exe
4616	333413d3a10dbf3bf121d1ab4b866346.exe
1956	winlogon.exe
1956	winlogon.exe
1956	winlogon.exe
1956	winlogon.exe
1956	winlogon.exe
1956	winlogon.exe
1956	winlogon.exe
1956	winlogon.exe
1956	winlogon.exe
1956	winlogon.exe
1956	winlogon.exe
1956	winlogon.exe
1956	winlogon.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	333413d3a10dbf3bf121d1ab4b866346.exe
Token: SeDebugPrivilege	4616	333413d3a10dbf3bf121d1ab4b866346.exe
Token: SeDebugPrivilege	1956	winlogon.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 4616	2728	333413d3a10dbf3bf121d1ab4b866346.exe	92
PID 2728 wrote to memory of 4616	2728	333413d3a10dbf3bf121d1ab4b866346.exe	92
PID 4616 wrote to memory of 748	4616	333413d3a10dbf3bf121d1ab4b866346.exe	153
PID 4616 wrote to memory of 748	4616	333413d3a10dbf3bf121d1ab4b866346.exe	153
PID 748 wrote to memory of 4916	748	cmd.exe	155
PID 748 wrote to memory of 4916	748	cmd.exe	155
PID 748 wrote to memory of 1956	748	cmd.exe	158
PID 748 wrote to memory of 1956	748	cmd.exe	158

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\333413d3a10dbf3bf121d1ab4b866346.exe
"C:\Users\Admin\AppData\Local\Temp\333413d3a10dbf3bf121d1ab4b866346.exe"
1⤵
- DcRat
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\333413d3a10dbf3bf121d1ab4b866346.exe
  "C:\Users\Admin\AppData\Local\Temp\333413d3a10dbf3bf121d1ab4b866346.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3D0oSQVkyc.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:4916
  - - C:\Windows\fr-FR\winlogon.exe
      "C:\Windows\fr-FR\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\odt\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre1.8.0_66\bin\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Java\jre1.8.0_66\bin\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre1.8.0_66\bin\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Security\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\odt\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Cursors\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\333413d3a10dbf3bf121d1ab4b866346.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D0oSQVkyc.bat

Filesize
194B

MD5
716e0e12a56bc8634013e438b5b8fd62

SHA1
7e50b6df5eab87756659979d5c6253e0e7bfae4b

SHA256
d5f44d470b7b405013c2d8b61b3dc2293b0d97e9151ff2c3269d1540b6618ad7

SHA512
e3b2ede0ca888c1f154b5263c9867d38190f6b7ff10382dcc0b9a4f686d4d5696dfedaac576a91e1f148b3657f58ef8ec563ccb2b221617fe036a3b67c57bbf0

Download Submit
C:\Windows\fr-FR\winlogon.exe

Filesize
2.3MB

MD5
333413d3a10dbf3bf121d1ab4b866346

SHA1
e4ab9d6bbc56e1c48c2a444cf885833af963fd09

SHA256
7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842

SHA512
59f4248caeab1f870b0614930ba3894e30716c938df35894f25372257d608135b3c93d233edcb3fd6b8f3e391925612880d5c4e5b65336d3be5aa0d026381c20

Download Submit
C:\Windows\fr-FR\winlogon.exe

Filesize
2.3MB

MD5
333413d3a10dbf3bf121d1ab4b866346

SHA1
e4ab9d6bbc56e1c48c2a444cf885833af963fd09

SHA256
7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842

SHA512
59f4248caeab1f870b0614930ba3894e30716c938df35894f25372257d608135b3c93d233edcb3fd6b8f3e391925612880d5c4e5b65336d3be5aa0d026381c20

Download Submit
C:\odt\WmiPrvSE.exe

Filesize
2.3MB

MD5
333413d3a10dbf3bf121d1ab4b866346

SHA1
e4ab9d6bbc56e1c48c2a444cf885833af963fd09

SHA256
7ca900970ade7ffa3ce2cfb9e45f90575e361053749dc0cc3406bd2bebaff842

SHA512
59f4248caeab1f870b0614930ba3894e30716c938df35894f25372257d608135b3c93d233edcb3fd6b8f3e391925612880d5c4e5b65336d3be5aa0d026381c20

Download Submit
memory/1956-233-0x000000001B5F0000-0x000000001B600000-memory.dmp

Filesize
64KB

Download
memory/1956-232-0x00007FFCFB780000-0x00007FFCFC241000-memory.dmp

Filesize
10.8MB

Download
memory/1956-193-0x000000001B5F0000-0x000000001B600000-memory.dmp

Filesize
64KB

Download
memory/1956-192-0x00007FFCFB780000-0x00007FFCFC241000-memory.dmp

Filesize
10.8MB

Download
memory/2728-137-0x000000001BE30000-0x000000001C358000-memory.dmp

Filesize
5.2MB

Download
memory/2728-144-0x00007FFCFBAD0000-0x00007FFCFC591000-memory.dmp

Filesize
10.8MB

Download
memory/2728-133-0x0000000000280000-0x00000000004D2000-memory.dmp

Filesize
2.3MB

Download
memory/2728-136-0x000000001B060000-0x000000001B0B0000-memory.dmp

Filesize
320KB

Download
memory/2728-135-0x000000001B100000-0x000000001B110000-memory.dmp

Filesize
64KB

Download
memory/2728-134-0x00007FFCFBAD0000-0x00007FFCFC591000-memory.dmp

Filesize
10.8MB

Download
memory/4616-187-0x00007FFCFBAD0000-0x00007FFCFC591000-memory.dmp

Filesize
10.8MB

Download
memory/4616-146-0x0000000002D10000-0x0000000002D20000-memory.dmp

Filesize
64KB

Download
memory/4616-145-0x00007FFCFBAD0000-0x00007FFCFC591000-memory.dmp

Filesize
10.8MB

Download