Analysis
- max time kernel: 361s
- max time network: 363s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 19-06-2024 16:50

Static task: static1

Behavioral task: behavioral1
- Sample: Desktop.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: Desktop.exe
- Resource: win10v2004-20240226-en
General
- Target: Desktop.exe
- Size: 2.9MB
- MD5: 870bc89aac12414fb0b2283d58a57ce9
- SHA1: 2e3a4127668b6ae2db7566853a089f885911fd3c
- SHA256: 1a6f1c3694f5e3a128245228344423d3e5cfea709f72f5e18afcdab1caed7be2
- SHA512: 88d064936ae963939c1767663dd5a0807eee1c5e3c0cea48dec48be743b20fd1cdad298e708134683d3a3b2785146637d5206eb014a10be0724eeb0404e8a7c7
- SSDEEP: 49152:xvY3ShUkwbb96kTTEGjFZ01vkfDpf5YVNFbHKpRvv1BRHoMJKxRFwLfe:xw3MUkinXfjFZKvkf95YtjOVo2wRFZ
Malware Config
Signatures
- DcRat 32 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: schtasks.exe, Sessioncrt.exe, RTC_Launcher11.exe
pid  process
1084  schtasks.exe
1240  schtasks.exe
1672  schtasks.exe
1052  schtasks.exe
1480  schtasks.exe
2956  schtasks.exe
352  schtasks.exe
408  schtasks.exe
1328  schtasks.exe
2296  schtasks.exe
1656  schtasks.exe
2364  schtasks.exe
348  schtasks.exe
1696  schtasks.exe
1728  schtasks.exe
2000  schtasks.exe
1624  schtasks.exe
1860  schtasks.exe
2628  schtasks.exe
1596  schtasks.exe
676  schtasks.exe
1988  schtasks.exe
1768  schtasks.exe
2484  schtasks.exe
2596  schtasks.exe
2912  schtasks.exe
608  schtasks.exe
1544  schtasks.exe
1580  schtasks.exe
2844  schtasks.exe
description  ioc  process
File created  C:\Program Files (x86)\Windows NT\Accessories\es-ES\088424020bedd6  Sessioncrt.exe
File opened for modification  C:\Windows\system32\GDIPFONTCACHEV1.DAT  RTC_Launcher11.exe
- Modifies WinLogon for persistence 2 TTPs 21 IoCs
Processes: Sessioncrt.exe, audiodg.exe
description  ioc  process
Every row is a Set value (str) on \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; the value written and the writing process per row are:
"explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\""  Sessioncrt.exe
"explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\""  Sessioncrt.exe
"explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\""  Sessioncrt.exe
"explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\""  audiodg.exe
"explorer.exe, \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\""  audiodg.exe
"explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\""  audiodg.exe
"explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\""  audiodg.exe
"explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\""  Sessioncrt.exe
"explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\""  Sessioncrt.exe
"explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\""  Sessioncrt.exe
"explorer.exe, \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\""  audiodg.exe
"explorer.exe"  audiodg.exe
"explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\""  Sessioncrt.exe
"explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\""  Sessioncrt.exe
"explorer.exe, \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\""  audiodg.exe
"explorer.exe, \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\""  audiodg.exe
"explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\""  audiodg.exe
"explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\""  Sessioncrt.exe
"explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\""  Sessioncrt.exe
"explorer.exe, \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\""  audiodg.exe
"explorer.exe, \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\""  audiodg.exe
- Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (54 instances)
description  pid  pid_target  process  target process
Every row has the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process" and the process schtasks.exe; pid and pid_target per row are:
348  1628
2596  1628
2628  1628
1656  1628
2956  1628
1580  1628
352  1628
1624  1628
1596  1628
1240  1628
2844  1628
1696  1628
2912  1628
1728  1628
676  1628
1052  1628
1480  1628
608  1628
1988  1628
2296  1628
1768  1628
408  1628
2484  1628
2364  1628
1544  1628
1672  1628
1084  1628
2000  1628
1328  1628
1860  1628
2648  2360
1936  2360
2092  2360
2848  2360
2736  2360
2964  2360
1644  2360
1820  2360
3032  2360
2900  2360
1276  2360
1940  2360
2972  2360
1100  2360
1620  2360
1632  2360
1240  2360
1180  2360
1692  2360
612  2360
2840  2360
2504  2360
692  2360
2940  2360
Processes:
resource  yara_rule
\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe  dcrat
C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe  dcrat
behavioral1/memory/2080-61-0x0000000001150000-0x000000000127C000-memory.dmp  dcrat
behavioral1/memory/568-92-0x0000000000E10000-0x0000000000F3C000-memory.dmp  dcrat
- Executes dropped EXE 5 IoCs
Processes: DCRatBuild_protected.sfx.exe, RTC_Launcher11.exe, DCRatBuild_protected.exe, Sessioncrt.exe, audiodg.exe
pid  process
1732  DCRatBuild_protected.sfx.exe
2784  RTC_Launcher11.exe
2260  DCRatBuild_protected.exe
2080  Sessioncrt.exe
568  audiodg.exe
- Loads dropped DLL 12 IoCs
Processes: Desktop.exe, DCRatBuild_protected.sfx.exe, cmd.exe
pid  process
1740  Desktop.exe  (7 rows)
1732  DCRatBuild_protected.sfx.exe  (3 rows)
3036  cmd.exe  (2 rows)
- Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application 2 TTPs 20 IoCs
Processes: Sessioncrt.exe
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Desktop\\wininit.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Microsoft\\wininit.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default User\\services.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Templates\\sppsvc.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Microsoft\\wininit.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Desktop\\wininit.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Templates\\sppsvc.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\""  Sessioncrt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default User\\services.exe\""  Sessioncrt.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: DCRatBuild_protected.exe
pid  process
2260  DCRatBuild_protected.exe
- Drops file in Program Files directory 11 IoCs
Processes: Sessioncrt.exe
description  ioc  process
File created  C:\Program Files (x86)\Common Files\f3b6ecef712a24  Sessioncrt.exe
File created  C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe  Sessioncrt.exe
File created  C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe  Sessioncrt.exe
File created  C:\Program Files (x86)\Windows NT\Accessories\es-ES\conhost.exe  Sessioncrt.exe
File opened for modification  C:\Program Files (x86)\Windows NT\Accessories\es-ES\conhost.exe  Sessioncrt.exe
File created  C:\Program Files\Windows Photo Viewer\fr-FR\56085415360792  Sessioncrt.exe
File created  C:\Program Files\Windows NT\TableTextService\sppsvc.exe  Sessioncrt.exe
File created  C:\Program Files\Windows NT\TableTextService\0a1fd5f707cd16  Sessioncrt.exe
File created  C:\Program Files (x86)\Microsoft Analysis Services\b75386f1303e64  Sessioncrt.exe
File created  C:\Program Files (x86)\Windows NT\Accessories\es-ES\088424020bedd6  Sessioncrt.exe
File created  C:\Program Files (x86)\Common Files\spoolsv.exe  Sessioncrt.exe
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (30 instances)
pid  process
2000  schtasks.exe
2912  schtasks.exe
1672  schtasks.exe
2844  schtasks.exe
1696  schtasks.exe
676  schtasks.exe
1768  schtasks.exe
2484  schtasks.exe
2364  schtasks.exe
348  schtasks.exe
2956  schtasks.exe
1860  schtasks.exe
1240  schtasks.exe
2296  schtasks.exe
1544  schtasks.exe
1328  schtasks.exe
2596  schtasks.exe
608  schtasks.exe
1596  schtasks.exe
1052  schtasks.exe
408  schtasks.exe
1084  schtasks.exe
352  schtasks.exe
1988  schtasks.exe
1580  schtasks.exe
1624  schtasks.exe
1728  schtasks.exe
1480  schtasks.exe
2628  schtasks.exe
1656  schtasks.exe
- Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: Sessioncrt.exe, audiodg.exe
pid  process
2080  Sessioncrt.exe  (3 rows)
568  audiodg.exe  (9 rows)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: audiodg.exe
pid  process
568  audiodg.exe
- Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: RTC_Launcher11.exe, Sessioncrt.exe, audiodg.exe
description  pid  process
Token: SeDebugPrivilege  2784  RTC_Launcher11.exe
Token: SeDebugPrivilege  2080  Sessioncrt.exe
Token: SeDebugPrivilege  568  audiodg.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
Processes: DCRatBuild_protected.exe
pid  process
2260  DCRatBuild_protected.exe
- Suspicious use of WriteProcessMemory 33 IoCs
Processes: Desktop.exe, DCRatBuild_protected.sfx.exe, DCRatBuild_protected.exe, WScript.exe, cmd.exe, Sessioncrt.exe, audiodg.exe, cmd.exe
description  pid  process  target process
PID 1740 wrote to memory of 1732  1740  Desktop.exe  DCRatBuild_protected.sfx.exe  (4 rows)
PID 1740 wrote to memory of 2784  1740  Desktop.exe  RTC_Launcher11.exe  (4 rows)
PID 1732 wrote to memory of 2260  1732  DCRatBuild_protected.sfx.exe  DCRatBuild_protected.exe  (4 rows)
PID 2260 wrote to memory of 2600  2260  DCRatBuild_protected.exe  WScript.exe  (4 rows)
PID 2600 wrote to memory of 3036  2600  WScript.exe  cmd.exe  (4 rows)
PID 3036 wrote to memory of 2080  3036  cmd.exe  Sessioncrt.exe  (4 rows)
PID 2080 wrote to memory of 568  2080  Sessioncrt.exe  audiodg.exe  (3 rows)
PID 568 wrote to memory of 580  568  audiodg.exe  cmd.exe  (3 rows)
PID 580 wrote to memory of 1424  580  cmd.exe  w32tm.exe  (3 rows)
- Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Desktop.exe"C:\Users\Admin\AppData\Local\Temp\Desktop.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe"C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe"C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\MNBkvV.vbe"4⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\GRg9f5iKbJVOs6KIXB4m8M.bat" "5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe"C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe"6⤵
- DcRat
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe"C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat" "8⤵
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1424
-
C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe"C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe"2⤵
- DcRat
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\wininit.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Desktop\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\sppsvc.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Templates\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\wininit.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\services.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "Sessioncrt" /f
- Process spawned unexpected child process
PID:2648
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "SessioncrtS" /f
- Process spawned unexpected child process
PID:1936
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "conhost" /f
- Process spawned unexpected child process
PID:2092
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "conhostc" /f
- Process spawned unexpected child process
PID:2848
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "spoolsv" /f
- Process spawned unexpected child process
PID:2736
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "spoolsvs" /f
- Process spawned unexpected child process
PID:2964
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "audiodg" /f
- Process spawned unexpected child process
PID:1644
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "audiodga" /f
- Process spawned unexpected child process
PID:1820
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "wininit" /f
- Process spawned unexpected child process
PID:3032
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "wininitw" /f
- Process spawned unexpected child process
PID:2900
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "wininit" /f
- Process spawned unexpected child process
PID:1276
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "wininitw" /f
- Process spawned unexpected child process
PID:1940
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "sppsvc" /f
- Process spawned unexpected child process
PID:2972
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "sppsvcs" /f
- Process spawned unexpected child process
PID:1100
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "wininit" /f
- Process spawned unexpected child process
PID:1620
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "wininitw" /f
- Process spawned unexpected child process
PID:1632
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "services" /f
- Process spawned unexpected child process
PID:1240
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "servicess" /f
- Process spawned unexpected child process
PID:1180
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "sppsvc" /f
- Process spawned unexpected child process
PID:1692
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "sppsvcs" /f
- Process spawned unexpected child process
PID:612
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "taskhost" /f
- Process spawned unexpected child process
PID:2840
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "taskhostt" /f
- Process spawned unexpected child process
PID:2504
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "audiodg" /f
- Process spawned unexpected child process
PID:692
-
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /delete /tn "audiodga" /f
- Process spawned unexpected child process
PID:2940
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Downloads
-
C:\Program Files (x86)\Common Files\f3b6ecef712a24 (Filesize 421B)
-
C:\Program Files (x86)\Microsoft Analysis Services\b75386f1303e64 (Filesize 468B)
-
C:\Program Files (x86)\Windows NT\Accessories\es-ES\088424020bedd6 (Filesize 231B)
-
C:\Program Files\Windows NT\TableTextService\0a1fd5f707cd16 (Filesize 881B)
-
C:\Program Files\Windows Photo Viewer\fr-FR\56085415360792 (Filesize 323B)
-
C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat (Filesize 379B)
-
C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe (Filesize 758KB)
-
C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\GRg9f5iKbJVOs6KIXB4m8M.bat (Filesize 48B)
-
C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\MNBkvV.vbe (Filesize 227B)
-
C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe (Filesize 1.1MB)
-
C:\Users\All Users\Microsoft\56085415360792 (Filesize 146B)
-
C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\42af1c969fbb7b (Filesize 400B)
-
C:\Users\All Users\Templates\0a1fd5f707cd16 (Filesize 454B)
-
C:\Users\Default User\c5b4cb5e9653cc (Filesize 224B)
-
C:\Users\Public\Desktop\56085415360792 (Filesize 47B)
-
\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe (Filesize 2.5MB)
-
\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe (Filesize 2.2MB)
-
memory/568-92-0x0000000000E10000-0x0000000000F3C000-memory.dmp (Filesize 1.2MB)
-
memory/1732-42-0x0000000003DF0000-0x00000000041F3000-memory.dmp (Filesize 4.0MB)
-
memory/2080-63-0x00000000004A0000-0x00000000004B0000-memory.dmp (Filesize 64KB)
-
memory/2080-65-0x0000000000B10000-0x0000000000B1C000-memory.dmp (Filesize 48KB)
-
memory/2080-64-0x0000000000860000-0x000000000086A000-memory.dmp (Filesize 40KB)
-
memory/2080-62-0x0000000000630000-0x000000000064C000-memory.dmp (Filesize 112KB)
-
memory/2080-61-0x0000000001150000-0x000000000127C000-memory.dmp (Filesize 1.2MB)
-
memory/2260-54-0x0000000000BD0000-0x0000000000FD3000-memory.dmp (Filesize 4.0MB)
-
memory/2260-43-0x0000000000BD0000-0x0000000000FD3000-memory.dmp (Filesize 4.0MB)
-
memory/2784-45-0x0000000001120000-0x00000000011E4000-memory.dmp (Filesize 784KB)