dcrat | 25676c8823526376763d08d0b7a835ca9f989676ad07e7dea8f1e66556ff7ac4

General

Target

2fd91fb204ecbf2d457ecba27ac0d150N.exe
Size

827KB
MD5

2fd91fb204ecbf2d457ecba27ac0d150
SHA1

e748460f2c9b8d4c95fe38b75b6ad7fa7709907d
SHA256

25676c8823526376763d08d0b7a835ca9f989676ad07e7dea8f1e66556ff7ac4
SHA512

ac1d50644567baf4f9e0bfef29297a992826fd2fec70ab9bc6243c666479a810372b768299545d64d15e4321ae75948ea1a6fb8d062eb6b475481b181822cd84
SSDEEP

12288:7sW6tROk7uzV48iOC4rmQTgki80axC06XQxBnLFxja1a40ms:7gT7uzVtrm8XC0f/Jxja1E

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2696	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3604-0-0x0000000000980000-0x0000000000A56000-memory.dmp	dcrat
C:\Recovery\WindowsRE\explorer.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2fd91fb204ecbf2d457ecba27ac0d150N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	2fd91fb204ecbf2d457ecba27ac0d150N.exe

Executes dropped EXE 1 IoCs

Processes:

backgroundTaskHost.exe

pid process

4480 backgroundTaskHost.exe

pid	process
4480	backgroundTaskHost.exe

Drops file in Program Files directory 17 IoCs

Processes:

2fd91fb204ecbf2d457ecba27ac0d150N.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Mail\eddb19405b7ce1	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\ea9f0e6c9e2dcd	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\ee2ad38f3d4382	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files\Java\fontdrvhost.exe	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files\Java\5b884080fd4f94	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backgroundTaskHost.exe	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files (x86)\Google\Temp\eddb19405b7ce1	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\fontdrvhost.exe	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\Registry.exe	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\taskhostw.exe	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\SppExtComObj.exe	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\e1ef82546f0b02	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files (x86)\Google\Temp\backgroundTaskHost.exe	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\5b884080fd4f94	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\6ccacd8608530f	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe	2fd91fb204ecbf2d457ecba27ac0d150N.exe

Drops file in Windows directory 4 IoCs

Processes:

2fd91fb204ecbf2d457ecba27ac0d150N.exe

description	ioc	process
File created	C:\Windows\DigitalLocker\en-US\unsecapp.exe	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Windows\DigitalLocker\en-US\29c1c3cc0f7685	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Windows\PrintDialog\en-US\unsecapp.exe	2fd91fb204ecbf2d457ecba27ac0d150N.exe
File created	C:\Windows\SystemResources\Windows.ParentalControlsSettings\Images\taskhostw.exe	2fd91fb204ecbf2d457ecba27ac0d150N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

2fd91fb204ecbf2d457ecba27ac0d150N.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	2fd91fb204ecbf2d457ecba27ac0d150N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3328	schtasks.exe
968	schtasks.exe
2528	schtasks.exe
2436	schtasks.exe
216	schtasks.exe
2036	schtasks.exe
2988	schtasks.exe
4820	schtasks.exe
2080	schtasks.exe
1568	schtasks.exe
3068	schtasks.exe
3476	schtasks.exe
5024	schtasks.exe
2572	schtasks.exe
3264	schtasks.exe
4088	schtasks.exe
1660	schtasks.exe
4976	schtasks.exe
5000	schtasks.exe
3192	schtasks.exe
4748	schtasks.exe
4264	schtasks.exe
2072	schtasks.exe
1144	schtasks.exe
3448	schtasks.exe
4268	schtasks.exe
1396	schtasks.exe
912	schtasks.exe
3640	schtasks.exe
212	schtasks.exe
1312	schtasks.exe
716	schtasks.exe
3588	schtasks.exe
2052	schtasks.exe
2576	schtasks.exe
1848	schtasks.exe
3768	schtasks.exe
1448	schtasks.exe
4248	schtasks.exe
4440	schtasks.exe
3920	schtasks.exe
4504	schtasks.exe
1672	schtasks.exe
5088	schtasks.exe
2632	schtasks.exe
2892	schtasks.exe
2812	schtasks.exe
220	schtasks.exe
3240	schtasks.exe
976	schtasks.exe
4364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

2fd91fb204ecbf2d457ecba27ac0d150N.exebackgroundTaskHost.exe

pid	process
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
4480	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2fd91fb204ecbf2d457ecba27ac0d150N.exebackgroundTaskHost.exe

description pid process

Token: SeDebugPrivilege 3604 2fd91fb204ecbf2d457ecba27ac0d150N.exe
Token: SeDebugPrivilege 4480 backgroundTaskHost.exe

description	pid	process
Token: SeDebugPrivilege	3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe
Token: SeDebugPrivilege	4480	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2fd91fb204ecbf2d457ecba27ac0d150N.execmd.exe

description	pid	process	target process
PID 3604 wrote to memory of 3784	3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe	cmd.exe
PID 3604 wrote to memory of 3784	3604	2fd91fb204ecbf2d457ecba27ac0d150N.exe	cmd.exe
PID 3784 wrote to memory of 1948	3784	cmd.exe	w32tm.exe
PID 3784 wrote to memory of 1948	3784	cmd.exe	w32tm.exe
PID 3784 wrote to memory of 4480	3784	cmd.exe	backgroundTaskHost.exe
PID 3784 wrote to memory of 4480	3784	cmd.exe	backgroundTaskHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2fd91fb204ecbf2d457ecba27ac0d150N.exe
"C:\Users\Admin\AppData\Local\Temp\2fd91fb204ecbf2d457ecba27ac0d150N.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kqSiVBBxH.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1948

C:\Program Files (x86)\Google\Temp\backgroundTaskHost.exe
"C:\Program Files (x86)\Google\Temp\backgroundTaskHost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\SIGNUP\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\SIGNUP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\3D Objects\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\3D Objects\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\features\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\features\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2fd91fb204ecbf2d457ecba27ac0d150N2" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Contacts\2fd91fb204ecbf2d457ecba27ac0d150N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2fd91fb204ecbf2d457ecba27ac0d150N" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\2fd91fb204ecbf2d457ecba27ac0d150N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2fd91fb204ecbf2d457ecba27ac0d150N2" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Contacts\2fd91fb204ecbf2d457ecba27ac0d150N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Java\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\explorer.exe

Filesize
827KB

MD5
2fd91fb204ecbf2d457ecba27ac0d150

SHA1
e748460f2c9b8d4c95fe38b75b6ad7fa7709907d

SHA256
25676c8823526376763d08d0b7a835ca9f989676ad07e7dea8f1e66556ff7ac4

SHA512
ac1d50644567baf4f9e0bfef29297a992826fd2fec70ab9bc6243c666479a810372b768299545d64d15e4321ae75948ea1a6fb8d062eb6b475481b181822cd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\7kqSiVBBxH.bat

Filesize
222B

MD5
77916f9d3ea5f9075f5c87bc81ebb1fb

SHA1
22ce5ef313fed634c5ce010b400b7273d4711645

SHA256
58def6134e26c5b88101cd8631585f1167b67fa16d4d062d3ef6ebc23d76acc4

SHA512
8044d95082093565dd58df6a16017b1fecb74a5a254b0ce616f30792866dbf91d56518534cfc123724c9c3544e8185f3bca85d50b9be7907998c87a8b4da5171

Download Submit
memory/3604-0-0x0000000000980000-0x0000000000A56000-memory.dmp

Filesize
856KB

Download
memory/3604-1-0x00007FFE87603000-0x00007FFE87605000-memory.dmp

Filesize
8KB

Download
memory/3604-2-0x00007FFE87600000-0x00007FFE880C1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-42-0x00007FFE87600000-0x00007FFE880C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads