dcrat | ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 17:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Size

1.8MB
MD5

042131ad58f4624f9722ce342319396b
SHA1

e55031479a1a376eb230d91ae3352dfb24b5abaf
SHA256

ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1
SHA512

aaed88b7be43daa14798b867c3ec3c67c0c079bb50a496ff0ecf4db7709f77917882c9d8f02ad0e6b090ce5a3dca8e644948631b539aaca3885908df92e34505
SSDEEP

24576:hV2ut7GyxsE5HOT3RcchdduLG0ZAQo0wRBq+QEf9oDGIv:bjtFsRcQdiG0ZvcuGy

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 41 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		276	schtasks.exe
		2924	schtasks.exe
		2580	schtasks.exe
		1416	schtasks.exe
		1956	schtasks.exe
		2920	schtasks.exe
		2272	schtasks.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\7a0fd90576e088		NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
		2984	schtasks.exe
		1936	schtasks.exe
		2992	schtasks.exe
		1512	schtasks.exe
		1724	schtasks.exe
		2832	schtasks.exe
		2660	schtasks.exe
		2648	schtasks.exe
		1012	schtasks.exe
		1408	schtasks.exe
		760	schtasks.exe
		788	schtasks.exe
		2208	schtasks.exe
		1040	schtasks.exe
		2308	schtasks.exe
		2876	schtasks.exe
		1368	schtasks.exe
		2536	schtasks.exe
		2268	schtasks.exe
File created	C:\Program Files\Windows Media Player\Icons\sppsvc.exe		NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
		2380	schtasks.exe
		2960	schtasks.exe
		2668	schtasks.exe
		2172	schtasks.exe
		2940	schtasks.exe
		2688	schtasks.exe
		436	schtasks.exe
		1912	schtasks.exe
		1768	schtasks.exe
		2908	schtasks.exe
		564	schtasks.exe
		1644	schtasks.exe
		1064	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsass.exe\", \"C:\\Windows\\security\\audit\\explorer.exe\", \"C:\\Recovery\\d10510a2-6fc3-11ee-bc6f-a02387f916ed\\taskhost.exe\", \"C:\\Windows\\Logs\\DPX\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\", \"C:\\Windows\\de-DE\\dwm.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\lsass.exe\", \"C:\\Program Files\\Java\\winlogon.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsass.exe\", \"C:\\Windows\\security\\audit\\explorer.exe\", \"C:\\Recovery\\d10510a2-6fc3-11ee-bc6f-a02387f916ed\\taskhost.exe\", \"C:\\Windows\\Logs\\DPX\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\", \"C:\\Windows\\de-DE\\dwm.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\lsass.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsass.exe\", \"C:\\Windows\\security\\audit\\explorer.exe\", \"C:\\Recovery\\d10510a2-6fc3-11ee-bc6f-a02387f916ed\\taskhost.exe\", \"C:\\Windows\\Logs\\DPX\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\", \"C:\\Windows\\de-DE\\dwm.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\lsass.exe\", \"C:\\Program Files\\Java\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\dwm.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsass.exe\", \"C:\\Windows\\security\\audit\\explorer.exe\", \"C:\\Recovery\\d10510a2-6fc3-11ee-bc6f-a02387f916ed\\taskhost.exe\", \"C:\\Windows\\Logs\\DPX\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\", \"C:\\Windows\\de-DE\\dwm.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\lsass.exe\", \"C:\\Program Files\\Java\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsass.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsass.exe\", \"C:\\Windows\\security\\audit\\explorer.exe\", \"C:\\Recovery\\d10510a2-6fc3-11ee-bc6f-a02387f916ed\\taskhost.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsass.exe\", \"C:\\Windows\\security\\audit\\explorer.exe\", \"C:\\Recovery\\d10510a2-6fc3-11ee-bc6f-a02387f916ed\\taskhost.exe\", \"C:\\Windows\\Logs\\DPX\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsass.exe\", \"C:\\Windows\\security\\audit\\explorer.exe\", \"C:\\Recovery\\d10510a2-6fc3-11ee-bc6f-a02387f916ed\\taskhost.exe\", \"C:\\Windows\\Logs\\DPX\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\", \"C:\\Windows\\de-DE\\dwm.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsass.exe\", \"C:\\Windows\\security\\audit\\explorer.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsass.exe\", \"C:\\Windows\\security\\audit\\explorer.exe\", \"C:\\Recovery\\d10510a2-6fc3-11ee-bc6f-a02387f916ed\\taskhost.exe\", \"C:\\Windows\\Logs\\DPX\\lsm.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsass.exe\", \"C:\\Windows\\security\\audit\\explorer.exe\", \"C:\\Recovery\\d10510a2-6fc3-11ee-bc6f-a02387f916ed\\taskhost.exe\", \"C:\\Windows\\Logs\\DPX\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\", \"C:\\Windows\\de-DE\\dwm.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\", \"C:\\MSOCache\\All Users\\lsass.exe\", \"C:\\Windows\\security\\audit\\explorer.exe\", \"C:\\Recovery\\d10510a2-6fc3-11ee-bc6f-a02387f916ed\\taskhost.exe\", \"C:\\Windows\\Logs\\DPX\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\", \"C:\\Windows\\de-DE\\dwm.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\lsass.exe\", \"C:\\Program Files\\Java\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2240	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2240	schtasks.exe	28

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2852-0-0x0000000000820000-0x00000000009F2000-memory.dmp	dcrat
behavioral1/files/0x0009000000016cbe-18.dat	dcrat
behavioral1/files/0x0006000000016d26-40.dat	dcrat
behavioral1/files/0x0006000000016d26-41.dat	dcrat
behavioral1/memory/1032-42-0x0000000000EA0000-0x0000000001072000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1032	dwm.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Registration\\CRMLog\\csrss.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Java\\winlogon.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\dwm.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\d10510a2-6fc3-11ee-bc6f-a02387f916ed\\taskhost.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\de-DE\\dwm.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Uninstall Information\\lsm.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Logs\\DPX\\lsm.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\explorer.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\lsass.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\dwm.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Registration\\CRMLog\\csrss.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Java\\winlogon.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\de-DE\\dwm.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\lsass.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\security\\audit\\explorer.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\d10510a2-6fc3-11ee-bc6f-a02387f916ed\\taskhost.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Logs\\DPX\\lsm.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\lsass.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Uninstall Information\\lsm.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\lsass.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\security\\audit\\explorer.exe\""	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\7a0fd90576e088	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\lsass.exe	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Program Files\Java\winlogon.exe	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\dwm.exe	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Program Files\Windows Media Player\Icons\sppsvc.exe	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\explorer.exe	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Program Files\Java\cc11b995f2a76d	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Program Files\Uninstall Information\lsm.exe	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Program Files\Uninstall Information\101b941d020240	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\6cb0b6c459d5d3	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\explorer.exe	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\6203df4a6bafc7	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\security\audit\explorer.exe	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Windows\security\audit\7a0fd90576e088	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Windows\de-DE\dwm.exe	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Windows\de-DE\6cb0b6c459d5d3	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Windows\Registration\CRMLog\csrss.exe	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Windows\Logs\DPX\lsm.exe	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Windows\Logs\DPX\101b941d020240	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Windows\servicing\Packages\sppsvc.exe	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
File created	C:\Windows\Registration\CRMLog\886983d96e3d3e	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2920	schtasks.exe
2380	schtasks.exe
2648	schtasks.exe
2984	schtasks.exe
436	schtasks.exe
1956	schtasks.exe
760	schtasks.exe
1768	schtasks.exe
2272	schtasks.exe
1040	schtasks.exe
2688	schtasks.exe
2660	schtasks.exe
2580	schtasks.exe
1416	schtasks.exe
2960	schtasks.exe
2924	schtasks.exe
2308	schtasks.exe
2832	schtasks.exe
2992	schtasks.exe
276	schtasks.exe
2536	schtasks.exe
1512	schtasks.exe
788	schtasks.exe
1912	schtasks.exe
2668	schtasks.exe
2268	schtasks.exe
2172	schtasks.exe
1644	schtasks.exe
1064	schtasks.exe
2940	schtasks.exe
1012	schtasks.exe
2876	schtasks.exe
1408	schtasks.exe
2208	schtasks.exe
2908	schtasks.exe
1936	schtasks.exe
1724	schtasks.exe
564	schtasks.exe
1368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2852	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
2852	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
2852	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
2852	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
2852	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
1032	dwm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
Token: SeDebugPrivilege	1032	dwm.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 1032	2852	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe	68
PID 2852 wrote to memory of 1032	2852	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe	68
PID 2852 wrote to memory of 1032	2852	NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1exe_JC.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\de-DE\dwm.exe
  "C:\Windows\de-DE\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\security\audit\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\security\audit\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\security\audit\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\DPX\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\DPX\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Logs\DPX\lsm.exe

Filesize
1.8MB

MD5
042131ad58f4624f9722ce342319396b

SHA1
e55031479a1a376eb230d91ae3352dfb24b5abaf

SHA256
ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1

SHA512
aaed88b7be43daa14798b867c3ec3c67c0c079bb50a496ff0ecf4db7709f77917882c9d8f02ad0e6b090ce5a3dca8e644948631b539aaca3885908df92e34505

Download Submit
C:\Windows\de-DE\dwm.exe

Filesize
1.8MB

MD5
042131ad58f4624f9722ce342319396b

SHA1
e55031479a1a376eb230d91ae3352dfb24b5abaf

SHA256
ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1

SHA512
aaed88b7be43daa14798b867c3ec3c67c0c079bb50a496ff0ecf4db7709f77917882c9d8f02ad0e6b090ce5a3dca8e644948631b539aaca3885908df92e34505

Download Submit
C:\Windows\de-DE\dwm.exe

Filesize
1.8MB

MD5
042131ad58f4624f9722ce342319396b

SHA1
e55031479a1a376eb230d91ae3352dfb24b5abaf

SHA256
ad36fd29255e2cc7311a9ee8acf001adb391d8e7f7ab084db88b772fb6d8c2e1

SHA512
aaed88b7be43daa14798b867c3ec3c67c0c079bb50a496ff0ecf4db7709f77917882c9d8f02ad0e6b090ce5a3dca8e644948631b539aaca3885908df92e34505

Download Submit
memory/1032-48-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/1032-46-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/1032-44-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/1032-43-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/1032-42-0x0000000000EA0000-0x0000000001072000-memory.dmp

Filesize
1.8MB

Download
memory/2852-5-0x0000000000620000-0x0000000000676000-memory.dmp

Filesize
344KB

Download
memory/2852-9-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/2852-8-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2852-7-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download
memory/2852-6-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2852-0-0x0000000000820000-0x00000000009F2000-memory.dmp

Filesize
1.8MB

Download
memory/2852-4-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/2852-45-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2852-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2852-2-0x000000001B060000-0x000000001B0E0000-memory.dmp

Filesize
512KB

Download
memory/2852-47-0x000000001B060000-0x000000001B0E0000-memory.dmp

Filesize
512KB

Download
memory/2852-1-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download