dcrat | 310d1c1dbab48d7859d151a039887c40da8f92fdf2e6d9be8e73fb3d9ef22e51

Analysis

max time kernel
155s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1BF1C3C534F06F4A065A86781FB1CBE2.exe
Size

1.2MB
MD5

1bf1c3c534f06f4a065a86781fb1cbe2
SHA1

af2a14b5c20831e437509f2b9d4b3be2abaacf3d
SHA256

310d1c1dbab48d7859d151a039887c40da8f92fdf2e6d9be8e73fb3d9ef22e51
SHA512

a93ac77e4db5c312f4aa68449695cdbd82d795c3abcf818ead8544b424dd9a0e673f6bb8a9c7b233d0a6dc27c73286a8a1fe2391773071e7ad52bca668cac36b
SSDEEP

24576:4FxZRGiumPMIAMId+hmi15r4ktrMLljj8xsgJ3tUh:Exbuogdami1XMLljj8xsgFe

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\odt\\unsecapp.exe\", \"C:\\Users\\Default User\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\odt\\unsecapp.exe\", \"C:\\Users\\Default User\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\1BF1C3C534F06F4A065A86781FB1CBE2.exe\", \"C:\\Windows\\IdentityCRL\\production\\TextInputHost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\odt\\unsecapp.exe\", \"C:\\Users\\Default User\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\1BF1C3C534F06F4A065A86781FB1CBE2.exe\", \"C:\\Windows\\IdentityCRL\\production\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\odt\\sihost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\odt\\unsecapp.exe\", \"C:\\Users\\Default User\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\1BF1C3C534F06F4A065A86781FB1CBE2.exe\", \"C:\\Windows\\IdentityCRL\\production\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\odt\\sihost.exe\", \"C:\\Users\\All Users\\Application Data\\taskhostw.exe\", \"C:\\odt\\services.exe\", \"C:\\Windows\\tracing\\sihost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\odt\\unsecapp.exe\", \"C:\\Users\\Default User\\backgroundTaskHost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\odt\\unsecapp.exe\", \"C:\\Users\\Default User\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\1BF1C3C534F06F4A065A86781FB1CBE2.exe\", \"C:\\Windows\\IdentityCRL\\production\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\odt\\unsecapp.exe\", \"C:\\Users\\Default User\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\1BF1C3C534F06F4A065A86781FB1CBE2.exe\", \"C:\\Windows\\IdentityCRL\\production\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\odt\\sihost.exe\", \"C:\\Users\\All Users\\Application Data\\taskhostw.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\odt\\unsecapp.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\odt\\unsecapp.exe\", \"C:\\Users\\Default User\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\1BF1C3C534F06F4A065A86781FB1CBE2.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\odt\\unsecapp.exe\", \"C:\\Users\\Default User\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\1BF1C3C534F06F4A065A86781FB1CBE2.exe\", \"C:\\Windows\\IdentityCRL\\production\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\odt\\sihost.exe\", \"C:\\Users\\All Users\\Application Data\\taskhostw.exe\", \"C:\\odt\\services.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\odt\\unsecapp.exe\", \"C:\\Users\\Default User\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\1BF1C3C534F06F4A065A86781FB1CBE2.exe\", \"C:\\Windows\\IdentityCRL\\production\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\odt\\sihost.exe\", \"C:\\Users\\All Users\\Application Data\\taskhostw.exe\", \"C:\\odt\\services.exe\", \"C:\\Windows\\tracing\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\odt\\System.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\odt\\unsecapp.exe\", \"C:\\Users\\Default User\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\1BF1C3C534F06F4A065A86781FB1CBE2.exe\", \"C:\\Windows\\IdentityCRL\\production\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\odt\\sihost.exe\", \"C:\\Users\\All Users\\Application Data\\taskhostw.exe\", \"C:\\odt\\services.exe\", \"C:\\Windows\\tracing\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Program Files\\7-Zip\\Lang\\RuntimeBroker.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	4420	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	4420	schtasks.exe	90

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4472-0-0x0000000000450000-0x0000000000588000-memory.dmp	dcrat
behavioral2/files/0x000600000002320d-16.dat	dcrat
behavioral2/files/0x000600000002322d-48.dat	dcrat
behavioral2/files/0x000600000002322d-51.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	1BF1C3C534F06F4A065A86781FB1CBE2.exe

Executes dropped EXE 1 IoCs

pid	Process
4636	unsecapp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Default User\\backgroundTaskHost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\7-Zip\\Lang\\RuntimeBroker.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\7-Zip\\Lang\\RuntimeBroker.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\odt\\System.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\odt\\sihost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\tracing\\sihost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\odt\\System.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\odt\\unsecapp.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1BF1C3C534F06F4A065A86781FB1CBE2 = "\"C:\\Recovery\\WindowsRE\\1BF1C3C534F06F4A065A86781FB1CBE2.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\All Users\\Application Data\\taskhostw.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\odt\\services.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\odt\\services.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\IdentityCRL\\production\\TextInputHost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Music\\RuntimeBroker.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\All Users\\Application Data\\taskhostw.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1BF1C3C534F06F4A065A86781FB1CBE2 = "\"C:\\Recovery\\WindowsRE\\1BF1C3C534F06F4A065A86781FB1CBE2.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\odt\\unsecapp.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Default User\\backgroundTaskHost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\IdentityCRL\\production\\TextInputHost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Music\\RuntimeBroker.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\odt\\sihost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\tracing\\sihost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	1BF1C3C534F06F4A065A86781FB1CBE2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	ipinfo.io
62	ipinfo.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\RuntimeBroker.exe	1BF1C3C534F06F4A065A86781FB1CBE2.exe
File created	C:\Program Files\7-Zip\Lang\9e8d7a4ca61bd9	1BF1C3C534F06F4A065A86781FB1CBE2.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\tracing\66fc9ff0ee96c2	1BF1C3C534F06F4A065A86781FB1CBE2.exe
File created	C:\Windows\IdentityCRL\production\TextInputHost.exe	1BF1C3C534F06F4A065A86781FB1CBE2.exe
File created	C:\Windows\IdentityCRL\production\22eafd247d37c3	1BF1C3C534F06F4A065A86781FB1CBE2.exe
File created	C:\Windows\tracing\sihost.exe	1BF1C3C534F06F4A065A86781FB1CBE2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3124	schtasks.exe
3924	schtasks.exe
4896	schtasks.exe
4588	schtasks.exe
4932	schtasks.exe
660	schtasks.exe
5072	schtasks.exe
4640	schtasks.exe
4492	schtasks.exe
3896	schtasks.exe
2464	schtasks.exe
5084	schtasks.exe
3840	schtasks.exe
4004	schtasks.exe
396	schtasks.exe
404	schtasks.exe
4280	schtasks.exe
4828	schtasks.exe
1952	schtasks.exe
2936	schtasks.exe
1436	schtasks.exe
3312	schtasks.exe
1480	schtasks.exe
1272	schtasks.exe
4544	schtasks.exe
3340	schtasks.exe
3476	schtasks.exe
2740	schtasks.exe
2344	schtasks.exe
3336	schtasks.exe
4080	schtasks.exe
2920	schtasks.exe
2992	schtasks.exe
3264	schtasks.exe
3748	schtasks.exe
5036	schtasks.exe
1604	schtasks.exe
3288	schtasks.exe
3808	schtasks.exe
4100	schtasks.exe
4056	schtasks.exe
1664	schtasks.exe
3096	schtasks.exe
2056	schtasks.exe
2604	schtasks.exe
1796	schtasks.exe
3284	schtasks.exe
1600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
4636	unsecapp.exe
4636	unsecapp.exe
4636	unsecapp.exe
4636	unsecapp.exe
4636	unsecapp.exe
4636	unsecapp.exe
4636	unsecapp.exe
4636	unsecapp.exe
4636	unsecapp.exe
4636	unsecapp.exe
4636	unsecapp.exe
4636	unsecapp.exe
4636	unsecapp.exe
4636	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe
Token: SeDebugPrivilege	4636	unsecapp.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4636	4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe	140
PID 4472 wrote to memory of 4636	4472	1BF1C3C534F06F4A065A86781FB1CBE2.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1BF1C3C534F06F4A065A86781FB1CBE2.exe
"C:\Users\Admin\AppData\Local\Temp\1BF1C3C534F06F4A065A86781FB1CBE2.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Recovery\WindowsRE\unsecapp.exe
  "C:\Recovery\WindowsRE\unsecapp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\odt\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1BF1C3C534F06F4A065A86781FB1CBE21" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\1BF1C3C534F06F4A065A86781FB1CBE2.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1BF1C3C534F06F4A065A86781FB1CBE21" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\1BF1C3C534F06F4A065A86781FB1CBE2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1BF1C3C534F06F4A065A86781FB1CBE2" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\1BF1C3C534F06F4A065A86781FB1CBE2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\IdentityCRL\production\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\IdentityCRL\production\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\tracing\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\unsecapp.exe

Filesize
653KB

MD5
3e12ae1b77fded6a07fda292be2348d0

SHA1
78d46d9bbaff27f9f42d27e0cb4b4390d6e651b6

SHA256
5fe7c182661a599e480c6f920f65b681ee5b2e1a611d28b39870af1184a5e97c

SHA512
6abba23d5155c21be80e511648a796c8fd7a65b13c3c6fdbb08d82574e0b4036391079023bf43ae5fbaeafd9a68e6f730adbf04125c5fae2f06f7377ffd25d4c

Download Submit
C:\Recovery\WindowsRE\unsecapp.exe

Filesize
576KB

MD5
3e063d337296dea60569999175408c19

SHA1
12a9aaa5d129752a078c2a6b9e9dcd748ffee043

SHA256
e4b28157b072bc97c76e17b9ce2d3ac090b13b4d67719a166b889492f4127fcd

SHA512
e1f86a276c238e1f7377472e9a89f0de953dbe8818acd5c30728dfa21e9b621ab6176d17e643608ca3701dc18a56d64bc3cc26f9c8596b679f04eb07f1d1eac4

Download Submit
C:\odt\unsecapp.exe

Filesize
439KB

MD5
e2e091197bf93ca09cf2e2f2d4a5fe38

SHA1
28bc28d21447f23364940ba0b33622c0245434e3

SHA256
c9e82ccc8b564bd881d35dc3e21c62bea406957751a481d95d38ff230fdd8754

SHA512
33245ede13bc55e4a062cc6d23866c328ed1afc17d29ae9a39ed2ac73812c0ac5a39d9f1ab3c64b78a1221766ccf58ae5eba96b2eabe5cb306a2d74cae1b3a7a

Download Submit
memory/4472-4-0x000000001B790000-0x000000001B7E0000-memory.dmp

Filesize
320KB

Download
memory/4472-0-0x0000000000450000-0x0000000000588000-memory.dmp

Filesize
1.2MB

Download
memory/4472-5-0x00000000026C0000-0x00000000026D6000-memory.dmp

Filesize
88KB

Download
memory/4472-6-0x00000000027F0000-0x00000000027FE000-memory.dmp

Filesize
56KB

Download
memory/4472-7-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/4472-3-0x00000000026A0000-0x00000000026BC000-memory.dmp

Filesize
112KB

Download
memory/4472-2-0x000000001B280000-0x000000001B290000-memory.dmp

Filesize
64KB

Download
memory/4472-50-0x00007FF90EA50000-0x00007FF90F511000-memory.dmp

Filesize
10.8MB

Download
memory/4472-1-0x00007FF90EA50000-0x00007FF90F511000-memory.dmp

Filesize
10.8MB

Download
memory/4636-52-0x00007FF90EA50000-0x00007FF90F511000-memory.dmp

Filesize
10.8MB

Download
memory/4636-53-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download
memory/4636-54-0x00007FF90EA50000-0x00007FF90F511000-memory.dmp

Filesize
10.8MB

Download
memory/4636-55-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download