dcrat | 3c8446105b8c784de66d9f19aea1ff4a12afda154f2f35056fa6acfecfa6453e

Analysis

max time kernel
3s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe
Size

3.4MB
MD5

638809035dd3fafc1377ffd71f4a5296
SHA1

1a5920fc6fcb463288bc07023ad5840ebbca4b11
SHA256

1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274
SHA512

3ddd44ead391ab72c5fe9476608a1c908f983ff6dacb499b27e21bb638d1da88951335262562ede806100cb83d72283bf6446e02a422e3a06b567e7406dbc896
SSDEEP

98304:uTbZZD8r18Vx4IuzrIXltEDjm/PtLORlm0:W3DY2/IgjEu4Q

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3808	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	3808	schtasks.exe	97

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x00080000000224fc-18.dat	dcrat
behavioral2/memory/5092-17-0x0000000000400000-0x0000000000744000-memory.dmp	dcrat
behavioral2/files/0x0006000000023229-48.dat	dcrat
behavioral2/memory/4940-49-0x0000000000FA0000-0x00000000010D8000-memory.dmp	dcrat
behavioral2/files/0x0006000000023229-47.dat	dcrat
behavioral2/files/0x0006000000023231-59.dat	dcrat
behavioral2/files/0x0006000000023244-92.dat	dcrat
behavioral2/files/0x0006000000023244-91.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
3964	schtasks.exe
3432	Everything-1.4.1.1024.x86-Setup.exe
4940	backgroundTaskHost.exe

Loads dropped DLL 3 IoCs

pid	Process
3432	Everything-1.4.1.1024.x86-Setup.exe
3432	Everything-1.4.1.1024.x86-Setup.exe
3432	Everything-1.4.1.1024.x86-Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3976	schtasks.exe
4824	schtasks.exe
5052	schtasks.exe
4152	schtasks.exe
2616	schtasks.exe
2244	schtasks.exe
3184	schtasks.exe
3356	schtasks.exe
452	schtasks.exe
4576	schtasks.exe
680	schtasks.exe
2472	schtasks.exe
2520	schtasks.exe
2452	schtasks.exe
2168	schtasks.exe
396	schtasks.exe
4948	schtasks.exe
3404	schtasks.exe
4968	schtasks.exe
3644	schtasks.exe
3384	schtasks.exe
2648	schtasks.exe
632	schtasks.exe
3560	schtasks.exe
4880	schtasks.exe
2492	schtasks.exe
4056	schtasks.exe
2288	schtasks.exe
2584	schtasks.exe
3768	schtasks.exe
4836	schtasks.exe
1420	schtasks.exe
3964	schtasks.exe
3344	schtasks.exe
3176	schtasks.exe
4616	schtasks.exe
5108	schtasks.exe
4412	schtasks.exe
4028	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	schtasks.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 3964	5092	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	134
PID 5092 wrote to memory of 3964	5092	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	134
PID 5092 wrote to memory of 3964	5092	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	134
PID 5092 wrote to memory of 3432	5092	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	92
PID 5092 wrote to memory of 3432	5092	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	92
PID 5092 wrote to memory of 3432	5092	1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe	92
PID 3964 wrote to memory of 4844	3964	schtasks.exe	93
PID 3964 wrote to memory of 4844	3964	schtasks.exe	93
PID 3964 wrote to memory of 4844	3964	schtasks.exe	93
PID 4844 wrote to memory of 3952	4844	WScript.exe	96
PID 4844 wrote to memory of 3952	4844	WScript.exe	96
PID 4844 wrote to memory of 3952	4844	WScript.exe	96
PID 3952 wrote to memory of 4940	3952	cmd.exe	152
PID 3952 wrote to memory of 4940	3952	cmd.exe	152

C:\Users\Admin\AppData\Local\Temp\1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe
"C:\Users\Admin\AppData\Local\Temp\1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\Everything-1.4.exe
  "C:\Users\Admin\AppData\Local\Temp\Everything-1.4.exe"
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\MscontainerFontdhcp\G5AvcxxZA.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\MscontainerFontdhcp\zzCGYue9RCi0hOJ5cjYS.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3952
- C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3432

C:\MscontainerFontdhcp\containerFontbroker.exe
"C:\MscontainerFontdhcp\containerFontbroker.exe"
1⤵
PID:4940
- C:\Program Files (x86)\Windows Mail\System.exe
  "C:\Program Files (x86)\Windows Mail\System.exe"
  2⤵
  PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\MscontainerFontdhcp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\MscontainerFontdhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MscontainerFontdhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_109750\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_109750\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_109750\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MscontainerFontdhcp\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MscontainerFontdhcp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MscontainerFontdhcp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\MscontainerFontdhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MscontainerFontdhcp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\MscontainerFontdhcp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MscontainerFontdhcp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MscontainerFontdhcp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Users\Default\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\ServiceModelOperation 3.0.0.0\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\INF\ServiceModelOperation 3.0.0.0\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\INF\ServiceModelOperation 3.0.0.0\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Users\Default\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MscontainerFontdhcp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Executes dropped EXE
- Creates scheduled task(s)
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Executes dropped EXE
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MscontainerFontdhcp\G5AvcxxZA.vbe

Filesize
213B

MD5
930f4c2b6a849f29927883268ac57b49

SHA1
ec676d52693758d87ba083ec44706b9044652104

SHA256
61ed23ee7f1d1bf8c046fa1381234b80ba4052269a4709372011d0e375c4b0c9

SHA512
d759ebac18f6d65ef9dcf17bb7e3934fb1dad4c9de146d89b976601d127c86e216d4a36b6a9edcf716d5398bd1b5231d729702504e4159a13c5107b4dc105361

Download Submit
C:\MscontainerFontdhcp\containerFontbroker.exe

Filesize
3KB

MD5
1c257a04bf387ccf30d88802d235d1d1

SHA1
e61f3aaa84ad0f0c42dc953ab742b596a16d156c

SHA256
aefe9f2c111957aba07ebbfb243bccb88b4349503a14d244d5f745639b5bf7c4

SHA512
9d684de83eda33a72c8ffe07e5648ab293e0df6b385fee96f107ef311e6d00128100223202181e4405dc7956044479f0d53ff10603cd57fc831941c4177bb6aa

Download Submit
C:\MscontainerFontdhcp\containerFontbroker.exe

Filesize
32KB

MD5
963d8dd581cc77d056bbd1955ee21c04

SHA1
be2b6d1c82d2a626cff6c5bdc8d7157c3152f0de

SHA256
a035d29b090c712bc79a260693a7ab76f72d20779602e009229a60a7ba159555

SHA512
307ecbbd44cb250586a02094118d1da91bd772645b5f309db90ee51480ef7a7496ff026b8b768edca04ac3c838e1ea64b0039b00f1436872970545ee6afaee3e

Download Submit
C:\MscontainerFontdhcp\zzCGYue9RCi0hOJ5cjYS.bat

Filesize
48B

MD5
5ff4a2faf2b122c2c71cf545ec0bdc39

SHA1
5aeb3be0aae28fba00141f574d7842dc4c781f80

SHA256
d2d1fc8195907357a335c13c6bdc50cfbd114eb4a375ae1a23c6892c99b70c8e

SHA512
00fbd02310a33795d83e4632646f5ca2806c1cedbf4947d30a9f36ff140cb13739d30e2c9f8b5ee8741ca42f4760af8c63075c288322e5a75e3fa7738dbae158

Download Submit
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_109750\unsecapp.exe

Filesize
183KB

MD5
492fccba99e7e2f7eafc7009c6104cf2

SHA1
cba4a0d768c0ee4e52a8e8f9682641a419d2df0c

SHA256
825c0c57abc933e4ab6ec65b3bfb20d9434ce73a072b9523e2acdea03870d63a

SHA512
63f9e8daf6851bd8b01215a3d27b8b396b000af6399a8fb2aaa80ff1343ba5ee0da088e524b9fda581d8119f250cf9def5a5c2a77bb5668f044f70f8d655c961

Download Submit
C:\Program Files (x86)\Windows Mail\System.exe

Filesize
50KB

MD5
0a89abcb6bbdfc4f16b042e3958789e5

SHA1
8bdbda155c5e1db420baf9de9574b721fe3bd2f8

SHA256
418373f79157ed7ebf96de5c9a0872630b0a5c768fa7ef33a302b10c9939ac0a

SHA512
c53955b5506c94ceadb711ea203bdeb13b14376f4eb719445e3e5e85f94e8def1d70af6380a7bcbaf2183a818e59b4d8dd5b2ff63d8e46c5d695395a422d253e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x86-Setup.exe

Filesize
92KB

MD5
e31aa4ffc19819b63cceddd37907bd75

SHA1
24a302e762d66db5062f98894a17e0cbc6c89b80

SHA256
5c504697ee8c5cdcc4b128352227816e1066c10bcb835da8b38854109c810fa9

SHA512
ff5f65a9e99e3f0ee342e23fa346d8d917d3e51ad5e1704c4709e0fc708ed511d241414c677d45b8684497365dadeaa26033c395ece2a451aaee6b7379b8d311

Download Submit
C:\Users\Admin\AppData\Local\Temp\Everything-1.4.exe

Filesize
39KB

MD5
241e590dfe046121d17f957dfeded176

SHA1
63a141be880966280dfacb6cd3d4e2e6127eafce

SHA256
fb8355c9368414b43784d8220335f67a9afd9d902edf09316ae7d5d3c15ffbef

SHA512
92b8362cd6736b6ac5dfe142dd6869169eba5a91fbe12b3271b7d2704697e5364a852cc152c45870cec6266daac58640a03a0eeed93d8b731225018b7a1c4f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh72FF.tmp\InstallOptions.dll

Filesize
13KB

MD5
02944d4213ed15789f6b9ba91dff319c

SHA1
efc3a0ec31ffe68a9e901950e6531d499456bb1c

SHA256
c5ee95c7f7dd88d940a3e886e46e5b7943e31a79bc1b2bf5a8e75948bb91246e

SHA512
a304204de78fdc6301277dfd46ca7f90457b52e80454d1e4c34f2d1dde9850c165c27b38acedb45b57a060b33d1acb854add52ee6c9715e152e2b3dd6a9c7d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh72FF.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh72FF.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
memory/3872-96-0x000000001B850000-0x000000001B860000-memory.dmp

Filesize
64KB

Download
memory/3872-94-0x00007FFBE4EC0000-0x00007FFBE5981000-memory.dmp

Filesize
10.8MB

Download
memory/3872-110-0x00007FFBE4EC0000-0x00007FFBE5981000-memory.dmp

Filesize
10.8MB

Download
memory/4940-54-0x0000000003330000-0x0000000003346000-memory.dmp

Filesize
88KB

Download
memory/4940-56-0x0000000003470000-0x0000000003478000-memory.dmp

Filesize
32KB

Download
memory/4940-55-0x0000000001940000-0x000000000194E000-memory.dmp

Filesize
56KB

Download
memory/4940-53-0x00000000034C0000-0x0000000003510000-memory.dmp

Filesize
320KB

Download
memory/4940-52-0x0000000003310000-0x000000000332C000-memory.dmp

Filesize
112KB

Download
memory/4940-51-0x0000000001870000-0x0000000001880000-memory.dmp

Filesize
64KB

Download
memory/4940-50-0x00007FFBE4EC0000-0x00007FFBE5981000-memory.dmp

Filesize
10.8MB

Download
memory/4940-49-0x0000000000FA0000-0x00000000010D8000-memory.dmp

Filesize
1.2MB

Download
memory/4940-95-0x00007FFBE4EC0000-0x00007FFBE5981000-memory.dmp

Filesize
10.8MB

Download
memory/5092-17-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads