dcrat | 0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc

General

Target

0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe
Size

1.1MB
MD5

48e5ef4a0ca234c29ceecab25fe23d91
SHA1

058fec1d069ba2dd6f7ef3af7ff65066b5b9f7b9
SHA256

0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc
SHA512

6ba2d8666b43f80e86e1fbf8f4a694d1fe165d86d467ace38094adc585f77a68665dfa7ea7f2dc55ea8977971926b0cc947f410738e8670d8b344471f07dd65b
SSDEEP

24576:U2G/nvxW3Ww0tLmbqJB7ioiB9yzs9/Hi+i01ZxtYZH:UbA30Lmby7Or9vDE

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exebrokercrt.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3200	schtasks.exe
3204	schtasks.exe
2220	schtasks.exe
3232	schtasks.exe
512	schtasks.exe
3328	schtasks.exe
4444	schtasks.exe
3292	schtasks.exe
4620	schtasks.exe
File created	C:\Windows\Prefetch\ReadyBoot\ebf1f9fa8afd6d	brokercrt.exe
2008	schtasks.exe
3712	schtasks.exe
1636	schtasks.exe
3536	schtasks.exe
2396	schtasks.exe
3944	schtasks.exe
2376	schtasks.exe
4056	schtasks.exe
4452	schtasks.exe
1000	schtasks.exe
4872	schtasks.exe
396	schtasks.exe
736	schtasks.exe
File created	C:\Windows\DiagTrack\Settings\5940a34987c991	brokercrt.exe
376	schtasks.exe
212	schtasks.exe
3020	schtasks.exe
2192	schtasks.exe
848	schtasks.exe
3328	schtasks.exe
File created	C:\Program Files (x86)\Windows Sidebar\eddb19405b7ce1	brokercrt.exe
1268	schtasks.exe
3292	schtasks.exe
3632	schtasks.exe
1160	schtasks.exe
4928	schtasks.exe
4904	schtasks.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\f3b6ecef712a24	brokercrt.exe
3944	schtasks.exe
4604	schtasks.exe
4272	schtasks.exe
3184	schtasks.exe
4464	schtasks.exe
2192	schtasks.exe
2744	schtasks.exe
3176	schtasks.exe
2024	schtasks.exe
3236	schtasks.exe
2744	schtasks.exe
1608	schtasks.exe
4272	schtasks.exe
636	schtasks.exe
3392	schtasks.exe
3272	schtasks.exe
2684	schtasks.exe
1048	schtasks.exe
1528	schtasks.exe
File created	C:\Program Files\Windows Mail\6ccacd8608530f	brokercrt.exe
3560	schtasks.exe
4084	schtasks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe
1176	schtasks.exe
4804	schtasks.exe
412	schtasks.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	3540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	3540	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\ReviewHost\brokercrt.exe	dcrat
behavioral2/memory/4592-12-0x0000000000400000-0x00000000004D6000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exeWScript.exebrokercrt.exebrokercrt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	brokercrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	brokercrt.exe

Executes dropped EXE 3 IoCs

Processes:

brokercrt.exebrokercrt.exebrokercrt.exe

pid process

4592 brokercrt.exe
4932 brokercrt.exe
3736 brokercrt.exe

Drops file in Program Files directory 20 IoCs

Processes:

brokercrt.exebrokercrt.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe	brokercrt.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe	brokercrt.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\brokercrt.exe	brokercrt.exe
File created	C:\Program Files\7-Zip\Lang\RuntimeBroker.exe	brokercrt.exe
File created	C:\Program Files\Windows Portable Devices\6cb0b6c459d5d3	brokercrt.exe
File created	C:\Program Files (x86)\Windows Sidebar\eddb19405b7ce1	brokercrt.exe
File created	C:\Program Files\Windows Mail\Idle.exe	brokercrt.exe
File created	C:\Program Files\Windows Mail\6ccacd8608530f	brokercrt.exe
File created	C:\Program Files (x86)\MSBuild\WmiPrvSE.exe	brokercrt.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\eddb19405b7ce1	brokercrt.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe	brokercrt.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\5940a34987c991	brokercrt.exe
File created	C:\Program Files\Windows Portable Devices\dwm.exe	brokercrt.exe
File created	C:\Program Files (x86)\Windows Sidebar\backgroundTaskHost.exe	brokercrt.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\f3b6ecef712a24	brokercrt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\brokercrt.exe	brokercrt.exe
File created	C:\Program Files (x86)\MSBuild\24dbde2999530e	brokercrt.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\6f6208def6ae54	brokercrt.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backgroundTaskHost.exe	brokercrt.exe
File created	C:\Program Files\7-Zip\Lang\9e8d7a4ca61bd9	brokercrt.exe

Drops file in Windows directory 8 IoCs

Processes:

brokercrt.exebrokercrt.exe

description	ioc	process
File created	C:\Windows\SystemApps\7a0fd90576e088	brokercrt.exe
File created	C:\Windows\Cursors\lsass.exe	brokercrt.exe
File created	C:\Windows\Cursors\6203df4a6bafc7	brokercrt.exe
File created	C:\Windows\Prefetch\ReadyBoot\cmd.exe	brokercrt.exe
File created	C:\Windows\Prefetch\ReadyBoot\ebf1f9fa8afd6d	brokercrt.exe
File created	C:\Windows\DiagTrack\Settings\dllhost.exe	brokercrt.exe
File created	C:\Windows\DiagTrack\Settings\5940a34987c991	brokercrt.exe
File created	C:\Windows\SystemApps\explorer.exe	brokercrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3272	schtasks.exe
3632	schtasks.exe
1636	schtasks.exe
2192	schtasks.exe
3020	schtasks.exe
3328	schtasks.exe
3560	schtasks.exe
636	schtasks.exe
4384	schtasks.exe
4804	schtasks.exe
4056	schtasks.exe
2220	schtasks.exe
2744	schtasks.exe
3328	schtasks.exe
3200	schtasks.exe
412	schtasks.exe
3232	schtasks.exe
3736	schtasks.exe
2892	schtasks.exe
1636	schtasks.exe
1268	schtasks.exe
1528	schtasks.exe
1052	schtasks.exe
3944	schtasks.exe
3184	schtasks.exe
848	schtasks.exe
1160	schtasks.exe
2376	schtasks.exe
3236	schtasks.exe
2396	schtasks.exe
340	schtasks.exe
2684	schtasks.exe
3204	schtasks.exe
4872	schtasks.exe
4444	schtasks.exe
3220	schtasks.exe
1000	schtasks.exe
400	schtasks.exe
2704	schtasks.exe
3632	schtasks.exe
212	schtasks.exe
1528	schtasks.exe
2396	schtasks.exe
4272	schtasks.exe
3712	schtasks.exe
2024	schtasks.exe
3536	schtasks.exe
4272	schtasks.exe
3176	schtasks.exe
4928	schtasks.exe
2192	schtasks.exe
4044	schtasks.exe
1608	schtasks.exe
3292	schtasks.exe
4904	schtasks.exe
4452	schtasks.exe
3392	schtasks.exe
3232	schtasks.exe
1000	schtasks.exe
3272	schtasks.exe
4620	schtasks.exe
376	schtasks.exe
4604	schtasks.exe
1796	schtasks.exe

Modifies registry class 3 IoCs

Processes:

0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exebrokercrt.exebrokercrt.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	brokercrt.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	brokercrt.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

brokercrt.exebrokercrt.exebrokercrt.exe

pid	process
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4592	brokercrt.exe
4932	brokercrt.exe
4932	brokercrt.exe
4932	brokercrt.exe
4932	brokercrt.exe
3736	brokercrt.exe
3736	brokercrt.exe
3736	brokercrt.exe
3736	brokercrt.exe
3736	brokercrt.exe
3736	brokercrt.exe
3736	brokercrt.exe
3736	brokercrt.exe
3736	brokercrt.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

brokercrt.exebrokercrt.exebrokercrt.exe

description pid process

Token: SeDebugPrivilege 4592 brokercrt.exe
Token: SeDebugPrivilege 4932 brokercrt.exe
Token: SeDebugPrivilege 3736 brokercrt.exe

description	pid	process
Token: SeDebugPrivilege	4592	brokercrt.exe
Token: SeDebugPrivilege	4932	brokercrt.exe
Token: SeDebugPrivilege	3736	brokercrt.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exeWScript.execmd.exebrokercrt.execmd.exebrokercrt.execmd.exe

description	pid	process	target process
PID 4084 wrote to memory of 4692	4084	0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe	WScript.exe
PID 4084 wrote to memory of 4692	4084	0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe	WScript.exe
PID 4084 wrote to memory of 4692	4084	0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe	WScript.exe
PID 4692 wrote to memory of 1760	4692	WScript.exe	cmd.exe
PID 4692 wrote to memory of 1760	4692	WScript.exe	cmd.exe
PID 4692 wrote to memory of 1760	4692	WScript.exe	cmd.exe
PID 1760 wrote to memory of 4592	1760	cmd.exe	brokercrt.exe
PID 1760 wrote to memory of 4592	1760	cmd.exe	brokercrt.exe
PID 4592 wrote to memory of 4576	4592	brokercrt.exe	cmd.exe
PID 4592 wrote to memory of 4576	4592	brokercrt.exe	cmd.exe
PID 4576 wrote to memory of 996	4576	cmd.exe	w32tm.exe
PID 4576 wrote to memory of 996	4576	cmd.exe	w32tm.exe
PID 4576 wrote to memory of 4932	4576	cmd.exe	brokercrt.exe
PID 4576 wrote to memory of 4932	4576	cmd.exe	brokercrt.exe
PID 4932 wrote to memory of 5084	4932	brokercrt.exe	cmd.exe
PID 4932 wrote to memory of 5084	4932	brokercrt.exe	cmd.exe
PID 5084 wrote to memory of 2188	5084	cmd.exe	w32tm.exe
PID 5084 wrote to memory of 2188	5084	cmd.exe	w32tm.exe
PID 5084 wrote to memory of 3736	5084	cmd.exe	brokercrt.exe
PID 5084 wrote to memory of 3736	5084	cmd.exe	brokercrt.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe
"C:\Users\Admin\AppData\Local\Temp\0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe"
1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ReviewHost\Qtt5UtOWbMYxPmztsNxVxiRIZauHb.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\ReviewHost\brokercrt.exe
"C:\ReviewHost\brokercrt.exe"
4⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Pz4gQsdla.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:996

C:\ReviewHost\brokercrt.exe
"C:\ReviewHost\brokercrt.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z0plRkgOoI.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:2188

C:\Program Files (x86)\Adobe\Acrobat Reader DC\brokercrt.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\brokercrt.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\ReviewHost\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\ReviewHost\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\ReviewHost\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\Settings\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\DiagTrack\Settings\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\ReviewHost\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\ReviewHost\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\ReviewHost\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SystemApps\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "brokercrtb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\brokercrt.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "brokercrt" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\brokercrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "brokercrtb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\brokercrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\ReviewHost\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ReviewHost\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\ReviewHost\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\ReviewHost\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\ReviewHost\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\ReviewHost\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\lsass.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backgroundTaskHost.exe'" /f
1⤵
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Music\unsecapp.exe'" /f
1⤵
- DcRat
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Music\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe
Filesize
216B

MD5
7b4906d1cb87de73f115581dcaf9e232

SHA1
0e02caa3ce91fc59267606430158c7d3e112b700

SHA256
9c3b3e61ce002f1d33d5228dbbf535400f16646f1d83747251ff7849c5a32495

SHA512
5f6f967a49c329a6946bbe0c2d43ad4751d9a914ddf244c1055fb0678a1982f60401dbdbde153b2027652e23eb83e2ac7d9be77a897d5023435e3aef65aabb96

Download Submit
C:\ReviewHost\Qtt5UtOWbMYxPmztsNxVxiRIZauHb.bat
Filesize
29B

MD5
17370288e4e03fad288831ae1f887483

SHA1
8afdd43b5b01ee9517981e8e285113e2a08305f2

SHA256
ab7fe15930980a0b150427e5a7bda9234292fa63e6358654ea2e356ddbceaf66

SHA512
00e0253a0ca8ac0e8f44b716ed4357ac4790d2809172fdc5385607a888449e03f634444ac8e8689615a0ad7ed162f6b42ec4e0b2aecea532c66575d047f22162

Download Submit
C:\ReviewHost\brokercrt.exe
Filesize
828KB

MD5
96b975481850add8ccb0353227eceb87

SHA1
f201465c8e9eef2193c0023e5593f901d0c2a7f0

SHA256
0032fb8bb3e91a8063a769e8504814f02222448c01b61e3990b35316525057c9

SHA512
27a4100a0f3b8e859436859f2ed23207ce7d4236d42881b6d79b1591816864921a00d98693a60d6c9444dbefd95c3833bc86ec0a20953f9d3b249ea7f527b6b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\brokercrt.exe.log
Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Pz4gQsdla.bat
Filesize
192B

MD5
807e2a8f454d8f6b92427009c3f70565

SHA1
ce23ab8ddb0c92a9be988e6aa631d85753cc2ab4

SHA256
20a5d967ed579f07995bc3706b794a868f567e315598a997cf422c0b42aec512

SHA512
2be15e6e734d444936ca45d964f3f23f3585d4fbaf40eedc29205659f40d4bf014cd9d040fb2488464f917469cee8faa5304771c89f39c80bb2ce5c06b6be7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0plRkgOoI.bat
Filesize
225B

MD5
d3263c8502e095723baf797cb83e1187

SHA1
65ebc16d22764e6835e1fcd4d86fba8aa824f760

SHA256
a86798fa0d485fd8371ca5460afb16afc57ef4086cd29e34fb6084efd515c625

SHA512
7eaa7104e0a4bfe69a957bf554c1b1cdc65c50f697c6333ade01ef4ae9c4d83887f16a6c9fc08fbdea3da2291ebbaf8aa9f64e9b98f2ebc0db7288bf771b654f

Download Submit
memory/3736-89-0x00007FFEE3260000-0x00007FFEE3D21000-memory.dmp

Filesize
10.8MB

Download
memory/3736-90-0x000000001B570000-0x000000001B580000-memory.dmp

Filesize
64KB

Download
memory/3736-91-0x00007FFEE3260000-0x00007FFEE3D21000-memory.dmp

Filesize
10.8MB

Download
memory/4592-54-0x00007FFEE34A0000-0x00007FFEE3F61000-memory.dmp

Filesize
10.8MB

Download
memory/4592-14-0x000000001B1B0000-0x000000001B1C0000-memory.dmp

Filesize
64KB

Download
memory/4592-13-0x00007FFEE34A0000-0x00007FFEE3F61000-memory.dmp

Filesize
10.8MB

Download
memory/4592-12-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/4932-58-0x00007FFEE34A0000-0x00007FFEE3F61000-memory.dmp

Filesize
10.8MB

Download
memory/4932-60-0x000000001B310000-0x000000001B320000-memory.dmp

Filesize
64KB

Download
memory/4932-84-0x00007FFEE34A0000-0x00007FFEE3F61000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads