dcrat | 90b1c605b3a6431b1dcc3707f976fcb71181109590403df8fcaa17eee16904dc

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/02/2024, 06:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Backdoor.MSIL.DCRat.exe
Size

2.0MB
MD5

d2d681fe198fb1e5cedfe2d7d163e61a
SHA1

15f50cd3233206e2fd1d8cf8398e31f4fb0ca1ef
SHA256

90b1c605b3a6431b1dcc3707f976fcb71181109590403df8fcaa17eee16904dc
SHA512

79979f349b2f594de0e5267f5a6a7ee2290f7ba219d99ff249621aa07c5091004bd2870b6576506d755e99578a963d38216f1746aa3d9abc370aa76720315a63
SSDEEP

49152:tqHEuTrhUqQcvwHnX9B0gQ1TgqAsoqbBmXob3:IHrUqQcvQnX9B0gQ1TgqAsRVmXob3

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 20 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2756	schtasks.exe
		1364	schtasks.exe
		2348	schtasks.exe
		1900	schtasks.exe
		1628	schtasks.exe
		1520	schtasks.exe
		540	schtasks.exe
		1512	schtasks.exe
		2504	schtasks.exe
		1552	schtasks.exe
		2104	schtasks.exe
		2260	schtasks.exe
		2112	schtasks.exe
		1836	schtasks.exe
		2376	schtasks.exe
		1652	schtasks.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe		HEUR-Backdoor.MSIL.DCRat.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\0a1fd5f707cd16		HEUR-Backdoor.MSIL.DCRat.exe
		1924	schtasks.exe
		328	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sppsvc.exe\", \"C:\\Program Files\\Windows Media Player\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\services.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\csrss.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sppsvc.exe\", \"C:\\Program Files\\Windows Media Player\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\services.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\services.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sppsvc.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sppsvc.exe\", \"C:\\Program Files\\Windows Media Player\\lsass.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sppsvc.exe\", \"C:\\Program Files\\Windows Media Player\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\services.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sppsvc.exe\", \"C:\\Program Files\\Windows Media Player\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\services.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\""	HEUR-Backdoor.MSIL.DCRat.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2432	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2432	schtasks.exe	28

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1972-0-0x0000000000DA0000-0x0000000000FAA000-memory.dmp	dcrat
behavioral1/files/0x0006000000017052-31.dat	dcrat
behavioral1/files/0x0007000000018f3a-114.dat	dcrat
behavioral1/files/0x0007000000018f3a-111.dat	dcrat
behavioral1/memory/344-121-0x0000000000B10000-0x0000000000D1A000-memory.dmp	dcrat
behavioral1/files/0x0007000000018f3a-120.dat	dcrat

Detects executables packed with SmartAssembly 5 IoCs

resource	yara_rule
behavioral1/memory/1972-7-0x00000000005A0000-0x00000000005B0000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1972-13-0x0000000000C60000-0x0000000000C6C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1972-15-0x0000000000D00000-0x0000000000D0C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1972-20-0x0000000000D40000-0x0000000000D4C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1972-21-0x0000000000D50000-0x0000000000D5A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Executes dropped EXE 1 IoCs

pid	Process
344	services.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sppsvc.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Media Player\\lsass.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Media Player\\lsass.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\services.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\services.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\services.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sppsvc.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Google\\Chrome\\Application\\csrss.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Google\\Chrome\\Application\\csrss.exe\""	HEUR-Backdoor.MSIL.DCRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\services.exe\""	HEUR-Backdoor.MSIL.DCRat.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe	HEUR-Backdoor.MSIL.DCRat.exe
File created	C:\Program Files\Windows Media Player\lsass.exe	HEUR-Backdoor.MSIL.DCRat.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe	HEUR-Backdoor.MSIL.DCRat.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX3DAD.tmp	HEUR-Backdoor.MSIL.DCRat.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\csrss.exe	HEUR-Backdoor.MSIL.DCRat.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\c5b4cb5e9653cc	HEUR-Backdoor.MSIL.DCRat.exe
File created	C:\Program Files\Google\Chrome\Application\886983d96e3d3e	HEUR-Backdoor.MSIL.DCRat.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX3FB1.tmp	HEUR-Backdoor.MSIL.DCRat.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX41B5.tmp	HEUR-Backdoor.MSIL.DCRat.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe	HEUR-Backdoor.MSIL.DCRat.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\0a1fd5f707cd16	HEUR-Backdoor.MSIL.DCRat.exe
File created	C:\Program Files\Windows Media Player\6203df4a6bafc7	HEUR-Backdoor.MSIL.DCRat.exe
File created	C:\Program Files\Google\Chrome\Application\csrss.exe	HEUR-Backdoor.MSIL.DCRat.exe
File opened for modification	C:\Program Files\Windows Media Player\lsass.exe	HEUR-Backdoor.MSIL.DCRat.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe	HEUR-Backdoor.MSIL.DCRat.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX4697.tmp	HEUR-Backdoor.MSIL.DCRat.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe	HEUR-Backdoor.MSIL.DCRat.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\b75386f1303e64	HEUR-Backdoor.MSIL.DCRat.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCX4426.tmp	HEUR-Backdoor.MSIL.DCRat.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe	HEUR-Backdoor.MSIL.DCRat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2376	schtasks.exe
2348	schtasks.exe
2756	schtasks.exe
328	schtasks.exe
540	schtasks.exe
2504	schtasks.exe
1628	schtasks.exe
1924	schtasks.exe
2260	schtasks.exe
2112	schtasks.exe
1652	schtasks.exe
1364	schtasks.exe
1520	schtasks.exe
2104	schtasks.exe
1512	schtasks.exe
1900	schtasks.exe
1552	schtasks.exe
1836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
2636	powershell.exe
2656	powershell.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
2056	powershell.exe
1972	HEUR-Backdoor.MSIL.DCRat.exe
2576	powershell.exe
2624	powershell.exe
2960	powershell.exe
2628	powershell.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe
344	services.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	HEUR-Backdoor.MSIL.DCRat.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	344	services.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2628	1972	HEUR-Backdoor.MSIL.DCRat.exe	47
PID 1972 wrote to memory of 2628	1972	HEUR-Backdoor.MSIL.DCRat.exe	47
PID 1972 wrote to memory of 2628	1972	HEUR-Backdoor.MSIL.DCRat.exe	47
PID 1972 wrote to memory of 2576	1972	HEUR-Backdoor.MSIL.DCRat.exe	48
PID 1972 wrote to memory of 2576	1972	HEUR-Backdoor.MSIL.DCRat.exe	48
PID 1972 wrote to memory of 2576	1972	HEUR-Backdoor.MSIL.DCRat.exe	48
PID 1972 wrote to memory of 2656	1972	HEUR-Backdoor.MSIL.DCRat.exe	49
PID 1972 wrote to memory of 2656	1972	HEUR-Backdoor.MSIL.DCRat.exe	49
PID 1972 wrote to memory of 2656	1972	HEUR-Backdoor.MSIL.DCRat.exe	49
PID 1972 wrote to memory of 2636	1972	HEUR-Backdoor.MSIL.DCRat.exe	50
PID 1972 wrote to memory of 2636	1972	HEUR-Backdoor.MSIL.DCRat.exe	50
PID 1972 wrote to memory of 2636	1972	HEUR-Backdoor.MSIL.DCRat.exe	50
PID 1972 wrote to memory of 2624	1972	HEUR-Backdoor.MSIL.DCRat.exe	51
PID 1972 wrote to memory of 2624	1972	HEUR-Backdoor.MSIL.DCRat.exe	51
PID 1972 wrote to memory of 2624	1972	HEUR-Backdoor.MSIL.DCRat.exe	51
PID 1972 wrote to memory of 2960	1972	HEUR-Backdoor.MSIL.DCRat.exe	52
PID 1972 wrote to memory of 2960	1972	HEUR-Backdoor.MSIL.DCRat.exe	52
PID 1972 wrote to memory of 2960	1972	HEUR-Backdoor.MSIL.DCRat.exe	52
PID 1972 wrote to memory of 2056	1972	HEUR-Backdoor.MSIL.DCRat.exe	53
PID 1972 wrote to memory of 2056	1972	HEUR-Backdoor.MSIL.DCRat.exe	53
PID 1972 wrote to memory of 2056	1972	HEUR-Backdoor.MSIL.DCRat.exe	53
PID 1972 wrote to memory of 344	1972	HEUR-Backdoor.MSIL.DCRat.exe	61
PID 1972 wrote to memory of 344	1972	HEUR-Backdoor.MSIL.DCRat.exe	61
PID 1972 wrote to memory of 344	1972	HEUR-Backdoor.MSIL.DCRat.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.DCRat.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.DCRat.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.DCRat.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\lsass.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe
  "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\csrss.exe

Filesize
2.0MB

MD5
d2d681fe198fb1e5cedfe2d7d163e61a

SHA1
15f50cd3233206e2fd1d8cf8398e31f4fb0ca1ef

SHA256
90b1c605b3a6431b1dcc3707f976fcb71181109590403df8fcaa17eee16904dc

SHA512
79979f349b2f594de0e5267f5a6a7ee2290f7ba219d99ff249621aa07c5091004bd2870b6576506d755e99578a963d38216f1746aa3d9abc370aa76720315a63

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe

Filesize
8KB

MD5
98e70d1a72b25378b2007a17552f1105

SHA1
81e58050571a94f39e85cdff13d6de5444deae32

SHA256
14645c69d6eed59a4e78661b244cb53bbcf3df8c46892868d6b8c3ffced45c51

SHA512
10db76d54e990f780074666168c0316f65d6fe1cec0d0baa93d9a5a150446247de50167508a545a0150991bb2e967c1e4d055613f5198aee23ad2d1a8d32a815

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe

Filesize
2KB

MD5
2383f05530a628cdb9cb4fbbece7e0ae

SHA1
e1acf6e470a0a95bd6c0f6bec6f21ca7552627f4

SHA256
4203b4e25dfea519eb4366774988af8411bf4cc31bc2dae7d8762c485b7d24e9

SHA512
d47d8c864b963495ebd45b4fac5d2b3956551ec99aaa0bb9f2ae1c6a9df671603cbb944b7bba104c9b3af56bd2205daad0ff934824c34bae524ab2e7d3e6a8b4

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe

Filesize
2.0MB

MD5
2131fed34c207e75b2fd222b8812b23d

SHA1
42236a19ab5d155743559ca14cdbcea5431bd37c

SHA256
d5ead960023ebc3c80c02f62523a261a7a9b4036d46910248e808ec2334527bd

SHA512
2d5981ad6e6d2850055a63e6e33c3bbdc8634fe95d3bb222f810770ea39821b9da15cfd02459df6af09f7cf6cde48b8291fa03dd1c11da1a374391742969a7f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB034.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
43210f4cd4b5108a90e903efaacfc070

SHA1
9385477c883330f8f79ac1d1c8fe31a8c3278b59

SHA256
053b1768e4fa08930d781226af03d84edc3575275c9b94b713530d18fce8c854

SHA512
779f4a0d26269fc21f01be614bb99f87bf6a951f4973a178c115278c541b348d1cc167f33769ed78b0ecca7799ab072593a664d41b893280178d6e6bcdd4551e

Download Submit
memory/344-152-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp

Filesize
9.9MB

Download
memory/344-121-0x0000000000B10000-0x0000000000D1A000-memory.dmp

Filesize
2.0MB

Download
memory/1972-19-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/1972-7-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1972-11-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/1972-12-0x0000000000C50000-0x0000000000C5C000-memory.dmp

Filesize
48KB

Download
memory/1972-13-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/1972-14-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/1972-15-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/1972-16-0x0000000000D10000-0x0000000000D1E000-memory.dmp

Filesize
56KB

Download
memory/1972-17-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/1972-18-0x0000000000D30000-0x0000000000D3E000-memory.dmp

Filesize
56KB

Download
memory/1972-20-0x0000000000D40000-0x0000000000D4C000-memory.dmp

Filesize
48KB

Download
memory/1972-1-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1972-21-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download
memory/1972-22-0x0000000000D60000-0x0000000000D6C000-memory.dmp

Filesize
48KB

Download
memory/1972-9-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/1972-38-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/1972-8-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/1972-10-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1972-6-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/1972-5-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/1972-4-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/1972-119-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1972-3-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/1972-2-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/1972-0-0x0000000000DA0000-0x0000000000FAA000-memory.dmp

Filesize
2.0MB

Download
memory/2056-132-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/2056-130-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/2056-131-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2056-133-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/2576-154-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-153-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/2576-156-0x0000000002CC4000-0x0000000002CC7000-memory.dmp

Filesize
12KB

Download
memory/2576-135-0x0000000002CC0000-0x0000000002D40000-memory.dmp

Filesize
512KB

Download
memory/2576-134-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-140-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2624-145-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-137-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-148-0x000000000285B000-0x00000000028C2000-memory.dmp

Filesize
412KB

Download
memory/2624-141-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2624-139-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-138-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2628-151-0x0000000002E4B000-0x0000000002EB2000-memory.dmp

Filesize
412KB

Download
memory/2628-147-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-149-0x0000000002E40000-0x0000000002EC0000-memory.dmp

Filesize
512KB

Download
memory/2628-150-0x0000000002E44000-0x0000000002E47000-memory.dmp

Filesize
12KB

Download
memory/2636-155-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2636-128-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2636-136-0x00000000022D0000-0x0000000002350000-memory.dmp

Filesize
512KB

Download
memory/2636-94-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

Filesize
32KB

Download
memory/2636-126-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2636-129-0x00000000022D0000-0x0000000002350000-memory.dmp

Filesize
512KB

Download
memory/2636-127-0x00000000022D0000-0x0000000002350000-memory.dmp

Filesize
512KB

Download
memory/2656-123-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-124-0x00000000022AB000-0x0000000002312000-memory.dmp

Filesize
412KB

Download
memory/2656-122-0x00000000022A4000-0x00000000022A7000-memory.dmp

Filesize
12KB

Download
memory/2656-125-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-88-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2960-142-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2960-157-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2960-146-0x0000000001FE0000-0x0000000002060000-memory.dmp

Filesize
512KB

Download
memory/2960-144-0x000007FEED7B0000-0x000007FEEE14D000-memory.dmp

Filesize
9.6MB

Download
memory/2960-143-0x0000000001FE0000-0x0000000002060000-memory.dmp

Filesize
512KB

Download