dcrat | db9e61ab56d0cf5aecdbd7d8c70e32cca3bcbc4dded1576e99e5f45a6016ab02

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/07/2023, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

3.7MB
MD5

e518d35ec5fc430fa09ecf844aadcc6c
SHA1

a27e6eedfc527d7db7dcd3298bd078897eed1936
SHA256

db9e61ab56d0cf5aecdbd7d8c70e32cca3bcbc4dded1576e99e5f45a6016ab02
SHA512

6e35934b39221267ac6b03bb1630860bee01cdd8834081a0c45f201ec7ccab0db1d3edfb107cc74de481e7bfa04b39bdfe39716b0fc0d2fa9aad299281f57dca
SSDEEP

49152:nRA3JTjxBWia+uZxlIJJ7KniN/QCRsdR7uPlaIc0gIc0vTvUPRTLGFUOwN:nRWTjWi5uHA4niBQzf7nIhgxcknGFfwN

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 41 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2372	schtasks.exe
		588	schtasks.exe
		2716	schtasks.exe
		1660	schtasks.exe
		2384	schtasks.exe
		2036	schtasks.exe
		616	schtasks.exe
		920	schtasks.exe
		1568	schtasks.exe
		2764	schtasks.exe
		1560	schtasks.exe
		544	schtasks.exe
		1584	schtasks.exe
		1156	schtasks.exe
		1768	schtasks.exe
		2796	schtasks.exe
		2204	schtasks.exe
		1096	schtasks.exe
		2536	schtasks.exe
		1244	schtasks.exe
		2768	schtasks.exe
		2088	schtasks.exe
		1824	schtasks.exe
		2816	schtasks.exe
		2420	schtasks.exe
		2656	schtasks.exe
File created	C:\Windows\Resources\Themes\Aero\es-ES\27d1bcfc3c54e0		RefHost.exe
		332	schtasks.exe
		1800	schtasks.exe
		2896	schtasks.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72		RefHost.exe
		2032	schtasks.exe
		1060	schtasks.exe
		2540	schtasks.exe
		644	schtasks.exe
		1600	schtasks.exe
		1312	schtasks.exe
		1724	schtasks.exe
		972	schtasks.exe
		2444	schtasks.exe
		1656	schtasks.exe

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2748	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000a00000001483c-65.dat	dcrat
behavioral1/files/0x000a00000001483c-68.dat	dcrat
behavioral1/files/0x000a00000001483c-67.dat	dcrat
behavioral1/files/0x000a00000001483c-66.dat	dcrat
behavioral1/memory/3000-70-0x0000000000930000-0x0000000000C0C000-memory.dmp	dcrat
behavioral1/files/0x0006000000015655-96.dat	dcrat
behavioral1/files/0x000a00000001483c-110.dat	dcrat
behavioral1/memory/948-111-0x00000000010C0000-0x000000000139C000-memory.dmp	dcrat
behavioral1/files/0x0006000000016ba6-135.dat	dcrat
behavioral1/files/0x0006000000016ba6-136.dat	dcrat
behavioral1/memory/1944-137-0x0000000000D40000-0x000000000101C000-memory.dmp	dcrat
behavioral1/memory/1944-151-0x000000001B150000-0x000000001B1D0000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
3000	RefHost.exe
948	RefHost.exe
1944	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2108	cmd.exe
2108	cmd.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\WMIADAP.exe	RefHost.exe
File created	C:\Program Files\Common Files\System\75a57c1bdf437c	RefHost.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe	RefHost.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72	RefHost.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe	RefHost.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6ccacd8608530f	RefHost.exe
File created	C:\Program Files\Windows Portable Devices\lsass.exe	RefHost.exe
File created	C:\Program Files\Windows Portable Devices\6203df4a6bafc7	RefHost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\Aero\es-ES\System.exe	RefHost.exe
File created	C:\Windows\Resources\Themes\Aero\es-ES\27d1bcfc3c54e0	RefHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2036	schtasks.exe
1800	schtasks.exe
2088	schtasks.exe
2816	schtasks.exe
1724	schtasks.exe
588	schtasks.exe
2716	schtasks.exe
2764	schtasks.exe
2656	schtasks.exe
1244	schtasks.exe
2536	schtasks.exe
332	schtasks.exe
2444	schtasks.exe
644	schtasks.exe
2796	schtasks.exe
1568	schtasks.exe
1560	schtasks.exe
2420	schtasks.exe
2768	schtasks.exe
2204	schtasks.exe
1768	schtasks.exe
1584	schtasks.exe
2384	schtasks.exe
1312	schtasks.exe
616	schtasks.exe
2896	schtasks.exe
1096	schtasks.exe
1600	schtasks.exe
1156	schtasks.exe
1656	schtasks.exe
1660	schtasks.exe
920	schtasks.exe
972	schtasks.exe
2540	schtasks.exe
544	schtasks.exe
1060	schtasks.exe
2032	schtasks.exe
1824	schtasks.exe
2372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3000	RefHost.exe
3000	RefHost.exe
3000	RefHost.exe
3000	RefHost.exe
3000	RefHost.exe
3000	RefHost.exe
3000	RefHost.exe
3000	RefHost.exe
3000	RefHost.exe
3000	RefHost.exe
3000	RefHost.exe
3000	RefHost.exe
3000	RefHost.exe
3000	RefHost.exe
3000	RefHost.exe
948	RefHost.exe
948	RefHost.exe
948	RefHost.exe
948	RefHost.exe
948	RefHost.exe
948	RefHost.exe
948	RefHost.exe
948	RefHost.exe
948	RefHost.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe
1944	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1944	Idle.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	RefHost.exe
Token: SeDebugPrivilege	948	RefHost.exe
Token: SeDebugPrivilege	1944	Idle.exe
Token: SeBackupPrivilege	2948	vssvc.exe
Token: SeRestorePrivilege	2948	vssvc.exe
Token: SeAuditPrivilege	2948	vssvc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2148	3068	tmp.exe	28
PID 3068 wrote to memory of 2148	3068	tmp.exe	28
PID 3068 wrote to memory of 2148	3068	tmp.exe	28
PID 3068 wrote to memory of 2148	3068	tmp.exe	28
PID 2148 wrote to memory of 2108	2148	WScript.exe	31
PID 2148 wrote to memory of 2108	2148	WScript.exe	31
PID 2148 wrote to memory of 2108	2148	WScript.exe	31
PID 2148 wrote to memory of 2108	2148	WScript.exe	31
PID 2108 wrote to memory of 3000	2108	cmd.exe	33
PID 2108 wrote to memory of 3000	2108	cmd.exe	33
PID 2108 wrote to memory of 3000	2108	cmd.exe	33
PID 2108 wrote to memory of 3000	2108	cmd.exe	33
PID 3000 wrote to memory of 268	3000	RefHost.exe	53
PID 3000 wrote to memory of 268	3000	RefHost.exe	53
PID 3000 wrote to memory of 268	3000	RefHost.exe	53
PID 268 wrote to memory of 344	268	cmd.exe	55
PID 268 wrote to memory of 344	268	cmd.exe	55
PID 268 wrote to memory of 344	268	cmd.exe	55
PID 268 wrote to memory of 948	268	cmd.exe	56
PID 268 wrote to memory of 948	268	cmd.exe	56
PID 268 wrote to memory of 948	268	cmd.exe	56
PID 948 wrote to memory of 1528	948	RefHost.exe	78
PID 948 wrote to memory of 1528	948	RefHost.exe	78
PID 948 wrote to memory of 1528	948	RefHost.exe	78
PID 1528 wrote to memory of 2020	1528	cmd.exe	80
PID 1528 wrote to memory of 2020	1528	cmd.exe	80
PID 1528 wrote to memory of 2020	1528	cmd.exe	80
PID 1528 wrote to memory of 1944	1528	cmd.exe	81
PID 1528 wrote to memory of 1944	1528	cmd.exe	81
PID 1528 wrote to memory of 1944	1528	cmd.exe	81
PID 1944 wrote to memory of 2888	1944	Idle.exe	82
PID 1944 wrote to memory of 2888	1944	Idle.exe	82
PID 1944 wrote to memory of 2888	1944	Idle.exe	82
PID 1944 wrote to memory of 2600	1944	Idle.exe	83
PID 1944 wrote to memory of 2600	1944	Idle.exe	83
PID 1944 wrote to memory of 2600	1944	Idle.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\containerReview\9bppiLDkynZOF8PbVHmbLk.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\containerReview\OXQ86avfgsO.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\containerReview\RefHost.exe
      "C:\containerReview\RefHost.exe"
      4⤵
      DcRat
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7BGbiaqdIl.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:268
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:344
      - C:\containerReview\RefHost.exe
        
        "C:\containerReview\RefHost.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wxi69GYnss.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2020
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6acaed77-ae93-42d1-8879-71a4b88b13fa.vbs"
        9⤵
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b798340f-a98f-436c-941e-6a6f43390d3f.vbs"
        9⤵
        
        PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\a63616e2-20ee-11ee-b36a-95109afc38eb\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\a63616e2-20ee-11ee-b36a-95109afc38eb\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\a63616e2-20ee-11ee-b36a-95109afc38eb\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\containerReview\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\containerReview\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\containerReview\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Themes\Aero\es-ES\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\Aero\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\a63616e2-20ee-11ee-b36a-95109afc38eb\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\a63616e2-20ee-11ee-b36a-95109afc38eb\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\a63616e2-20ee-11ee-b36a-95109afc38eb\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RefHostR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\RefHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RefHost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\RefHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RefHostR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\RefHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Videos\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe

Filesize
2.8MB

MD5
db5c6b8fc7a076d4d7d31c28c69de589

SHA1
1c0f534e98f117660615f0d29ae10f5230153e49

SHA256
5ff117c3b609dfc143010b5e48ac3f8c7a959165ccf60ab079916dccc2dcb439

SHA512
f3e3252fec72538933a244c3e5ff59ce086f8976e823f1460ff351e7e194836597c586d934204a2a5309bcf0b44607ef6b80ce9987bbc60d9d0ebc908575cce2

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe

Filesize
2.8MB

MD5
db5c6b8fc7a076d4d7d31c28c69de589

SHA1
1c0f534e98f117660615f0d29ae10f5230153e49

SHA256
5ff117c3b609dfc143010b5e48ac3f8c7a959165ccf60ab079916dccc2dcb439

SHA512
f3e3252fec72538933a244c3e5ff59ce086f8976e823f1460ff351e7e194836597c586d934204a2a5309bcf0b44607ef6b80ce9987bbc60d9d0ebc908575cce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6acaed77-ae93-42d1-8879-71a4b88b13fa.vbs

Filesize
744B

MD5
ec2be8723efa167883875848b813f9f0

SHA1
681ce2c64ebd8ba2cdae57f64891a0f058c21278

SHA256
a1d281b1d21985105cef5841dac044f66426d7b633f17429f51984da0ff93b4b

SHA512
ce0c91e57a209b669c57022cf8759fd046ac190ff1e4a930ddc863fa14b35cf87d4daeb7355505c206a6b94cb67e50578874971560d612e4713054c05ee5ca4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BGbiaqdIl.bat

Filesize
195B

MD5
c61d08c6fd878383879d7acc5e5d58c5

SHA1
d16952cee85ab211f5e921af0068631d053f460b

SHA256
06df751baeb2cb567bc532d535f55578d808a4ff7e6013b2a7af94aa30f670cf

SHA512
48ac014c33fabe06f4c630c1febeba8939ae28c5d624e70fc6eebb23348e2d7156dca8d9580eeaa33a3da93e7a2502ced661c4e6948cd4ecef6081ab513ed10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wxi69GYnss.bat

Filesize
233B

MD5
d6452d20128525c62dd1396685700f2c

SHA1
a6b2822bc49c9f2f0d53af3f3edf9737325bf206

SHA256
778cf22b5b6a2c00a1eb30507e7efba84202129c712c671264b996a9a13a8d76

SHA512
f19d52aea4f53496ebda401ca08aef5f013625d2f232a746155333412bfb806682fc337372df910a9415c071ae9f26928307be62a95221fcb33b0d450381ce51

Download Submit
C:\Users\Admin\AppData\Local\Temp\b798340f-a98f-436c-941e-6a6f43390d3f.vbs

Filesize
520B

MD5
695840e7c7faa62aa1140dc8dbddc414

SHA1
8daf76cee8d004bf59e56428bd9764f56eb298d1

SHA256
76d40573bb29832120edd60aeb2db1b278e1fc52b2431ee489688aad97b02b4e

SHA512
04ae4bc0a8d2a57c231c936eb24b83ca7b4ea953f63db94258877598334d20eb3f160569b9af3650823e75660e75c3c6173bafb86526127462f3e7fec74acff2

Download Submit
C:\Windows\Resources\Themes\Aero\es-ES\System.exe

Filesize
2.8MB

MD5
db5c6b8fc7a076d4d7d31c28c69de589

SHA1
1c0f534e98f117660615f0d29ae10f5230153e49

SHA256
5ff117c3b609dfc143010b5e48ac3f8c7a959165ccf60ab079916dccc2dcb439

SHA512
f3e3252fec72538933a244c3e5ff59ce086f8976e823f1460ff351e7e194836597c586d934204a2a5309bcf0b44607ef6b80ce9987bbc60d9d0ebc908575cce2

Download Submit
C:\containerReview\9bppiLDkynZOF8PbVHmbLk.vbe

Filesize
203B

MD5
10a33466002a6b1a0371e1e213ef1e76

SHA1
3357bc77776660315053faa706a403e14e2c4b33

SHA256
05427cc76b13d159fd7b41d8806368259b2195dad9df39b7f5f91361143273b3

SHA512
690319bbd200e1776ef93e3b0c322136be83b3960b57de10c65573433e451dc28341e426e0eca1a003441cf1e7702392c99dc800fa68f3b045c4b7e45a4eea04

Download Submit
C:\containerReview\OXQ86avfgsO.bat

Filesize
32B

MD5
20712e05e1d21aa38267bcc8284e8851

SHA1
4724f853b3bc508a82ff5bc48bec37f3eb22f69f

SHA256
c5a04e01066ed88a7a5dc3efd963adf2a2984864cc79e3a9e3a298a5ca30e2b9

SHA512
e98cb314476cd615a1f7cf5d030f25d99096fcb3fb22b6abcb0fef9b7c0875c739bf59fc8d4077733f87662955016929cbc773897c934dcf118e9c832c49f6e6

Download Submit
C:\containerReview\RefHost.exe

Filesize
2.8MB

MD5
db5c6b8fc7a076d4d7d31c28c69de589

SHA1
1c0f534e98f117660615f0d29ae10f5230153e49

SHA256
5ff117c3b609dfc143010b5e48ac3f8c7a959165ccf60ab079916dccc2dcb439

SHA512
f3e3252fec72538933a244c3e5ff59ce086f8976e823f1460ff351e7e194836597c586d934204a2a5309bcf0b44607ef6b80ce9987bbc60d9d0ebc908575cce2

Download Submit
C:\containerReview\RefHost.exe

Filesize
2.8MB

MD5
db5c6b8fc7a076d4d7d31c28c69de589

SHA1
1c0f534e98f117660615f0d29ae10f5230153e49

SHA256
5ff117c3b609dfc143010b5e48ac3f8c7a959165ccf60ab079916dccc2dcb439

SHA512
f3e3252fec72538933a244c3e5ff59ce086f8976e823f1460ff351e7e194836597c586d934204a2a5309bcf0b44607ef6b80ce9987bbc60d9d0ebc908575cce2

Download Submit
C:\containerReview\RefHost.exe

Filesize
2.8MB

MD5
db5c6b8fc7a076d4d7d31c28c69de589

SHA1
1c0f534e98f117660615f0d29ae10f5230153e49

SHA256
5ff117c3b609dfc143010b5e48ac3f8c7a959165ccf60ab079916dccc2dcb439

SHA512
f3e3252fec72538933a244c3e5ff59ce086f8976e823f1460ff351e7e194836597c586d934204a2a5309bcf0b44607ef6b80ce9987bbc60d9d0ebc908575cce2

Download Submit
\containerReview\RefHost.exe

Filesize
2.8MB

MD5
db5c6b8fc7a076d4d7d31c28c69de589

SHA1
1c0f534e98f117660615f0d29ae10f5230153e49

SHA256
5ff117c3b609dfc143010b5e48ac3f8c7a959165ccf60ab079916dccc2dcb439

SHA512
f3e3252fec72538933a244c3e5ff59ce086f8976e823f1460ff351e7e194836597c586d934204a2a5309bcf0b44607ef6b80ce9987bbc60d9d0ebc908575cce2

Download Submit
\containerReview\RefHost.exe

Filesize
2.8MB

MD5
db5c6b8fc7a076d4d7d31c28c69de589

SHA1
1c0f534e98f117660615f0d29ae10f5230153e49

SHA256
5ff117c3b609dfc143010b5e48ac3f8c7a959165ccf60ab079916dccc2dcb439

SHA512
f3e3252fec72538933a244c3e5ff59ce086f8976e823f1460ff351e7e194836597c586d934204a2a5309bcf0b44607ef6b80ce9987bbc60d9d0ebc908575cce2

Download Submit
memory/948-134-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/948-114-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/948-113-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download
memory/948-112-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/948-111-0x00000000010C0000-0x000000000139C000-memory.dmp

Filesize
2.9MB

Download
memory/1944-138-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/1944-137-0x0000000000D40000-0x000000000101C000-memory.dmp

Filesize
2.9MB

Download
memory/1944-139-0x000000001B150000-0x000000001B1D0000-memory.dmp

Filesize
512KB

Download
memory/1944-140-0x00000000004C0000-0x0000000000516000-memory.dmp

Filesize
344KB

Download
memory/1944-150-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/1944-151-0x000000001B150000-0x000000001B1D0000-memory.dmp

Filesize
512KB

Download
memory/3000-73-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/3000-80-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/3000-88-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/3000-89-0x00000000008F0000-0x00000000008F8000-memory.dmp

Filesize
32KB

Download
memory/3000-90-0x0000000000900000-0x000000000090A000-memory.dmp

Filesize
40KB

Download
memory/3000-91-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/3000-86-0x00000000008C0000-0x00000000008CA000-memory.dmp

Filesize
40KB

Download
memory/3000-108-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/3000-85-0x00000000008B0000-0x00000000008BC000-memory.dmp

Filesize
48KB

Download
memory/3000-84-0x0000000000700000-0x0000000000708000-memory.dmp

Filesize
32KB

Download
memory/3000-83-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/3000-82-0x00000000006E0000-0x00000000006EC000-memory.dmp

Filesize
48KB

Download
memory/3000-81-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/3000-87-0x00000000008D0000-0x00000000008DE000-memory.dmp

Filesize
56KB

Download
memory/3000-79-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/3000-78-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/3000-77-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/3000-76-0x00000000004D0000-0x0000000000526000-memory.dmp

Filesize
344KB

Download
memory/3000-75-0x00000000002F0000-0x0000000000306000-memory.dmp

Filesize
88KB

Download
memory/3000-74-0x0000000000150000-0x0000000000160000-memory.dmp

Filesize
64KB

Download
memory/3000-70-0x0000000000930000-0x0000000000C0C000-memory.dmp

Filesize
2.9MB

Download
memory/3000-72-0x0000000000140000-0x000000000014E000-memory.dmp

Filesize
56KB

Download
memory/3000-71-0x000000001B200000-0x000000001B280000-memory.dmp

Filesize
512KB

Download
memory/3000-69-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/3068-54-0x0000000000400000-0x00000000006CD000-memory.dmp

Filesize
2.8MB

Download
memory/3068-62-0x0000000000400000-0x00000000006CD000-memory.dmp

Filesize
2.8MB

Download