dcrat | c1fb621cbb84ba538603cae73960db7969ec4bde877e5692241c82ea25bdf644

General

Target

a452777147dc02f5d8ccacfc0502ac7c.exe
Size

828KB
MD5

a452777147dc02f5d8ccacfc0502ac7c
SHA1

da8810335c641f55872b90a6ea7f178a0875721c
SHA256

c1fb621cbb84ba538603cae73960db7969ec4bde877e5692241c82ea25bdf644
SHA512

5015d12dac1a4a6825dcd01adf04b9ea307b3654e851bf07e41087f4ebb1b744b67c397eb0af282b3452cae5849266c7e00c2e41537795d7c78e5c043012d760
SSDEEP

12288:jJx18sm9InH/pOz0KkYXPFSdj+ZygwBEMjdvcGtJN1adr:jBDmqnH/G0KkYXKcedvceN1ar

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 41 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exea452777147dc02f5d8ccacfc0502ac7c.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2752	schtasks.exe
1656	schtasks.exe
820	schtasks.exe
900	schtasks.exe
2812	schtasks.exe
1980	schtasks.exe
2000	schtasks.exe
2464	schtasks.exe
2860	schtasks.exe
2632	schtasks.exe
2524	schtasks.exe
2128	schtasks.exe
1620	schtasks.exe
File created	C:\Program Files\Windows Defender\69ddcba757bf72	a452777147dc02f5d8ccacfc0502ac7c.exe
2484	schtasks.exe
2300	schtasks.exe
1940	schtasks.exe
2312	schtasks.exe
264	schtasks.exe
780	schtasks.exe
2864	schtasks.exe
2600	schtasks.exe
2540	schtasks.exe
2792	schtasks.exe
1952	schtasks.exe
2120	schtasks.exe
1936	schtasks.exe
860	schtasks.exe
640	schtasks.exe
2228	schtasks.exe
2212	schtasks.exe
2724	schtasks.exe
File created	C:\Program Files\Windows Defender\smss.exe	a452777147dc02f5d8ccacfc0502ac7c.exe
2940	schtasks.exe
2808	schtasks.exe
2820	schtasks.exe
1424	schtasks.exe
2620	schtasks.exe
2604	schtasks.exe
1816	schtasks.exe
2424	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

a452777147dc02f5d8ccacfc0502ac7c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\smss.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Windows\\inf\\ASP.NET\\0006\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\Start Menu\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\csrss.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Windows\\inf\\ASP.NET\\0006\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\Start Menu\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dwm.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Windows\\inf\\ASP.NET\\0006\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\Start Menu\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dwm.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\System.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Windows\\inf\\ASP.NET\\0006\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Windows\\inf\\ASP.NET\\0006\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\Start Menu\\a452777147dc02f5d8ccacfc0502ac7c.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Windows\\inf\\ASP.NET\\0006\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\Start Menu\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dwm.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\a452777147dc02f5d8ccacfc0502ac7c.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Windows\\inf\\ASP.NET\\0006\\explorer.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Windows\\inf\\ASP.NET\\0006\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\Start Menu\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\System.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Windows\\inf\\ASP.NET\\0006\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\Start Menu\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dwm.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\System.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\", \"C:\\Windows\\inf\\ASP.NET\\0006\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\Start Menu\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2612	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2084-1-0x0000000000D10000-0x0000000000DE6000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe	dcrat
behavioral1/memory/1616-36-0x0000000000170000-0x0000000000246000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

1616 csrss.exe

pid	process
1616	csrss.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a452777147dc02f5d8ccacfc0502ac7c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dwm.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\inf\\ASP.NET\\0006\\explorer.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\csrss.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\inf\\ASP.NET\\0006\\explorer.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\audiodg.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Google\\Temp\\System.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\csrss.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a452777147dc02f5d8ccacfc0502ac7c = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\a452777147dc02f5d8ccacfc0502ac7c.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\csrss.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a452777147dc02f5d8ccacfc0502ac7c = "\"C:\\Users\\All Users\\Start Menu\\a452777147dc02f5d8ccacfc0502ac7c.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\System.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dwm.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\a452777147dc02f5d8ccacfc0502ac7c = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\a452777147dc02f5d8ccacfc0502ac7c.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Defender\\smss.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Defender\\smss.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\System.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\a452777147dc02f5d8ccacfc0502ac7c = "\"C:\\Users\\All Users\\Start Menu\\a452777147dc02f5d8ccacfc0502ac7c.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Google\\Temp\\System.exe\""	a452777147dc02f5d8ccacfc0502ac7c.exe

Drops file in Program Files directory 11 IoCs

Processes:

a452777147dc02f5d8ccacfc0502ac7c.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\27d1bcfc3c54e0	a452777147dc02f5d8ccacfc0502ac7c.exe
File created	C:\Program Files\Windows Defender\69ddcba757bf72	a452777147dc02f5d8ccacfc0502ac7c.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\886983d96e3d3e	a452777147dc02f5d8ccacfc0502ac7c.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	a452777147dc02f5d8ccacfc0502ac7c.exe
File created	C:\Program Files (x86)\Windows Portable Devices\101b941d020240	a452777147dc02f5d8ccacfc0502ac7c.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\dwm.exe	a452777147dc02f5d8ccacfc0502ac7c.exe
File created	C:\Program Files\Windows Defender\smss.exe	a452777147dc02f5d8ccacfc0502ac7c.exe
File opened for modification	C:\Program Files\Windows Defender\smss.exe	a452777147dc02f5d8ccacfc0502ac7c.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\csrss.exe	a452777147dc02f5d8ccacfc0502ac7c.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\6cb0b6c459d5d3	a452777147dc02f5d8ccacfc0502ac7c.exe
File created	C:\Program Files (x86)\Google\Temp\System.exe	a452777147dc02f5d8ccacfc0502ac7c.exe

Drops file in Windows directory 3 IoCs

Processes:

a452777147dc02f5d8ccacfc0502ac7c.exe

description	ioc	process
File created	C:\Windows\inf\ASP.NET\0006\7a0fd90576e088	a452777147dc02f5d8ccacfc0502ac7c.exe
File created	C:\Windows\rescache\rc0004\services.exe	a452777147dc02f5d8ccacfc0502ac7c.exe
File created	C:\Windows\inf\ASP.NET\0006\explorer.exe	a452777147dc02f5d8ccacfc0502ac7c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2464	schtasks.exe
2524	schtasks.exe
1656	schtasks.exe
2128	schtasks.exe
2792	schtasks.exe
1816	schtasks.exe
2120	schtasks.exe
2228	schtasks.exe
780	schtasks.exe
1424	schtasks.exe
820	schtasks.exe
1980	schtasks.exe
2808	schtasks.exe
860	schtasks.exe
2424	schtasks.exe
2632	schtasks.exe
2620	schtasks.exe
2940	schtasks.exe
1952	schtasks.exe
2812	schtasks.exe
2312	schtasks.exe
2540	schtasks.exe
1940	schtasks.exe
2820	schtasks.exe
2000	schtasks.exe
2860	schtasks.exe
2752	schtasks.exe
1620	schtasks.exe
900	schtasks.exe
264	schtasks.exe
640	schtasks.exe
2600	schtasks.exe
2484	schtasks.exe
2212	schtasks.exe
2864	schtasks.exe
1936	schtasks.exe
2724	schtasks.exe
2604	schtasks.exe
2300	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

a452777147dc02f5d8ccacfc0502ac7c.execsrss.exe

pid	process
2084	a452777147dc02f5d8ccacfc0502ac7c.exe
2084	a452777147dc02f5d8ccacfc0502ac7c.exe
2084	a452777147dc02f5d8ccacfc0502ac7c.exe
2084	a452777147dc02f5d8ccacfc0502ac7c.exe
2084	a452777147dc02f5d8ccacfc0502ac7c.exe
1616	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a452777147dc02f5d8ccacfc0502ac7c.execsrss.exe

description pid process

Token: SeDebugPrivilege 2084 a452777147dc02f5d8ccacfc0502ac7c.exe
Token: SeDebugPrivilege 1616 csrss.exe

description	pid	process
Token: SeDebugPrivilege	2084	a452777147dc02f5d8ccacfc0502ac7c.exe
Token: SeDebugPrivilege	1616	csrss.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a452777147dc02f5d8ccacfc0502ac7c.exe

description	pid	process	target process
PID 2084 wrote to memory of 1616	2084	a452777147dc02f5d8ccacfc0502ac7c.exe	csrss.exe
PID 2084 wrote to memory of 1616	2084	a452777147dc02f5d8ccacfc0502ac7c.exe	csrss.exe
PID 2084 wrote to memory of 1616	2084	a452777147dc02f5d8ccacfc0502ac7c.exe	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe
"C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe
  "C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\ASP.NET\0006\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\inf\ASP.NET\0006\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\inf\ASP.NET\0006\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a452777147dc02f5d8ccacfc0502ac7ca" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\a452777147dc02f5d8ccacfc0502ac7c.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a452777147dc02f5d8ccacfc0502ac7c" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\a452777147dc02f5d8ccacfc0502ac7c.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a452777147dc02f5d8ccacfc0502ac7ca" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\a452777147dc02f5d8ccacfc0502ac7c.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a452777147dc02f5d8ccacfc0502ac7ca" /sc MINUTE /mo 6 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\a452777147dc02f5d8ccacfc0502ac7c.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a452777147dc02f5d8ccacfc0502ac7c" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\a452777147dc02f5d8ccacfc0502ac7c.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a452777147dc02f5d8ccacfc0502ac7ca" /sc MINUTE /mo 6 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\a452777147dc02f5d8ccacfc0502ac7c.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
828KB

MD5
a452777147dc02f5d8ccacfc0502ac7c

SHA1
da8810335c641f55872b90a6ea7f178a0875721c

SHA256
c1fb621cbb84ba538603cae73960db7969ec4bde877e5692241c82ea25bdf644

SHA512
5015d12dac1a4a6825dcd01adf04b9ea307b3654e851bf07e41087f4ebb1b744b67c397eb0af282b3452cae5849266c7e00c2e41537795d7c78e5c043012d760

Download Submit
memory/1616-36-0x0000000000170000-0x0000000000246000-memory.dmp

Filesize
856KB

Download
memory/2084-0-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp

Filesize
4KB

Download
memory/2084-1-0x0000000000D10000-0x0000000000DE6000-memory.dmp

Filesize
856KB

Download
memory/2084-2-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-35-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads