dcrat | 13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc

General

Target

13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc.exe
Size

1.6MB
MD5

a0fc62e3b7ee3716781698677ef0a315
SHA1

679ee9e6c503af58943768fac7801a0c85149728
SHA256

13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc
SHA512

6d5f5cde273aebea5e97561c94e3a068e3b966dc0d8455d90f0bedcefbe2cd888457c60f639e77cdd3e6bd2b79b45fe1467f6eded81ddaf92ff6fde1bd2ba30b
SSDEEP

49152:BI3GKRB71HIfHaM+j4av2JIZF9YvOaXdFi:qPRB5HISGauJIn95eo

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	4088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	4088	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wininit.exeComContainer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComContainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ComContainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ComContainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe	dcrat
behavioral2/memory/3020-25-0x0000000000880000-0x0000000000A4E000-memory.dmp	dcrat

Detects executables packed with SmartAssembly 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3020-31-0x000000001B6B0000-0x000000001B6BA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3020-37-0x000000001BF30000-0x000000001BF3C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3020-40-0x000000001BF60000-0x000000001BF6A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc.exeDCRatBuild.exeWScript.exeComContainer.exewininit.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	ComContainer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wininit.exe

Executes dropped EXE 3 IoCs

Processes:

DCRatBuild.exeComContainer.exewininit.exe

pid process

1776 DCRatBuild.exe
3020 ComContainer.exe
4452 wininit.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1776	DCRatBuild.exe
3020	ComContainer.exe
4452	wininit.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wininit.exeComContainer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComContainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComContainer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe

Drops file in Program Files directory 6 IoCs

Processes:

ComContainer.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe	ComContainer.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe	ComContainer.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\56085415360792	ComContainer.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\dwm.exe	ComContainer.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\6cb0b6c459d5d3	ComContainer.exe
File created	C:\Program Files\ModifiableWindowsApps\sihost.exe	ComContainer.exe

Drops file in Windows directory 10 IoCs

Processes:

ComContainer.exe

description	ioc	process
File created	C:\Windows\AppReadiness\SppExtComObj.exe	ComContainer.exe
File created	C:\Windows\AppReadiness\e1ef82546f0b02	ComContainer.exe
File created	C:\Windows\Globalization\ICU\5b884080fd4f94	ComContainer.exe
File created	C:\Windows\tracing\OfficeClickToRun.exe	ComContainer.exe
File created	C:\Windows\tracing\e6c9b481da804f	ComContainer.exe
File created	C:\Windows\Setup\SppExtComObj.exe	ComContainer.exe
File created	C:\Windows\Setup\e1ef82546f0b02	ComContainer.exe
File created	C:\Windows\Globalization\ICU\fontdrvhost.exe	ComContainer.exe
File created	C:\Windows\Migration\WTR\System.exe	ComContainer.exe
File created	C:\Windows\Migration\WTR\27d1bcfc3c54e0	ComContainer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3892	schtasks.exe
1328	schtasks.exe
3680	schtasks.exe
4344	schtasks.exe
3968	schtasks.exe
2744	schtasks.exe
4628	schtasks.exe
3676	schtasks.exe
460	schtasks.exe
3768	schtasks.exe
2028	schtasks.exe
4636	schtasks.exe
2748	schtasks.exe
1424	schtasks.exe
4200	schtasks.exe
1200	schtasks.exe
3612	schtasks.exe
2508	schtasks.exe
4212	schtasks.exe
1012	schtasks.exe
924	schtasks.exe
2592	schtasks.exe
64	schtasks.exe
2420	schtasks.exe
3644	schtasks.exe
3540	schtasks.exe
3280	schtasks.exe

Modifies registry class 2 IoCs

Processes:

DCRatBuild.exewininit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	wininit.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

ComContainer.exewininit.exe

pid	process
3020	ComContainer.exe
3020	ComContainer.exe
3020	ComContainer.exe
3020	ComContainer.exe
3020	ComContainer.exe
3020	ComContainer.exe
3020	ComContainer.exe
3020	ComContainer.exe
3020	ComContainer.exe
3020	ComContainer.exe
3020	ComContainer.exe
3020	ComContainer.exe
3020	ComContainer.exe
3020	ComContainer.exe
3020	ComContainer.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe
4452	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

wininit.exe

pid process

4452 wininit.exe

pid	process
4452	wininit.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

ComContainer.exewininit.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3020	ComContainer.exe
Token: SeDebugPrivilege	4452	wininit.exe
Token: SeBackupPrivilege	4092	vssvc.exe
Token: SeRestorePrivilege	4092	vssvc.exe
Token: SeAuditPrivilege	4092	vssvc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc.exeDCRatBuild.exeWScript.execmd.exeComContainer.exewininit.exe

description	pid	process	target process
PID 3540 wrote to memory of 1776	3540	13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc.exe	DCRatBuild.exe
PID 3540 wrote to memory of 1776	3540	13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc.exe	DCRatBuild.exe
PID 3540 wrote to memory of 1776	3540	13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc.exe	DCRatBuild.exe
PID 1776 wrote to memory of 1864	1776	DCRatBuild.exe	WScript.exe
PID 1776 wrote to memory of 1864	1776	DCRatBuild.exe	WScript.exe
PID 1776 wrote to memory of 1864	1776	DCRatBuild.exe	WScript.exe
PID 1864 wrote to memory of 2680	1864	WScript.exe	cmd.exe
PID 1864 wrote to memory of 2680	1864	WScript.exe	cmd.exe
PID 1864 wrote to memory of 2680	1864	WScript.exe	cmd.exe
PID 2680 wrote to memory of 3020	2680	cmd.exe	ComContainer.exe
PID 2680 wrote to memory of 3020	2680	cmd.exe	ComContainer.exe
PID 3020 wrote to memory of 4452	3020	ComContainer.exe	wininit.exe
PID 3020 wrote to memory of 4452	3020	ComContainer.exe	wininit.exe
PID 4452 wrote to memory of 1992	4452	wininit.exe	WScript.exe
PID 4452 wrote to memory of 1992	4452	wininit.exe	WScript.exe
PID 4452 wrote to memory of 2532	4452	wininit.exe	WScript.exe
PID 4452 wrote to memory of 2532	4452	wininit.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

ComContainer.exewininit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ComContainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ComContainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ComContainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc.exe
"C:\Users\Admin\AppData\Local\Temp\13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\JFcWz5uGBCcQNylIeBn.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\FCDPQha3l1059hFdl7xiPA.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe
"C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe"
5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3020

C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe"
6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4452

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af6a99c3-65be-443f-94a2-259974fe0559.vbs"
7⤵
PID:1992

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1240ba21-0012-42fa-901f-9e60e5ff73b5.vbs"
7⤵
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\AppReadiness\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\AppReadiness\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\AppReadiness\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\ICU\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Globalization\ICU\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\ICU\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\tracing\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Setup\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1240ba21-0012-42fa-901f-9e60e5ff73b5.vbs
Filesize
511B

MD5
e9e89945f016947b385b5c02251bb4b9

SHA1
2e1f2b11bee983a60009163c1f20884d2ce0565a

SHA256
2508cf47c73702593baf8d4e4b7f33d039c5e193f1eccbddb56bd558b042fac7

SHA512
1224abbde6989196eca411413dd3fc45407224c28a8a10b794e7de7b506e38d51bd52ecda8cc3d9e8fadb1d50fb288d9408495646e085c690bc1e42203c7fc21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
Filesize
2.1MB

MD5
84c02f6e1108d21bc6d871d4f0e67dd1

SHA1
fc46781b941cb8b9493d1f89a835e60eebad1fe1

SHA256
0b3af1714c58b112a179b1efe5d9b381cba0c06450860ae8134b386fe2fe5e8f

SHA512
c4ca21b5b571eaaa58f63134337b2d01f9aba2dd1684a5ca2e57c8df34cf266b846fddc21f2b567cec3c714d08d47103059cb848a1a5e9efcaf6b3efde069510

Download Submit
C:\Users\Admin\AppData\Local\Temp\af6a99c3-65be-443f-94a2-259974fe0559.vbs
Filesize
735B

MD5
96bce64f11626779ad4354b95f7567ee

SHA1
9776e368df24835a8113f70235b74f6266ec09fe

SHA256
153bfffdf268af8fd866df3ca4cd01658b7ea70427912926cf445eced9ab0681

SHA512
b52e1be2f1dabdb5be62bf6272c2f48e11b034a3d132b45af0319a01b67e13704a06b208f541592d80e8d69d7fb95b643c476fef2f2ee6866f3a53d6cbbe6bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe
Filesize
1.8MB

MD5
d4d11ed815db57efe9580e29900df34e

SHA1
14b275d8df38bad245b92c1980a1e0eb6491dbce

SHA256
fb41a0fd339ab301f2f33eb97a562af1876e394493fe9f114fa6ff5f9f7d82b8

SHA512
375d489af26b7c48e8d73f31e2105bab5f84e80e7f8c32813a6ca574583c3ace0dfc23720964fc10000b3eeda70ab34ca692b22c9c696fc046c6509f38f8263b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\FCDPQha3l1059hFdl7xiPA.bat
Filesize
52B

MD5
b56593dfa47cd5d585cf8f8d88c11b05

SHA1
c70b8eec01fe9102c2e7cd3605dab47756f9643e

SHA256
bae7494aa08a5d634830c205febb819b546b1633d2d2c74be6b78eee19c5514c

SHA512
402da79f69e08391217210a273eb735036760ebfd5115537c8965128e11640071ba76438d7d236b6c93db697e90f9a994a2fcc29fed02edcb7ef6195a703c7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\JFcWz5uGBCcQNylIeBn.vbe
Filesize
229B

MD5
8f6a53617f67becfab8753b32ce07e70

SHA1
111bfba12a529a29baf5c80300dd5f4432be5c20

SHA256
146e2cc8c7a342377dde4a2d323fba53afa9833e66539de23d120f414c4ffd4e

SHA512
e40ee02738f686db97275ab9c87c2b96081d7395c3fe6365ee19c3348dd3f09ee3d423ad686af4e2f9214a0e1e3078bd4e7e4c2030ea87545b2b57cc60f531dc

Download Submit
memory/3020-31-0x000000001B6B0000-0x000000001B6BA000-memory.dmp

Filesize
40KB

Download
memory/3020-34-0x000000001BCF0000-0x000000001BCFC000-memory.dmp

Filesize
48KB

Download
memory/3020-25-0x0000000000880000-0x0000000000A4E000-memory.dmp

Filesize
1.8MB

Download
memory/3020-26-0x0000000002BD0000-0x0000000002BDE000-memory.dmp

Filesize
56KB

Download
memory/3020-27-0x000000001B670000-0x000000001B68C000-memory.dmp

Filesize
112KB

Download
memory/3020-28-0x000000001BD30000-0x000000001BD80000-memory.dmp

Filesize
320KB

Download
memory/3020-29-0x000000001B690000-0x000000001B6A6000-memory.dmp

Filesize
88KB

Download
memory/3020-30-0x000000001B510000-0x000000001B520000-memory.dmp

Filesize
64KB

Download
memory/3020-38-0x000000001BF40000-0x000000001BF48000-memory.dmp

Filesize
32KB

Download
memory/3020-32-0x000000001B6C0000-0x000000001B6CC000-memory.dmp

Filesize
48KB

Download
memory/3020-33-0x000000001BCE0000-0x000000001BCE8000-memory.dmp

Filesize
32KB

Download
memory/3020-39-0x000000001BF50000-0x000000001BF5C000-memory.dmp

Filesize
48KB

Download
memory/3020-35-0x000000001BD00000-0x000000001BD12000-memory.dmp

Filesize
72KB

Download
memory/3020-36-0x000000001C460000-0x000000001C988000-memory.dmp

Filesize
5.2MB

Download
memory/3020-37-0x000000001BF30000-0x000000001BF3C000-memory.dmp

Filesize
48KB

Download
memory/3020-43-0x000000001BF90000-0x000000001BF9E000-memory.dmp

Filesize
56KB

Download
memory/3020-42-0x000000001BF80000-0x000000001BF88000-memory.dmp

Filesize
32KB

Download
memory/3020-41-0x000000001BF70000-0x000000001BF7E000-memory.dmp

Filesize
56KB

Download
memory/3020-40-0x000000001BF60000-0x000000001BF6A000-memory.dmp

Filesize
40KB

Download
memory/3540-11-0x00007FFAF23C0000-0x00007FFAF2E81000-memory.dmp

Filesize
10.8MB

Download
memory/3540-0-0x00007FFAF23C3000-0x00007FFAF23C5000-memory.dmp

Filesize
8KB

Download
memory/3540-7-0x00007FFAF23C0000-0x00007FFAF2E81000-memory.dmp

Filesize
10.8MB

Download
memory/3540-1-0x0000000000750000-0x00000000008E6000-memory.dmp

Filesize
1.6MB

Download
memory/4452-83-0x000000001DD20000-0x000000001DEE2000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads