dcrat | 460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3

General

Target

460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe
Size

3.2MB
MD5

a7efa1a450a8e594e78db49b8e496dfb
SHA1

f4f830b132f8ee15eee245581670498c9b3bf942
SHA256

460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3
SHA512

4aa1220b16c1fa32ede5ab7fd7ab0174d0cfb8f556e3798255d9f2a6e284fc3eb5860084297c26b06f94bbe2c62f8d6853c4b39ac7fae407496417b6a4c66b21
SSDEEP

49152:Xdh7FqRrDLaRmdx3GfjfWnS3zu/zocfRKoLNdCQDGLZlEb9GxL8T:xEGRmP3w6nazu/zdfR3dCQDUZnxgT

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 23 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exehyperDll.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3740	schtasks.exe
File created	C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9	hyperDll.exe
2380	schtasks.exe
1460	schtasks.exe
4388	schtasks.exe
1264	schtasks.exe
3696	schtasks.exe
4488	schtasks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe
3948	schtasks.exe
4848	schtasks.exe
3156	schtasks.exe
5084	schtasks.exe
1612	schtasks.exe
3124	schtasks.exe
3664	schtasks.exe
1232	schtasks.exe
3148	schtasks.exe
4984	schtasks.exe
3932	schtasks.exe
448	schtasks.exe
3680	schtasks.exe
668	schtasks.exe

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	1976	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	1976	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2596-0-0x0000000000400000-0x0000000000730000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\kult.cr4ck sk33t.exe	dcrat
C:\PortwinRuntimesvc\hyperDll.exe	dcrat
behavioral2/memory/2900-49-0x00000000007A0000-0x0000000000912000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exekult.cr4ck sk33t.exeWScript.exehyperDll.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	kult.cr4ck sk33t.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	hyperDll.exe

Executes dropped EXE 3 IoCs

Processes:

kult.cr4ck sk33t.exehyperDll.execonhost.exe

pid process

4696 kult.cr4ck sk33t.exe
2900 hyperDll.exe
4444 conhost.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

180 ipinfo.io
181 ipinfo.io

pid	process
4696	kult.cr4ck sk33t.exe
2900	hyperDll.exe
4444	conhost.exe

flow	ioc
180	ipinfo.io
181	ipinfo.io

Drops file in Program Files directory 9 IoCs

Processes:

hyperDll.exe

description	ioc	process
File created	C:\Program Files\Internet Explorer\RuntimeBroker.exe	hyperDll.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe	hyperDll.exe
File created	C:\Program Files\VideoLAN\backgroundTaskHost.exe	hyperDll.exe
File created	C:\Program Files (x86)\Windows NT\38384e6a620884	hyperDll.exe
File created	C:\Program Files (x86)\Windows NT\SearchApp.exe	hyperDll.exe
File created	C:\Program Files\Internet Explorer\9e8d7a4ca61bd9	hyperDll.exe
File created	C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe	hyperDll.exe
File created	C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9	hyperDll.exe
File created	C:\Program Files\VideoLAN\eddb19405b7ce1	hyperDll.exe

Drops file in Windows directory 4 IoCs

Processes:

hyperDll.exe

description	ioc	process
File created	C:\Windows\Panther\setup.exe\upfc.exe	hyperDll.exe
File created	C:\Windows\Panther\setup.exe\ea1d8f6d871115	hyperDll.exe
File created	C:\Windows\Cursors\conhost.exe	hyperDll.exe
File created	C:\Windows\Cursors\088424020bedd6	hyperDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3148	schtasks.exe
4984	schtasks.exe
3932	schtasks.exe
448	schtasks.exe
1612	schtasks.exe
4848	schtasks.exe
1232	schtasks.exe
2380	schtasks.exe
3124	schtasks.exe
3740	schtasks.exe
5084	schtasks.exe
1460	schtasks.exe
668	schtasks.exe
4488	schtasks.exe
3696	schtasks.exe
4388	schtasks.exe
3948	schtasks.exe
3680	schtasks.exe
3156	schtasks.exe
3664	schtasks.exe
1264	schtasks.exe

Modifies registry class 4 IoCs

Processes:

460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exekult.cr4ck sk33t.exehyperDll.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	kult.cr4ck sk33t.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	hyperDll.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hyperDll.execonhost.exe

pid	process
2900	hyperDll.exe
2900	hyperDll.exe
2900	hyperDll.exe
2900	hyperDll.exe
2900	hyperDll.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe
4444	conhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hyperDll.execonhost.exe

description pid process

Token: SeDebugPrivilege 2900 hyperDll.exe
Token: SeDebugPrivilege 4444 conhost.exe

description	pid	process
Token: SeDebugPrivilege	2900	hyperDll.exe
Token: SeDebugPrivilege	4444	conhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exekult.cr4ck sk33t.exeWScript.execmd.exehyperDll.execmd.exe

description	pid	process	target process
PID 2596 wrote to memory of 4992	2596	460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe	NOTEPAD.EXE
PID 2596 wrote to memory of 4992	2596	460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe	NOTEPAD.EXE
PID 2596 wrote to memory of 4992	2596	460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe	NOTEPAD.EXE
PID 2596 wrote to memory of 4696	2596	460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe	kult.cr4ck sk33t.exe
PID 2596 wrote to memory of 4696	2596	460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe	kult.cr4ck sk33t.exe
PID 2596 wrote to memory of 4696	2596	460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe	kult.cr4ck sk33t.exe
PID 4696 wrote to memory of 244	4696	kult.cr4ck sk33t.exe	WScript.exe
PID 4696 wrote to memory of 244	4696	kult.cr4ck sk33t.exe	WScript.exe
PID 4696 wrote to memory of 244	4696	kult.cr4ck sk33t.exe	WScript.exe
PID 244 wrote to memory of 1980	244	WScript.exe	cmd.exe
PID 244 wrote to memory of 1980	244	WScript.exe	cmd.exe
PID 244 wrote to memory of 1980	244	WScript.exe	cmd.exe
PID 1980 wrote to memory of 2900	1980	cmd.exe	hyperDll.exe
PID 1980 wrote to memory of 2900	1980	cmd.exe	hyperDll.exe
PID 2900 wrote to memory of 4760	2900	hyperDll.exe	cmd.exe
PID 2900 wrote to memory of 4760	2900	hyperDll.exe	cmd.exe
PID 4760 wrote to memory of 2100	4760	cmd.exe	w32tm.exe
PID 4760 wrote to memory of 2100	4760	cmd.exe	w32tm.exe
PID 4760 wrote to memory of 4444	4760	cmd.exe	conhost.exe
PID 4760 wrote to memory of 4444	4760	cmd.exe	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe
"C:\Users\Admin\AppData\Local\Temp\460e3932c1f76c83aeb5f294a84c5a2343d05bf40afadd3edae8c561f26f9ab3.exe"
1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\owned by.txt
2⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\kult.cr4ck sk33t.exe
"C:\Users\Admin\AppData\Local\Temp\kult.cr4ck sk33t.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PortwinRuntimesvc\ffRLAmtayM99Gv0oiiSapaf.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\PortwinRuntimesvc\ZNieXjB2f.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\PortwinRuntimesvc\hyperDll.exe
"C:\PortwinRuntimesvc\hyperDll.exe"
5⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tAV1Y7tqnp.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:2100

C:\Windows\Cursors\conhost.exe
"C:\Windows\Cursors\conhost.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\setup.exe\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\setup.exe\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Cursors\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortwinRuntimesvc\ZNieXjB2f.bat
Filesize
35B

MD5
1d3e0f5d079dc3e9b8e88850b43f060c

SHA1
f3f57445d8451b9d51c30982ec8e82187a1c2b33

SHA256
0f5c9758ab11b5bd09a90a5de0ab3b7b508d0f74df0ca26eafd03a7e9558fc33

SHA512
dacb2edc783cc21d036c15b23ce8f146b4acae8bc7b492ef31c51fbc5862aaac07579578be8c8b19b6a994b8223581f2f412c716f36da1d3efd9b9b75b1347c4

Download Submit
C:\PortwinRuntimesvc\ffRLAmtayM99Gv0oiiSapaf.vbe
Filesize
204B

MD5
9e44e136b50c53d735cdded477de329c

SHA1
6269e1ee78b92caa23c7ee5995c2ff629f78efee

SHA256
fc6ec48c2e8b1ed78619c5a5ce3a1c4565dec213c276e66b3d128de198223a62

SHA512
eadd28e51cff6281a26bf8664785622033c07486463a1ce0f21e82f081f2973b9430d2e50a9b4039b68a64d6ae1f5864ed012763badbd1a4bd4f2e196e8908f2

Download Submit
C:\PortwinRuntimesvc\hyperDll.exe
Filesize
1.4MB

MD5
ba5d55c5e9d38438c897e429cd02232c

SHA1
5913bbe96e7fbe091d1811180fa2d3c655eb9f7d

SHA256
f337253a8e7264e3f70ef5680dd7d956ae2fc8d985e36d24e2e45edcd8d3bd00

SHA512
8fe7b9e829ce6ae4597626ea4c37534d5ec089829f16b48af98ae781381d6b6f16a676a9c7287a421371cdd419a77376774aa953da2c2436e257e9c1548ecd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\kult.cr4ck sk33t.exe
Filesize
1.9MB

MD5
d4f80bee8c6303f318610068eb5e005a

SHA1
381312836f5f97f38f2054bab32ede45edb0ab46

SHA256
3b2fc67b69aaa534440bf2de8e1a93fc119732ac8e70f88b8a14cf76043dea54

SHA512
bcb25f1ce098a2f85e921b95202651f4fcf9381188f527bc8ba1f5533b5ddd2d886664b810421a487cf3763522b3d38eea640f4a0f70c519257d1252a03c473f

Download Submit
C:\Users\Admin\AppData\Local\Temp\owned by.txt
Filesize
28B

MD5
912764e00ce9efa72ce05eb892a8aa69

SHA1
45af8a3254ff8c514d1295c2f87d60e95e528022

SHA256
c18a047765a5a9ec5a04104d6bc83926c675cb187cdf1f4e6a0e111ad5f991e7

SHA512
a071e813a9b7b74cc0ffc42e67eaf4797d19c6d1bc3e18d6ea0b454fb8a87927501e0f68bf18aed91bc276812f47f220d621fb4bf8d85b56026689b371d7b505

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAV1Y7tqnp.bat
Filesize
195B

MD5
50cad052afbd017ec70059626e465871

SHA1
49b515a210395627183e178fda9c54d098ecc31c

SHA256
9f766e9675aa62ed93841e68ab1ebbe2d8039437e46f0ed0ee83eeecfcdf0290

SHA512
d60318994fee5c643897fabd890a853e8aab5190dcf153ed795c05dfa589d5a0f5985ceb64639c1bf30ea7c516bd289d8ae15ab66aa8085011380b0a8ee4785c

Download Submit
memory/2596-0-0x0000000000400000-0x0000000000730000-memory.dmp

Filesize
3.2MB

Download
memory/2900-55-0x000000001B470000-0x000000001B480000-memory.dmp

Filesize
64KB

Download
memory/2900-60-0x000000001B4B0000-0x000000001B4BC000-memory.dmp

Filesize
48KB

Download
memory/2900-52-0x0000000002A40000-0x0000000002A5C000-memory.dmp

Filesize
112KB

Download
memory/2900-53-0x000000001B4C0000-0x000000001B510000-memory.dmp

Filesize
320KB

Download
memory/2900-54-0x0000000002A60000-0x0000000002A68000-memory.dmp

Filesize
32KB

Download
memory/2900-50-0x00007FFAB4AB0000-0x00007FFAB5571000-memory.dmp

Filesize
10.8MB

Download
memory/2900-56-0x0000000002A70000-0x0000000002A7C000-memory.dmp

Filesize
48KB

Download
memory/2900-57-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2900-58-0x000000001C280000-0x000000001C7A8000-memory.dmp

Filesize
5.2MB

Download
memory/2900-51-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download
memory/2900-59-0x000000001B4A0000-0x000000001B4A8000-memory.dmp

Filesize
32KB

Download
memory/2900-61-0x000000001BE90000-0x000000001BE9E000-memory.dmp

Filesize
56KB

Download
memory/2900-62-0x000000001B510000-0x000000001B51A000-memory.dmp

Filesize
40KB

Download
memory/2900-63-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/2900-83-0x00007FFAB4AB0000-0x00007FFAB5571000-memory.dmp

Filesize
10.8MB

Download
memory/2900-49-0x00000000007A0000-0x0000000000912000-memory.dmp

Filesize
1.4MB

Download
memory/4444-88-0x00007FFAB48C0000-0x00007FFAB5381000-memory.dmp

Filesize
10.8MB

Download
memory/4444-89-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/4444-90-0x00007FFAB48C0000-0x00007FFAB5381000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads