dcrat | bb6526c31dfdace774220f96adcf80ac80cdc76eddf542a024825663dd37823a

General

Target

206c5e527a6a213821a20e837f3bec32.exe
Size

1.4MB
MD5

206c5e527a6a213821a20e837f3bec32
SHA1

5aafbe435d20a9acc7285220f0ad1b04527bebd9
SHA256

bb6526c31dfdace774220f96adcf80ac80cdc76eddf542a024825663dd37823a
SHA512

545e7fe3afd65cc08792668008862e2da1529b3747278d188a20e6fec1c1e994c5c41ea18366453b3b1fb34b7306bceb6d12b4e0506e2d2b0291d94761426e6c
SSDEEP

24576:b2G/nvxW3W8WKDaI4Cm9Sakqs8r+jptkTxfWrKpfVYtYPtbv2bVVn/mh:bbA3ZDaI4CMkLuAUurKYYPtTEVVn0

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat 20 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

agentbrowserref.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe206c5e527a6a213821a20e837f3bec32.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\27d1bcfc3c54e0	agentbrowserref.exe
2704	schtasks.exe
3048	schtasks.exe
2432	schtasks.exe
1328	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	206c5e527a6a213821a20e837f3bec32.exe
2712	schtasks.exe
2572	schtasks.exe
1532	schtasks.exe
2344	schtasks.exe
1276	schtasks.exe
848	schtasks.exe
1528	schtasks.exe
2488	schtasks.exe
936	schtasks.exe
1884	schtasks.exe
812	schtasks.exe
2132	schtasks.exe
2696	schtasks.exe
2148	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

agentbrowserref.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\System.exe\", \"C:\\Users\\Admin\\Music\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\taskhost.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\csrss.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\dllhost.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\System.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\System.exe\", \"C:\\Users\\Admin\\Music\\lsass.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\System.exe\", \"C:\\Users\\Admin\\Music\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\lsass.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\System.exe\", \"C:\\Users\\Admin\\Music\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\taskhost.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\System.exe\", \"C:\\Users\\Admin\\Music\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\taskhost.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\csrss.exe\""	agentbrowserref.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2636	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2636	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\providerwebdriver\agentbrowserref.exe	dcrat
behavioral1/memory/2904-13-0x00000000010B0000-0x00000000011D6000-memory.dmp	dcrat
behavioral1/memory/1148-36-0x00000000010E0000-0x0000000001206000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

agentbrowserref.exedllhost.exe

pid process

2904 agentbrowserref.exe
1148 dllhost.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2760 cmd.exe
2760 cmd.exe

pid	process
2904	agentbrowserref.exe
1148	dllhost.exe

pid	process
2760	cmd.exe
2760	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

agentbrowserref.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\RemotePackages\\RemoteDesktops\\dllhost.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Uninstall Information\\System.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Music\\lsass.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows Sidebar\\taskhost.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\lsass.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows Sidebar\\taskhost.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\csrss.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\csrss.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\RemotePackages\\RemoteDesktops\\dllhost.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Uninstall Information\\System.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Music\\lsass.exe\""	agentbrowserref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\lsass.exe\""	agentbrowserref.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 pastebin.com
3 pastebin.com

flow	ioc
2	pastebin.com
3	pastebin.com

Drops file in Program Files directory 7 IoCs

Processes:

agentbrowserref.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\taskhost.exe	agentbrowserref.exe
File created	C:\Program Files (x86)\Windows Sidebar\b75386f1303e64	agentbrowserref.exe
File created	C:\Program Files\Uninstall Information\System.exe	agentbrowserref.exe
File opened for modification	C:\Program Files\Uninstall Information\System.exe	agentbrowserref.exe
File created	C:\Program Files\Uninstall Information\27d1bcfc3c54e0	agentbrowserref.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe	agentbrowserref.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6203df4a6bafc7	agentbrowserref.exe

Drops file in Windows directory 2 IoCs

Processes:

agentbrowserref.exe

description	ioc	process
File created	C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe	agentbrowserref.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\5940a34987c991	agentbrowserref.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe206c5e527a6a213821a20e837f3bec32.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	206c5e527a6a213821a20e837f3bec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2712	schtasks.exe
2148	schtasks.exe
3048	schtasks.exe
2132	schtasks.exe
1276	schtasks.exe
812	schtasks.exe
1532	schtasks.exe
2696	schtasks.exe
2432	schtasks.exe
1328	schtasks.exe
1528	schtasks.exe
2572	schtasks.exe
936	schtasks.exe
2488	schtasks.exe
2704	schtasks.exe
2344	schtasks.exe
1884	schtasks.exe
848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

agentbrowserref.exedllhost.exe

pid process

2904 agentbrowserref.exe
2904 agentbrowserref.exe
2904 agentbrowserref.exe
2904 agentbrowserref.exe
2904 agentbrowserref.exe
1148 dllhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

agentbrowserref.exedllhost.exe

description pid process

Token: SeDebugPrivilege 2904 agentbrowserref.exe
Token: SeDebugPrivilege 1148 dllhost.exe

pid	process
2904	agentbrowserref.exe
2904	agentbrowserref.exe
2904	agentbrowserref.exe
2904	agentbrowserref.exe
2904	agentbrowserref.exe
1148	dllhost.exe

description	pid	process
Token: SeDebugPrivilege	2904	agentbrowserref.exe
Token: SeDebugPrivilege	1148	dllhost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

206c5e527a6a213821a20e837f3bec32.exeWScript.execmd.exeagentbrowserref.execmd.exe

description	pid	process	target process
PID 828 wrote to memory of 2168	828	206c5e527a6a213821a20e837f3bec32.exe	WScript.exe
PID 828 wrote to memory of 2168	828	206c5e527a6a213821a20e837f3bec32.exe	WScript.exe
PID 828 wrote to memory of 2168	828	206c5e527a6a213821a20e837f3bec32.exe	WScript.exe
PID 828 wrote to memory of 2168	828	206c5e527a6a213821a20e837f3bec32.exe	WScript.exe
PID 2168 wrote to memory of 2760	2168	WScript.exe	cmd.exe
PID 2168 wrote to memory of 2760	2168	WScript.exe	cmd.exe
PID 2168 wrote to memory of 2760	2168	WScript.exe	cmd.exe
PID 2168 wrote to memory of 2760	2168	WScript.exe	cmd.exe
PID 2760 wrote to memory of 2904	2760	cmd.exe	agentbrowserref.exe
PID 2760 wrote to memory of 2904	2760	cmd.exe	agentbrowserref.exe
PID 2760 wrote to memory of 2904	2760	cmd.exe	agentbrowserref.exe
PID 2760 wrote to memory of 2904	2760	cmd.exe	agentbrowserref.exe
PID 2904 wrote to memory of 1152	2904	agentbrowserref.exe	cmd.exe
PID 2904 wrote to memory of 1152	2904	agentbrowserref.exe	cmd.exe
PID 2904 wrote to memory of 1152	2904	agentbrowserref.exe	cmd.exe
PID 1152 wrote to memory of 2248	1152	cmd.exe	w32tm.exe
PID 1152 wrote to memory of 2248	1152	cmd.exe	w32tm.exe
PID 1152 wrote to memory of 2248	1152	cmd.exe	w32tm.exe
PID 1152 wrote to memory of 1148	1152	cmd.exe	dllhost.exe
PID 1152 wrote to memory of 1148	1152	cmd.exe	dllhost.exe
PID 1152 wrote to memory of 1148	1152	cmd.exe	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\206c5e527a6a213821a20e837f3bec32.exe
"C:\Users\Admin\AppData\Local\Temp\206c5e527a6a213821a20e837f3bec32.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providerwebdriver\lt1HIykJHsizol4IGJ3xU.vbe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providerwebdriver\aSC9EG1DRgk4rAYE.bat" "
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760

C:\providerwebdriver\agentbrowserref.exe
"C:\providerwebdriver\agentbrowserref.exe"
4⤵
- DcRat
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIydqsPh60.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2248

C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe
"C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Music\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iIydqsPh60.bat

Filesize
217B

MD5
653d9575c94897113c574a11568b8c24

SHA1
5b63a96f2e3902aaee3c4d6ac1f7285269ed7055

SHA256
3a7c506db5c565de84c81a40cb318d6ca9be554a208c7721f0c6db1d9320f9a5

SHA512
b20e4a57368bfa85b3be44fda8cadafdb9b143104269e3b98e22758546def940e5b4a6220a05b82478aca99428305eca770e98253c1ede7791cae3133ec049a2

Download Submit
C:\providerwebdriver\aSC9EG1DRgk4rAYE.bat

Filesize
42B

MD5
19c9823c05dd0974235575fd165a6739

SHA1
550aad4e014d68c1eebb15c2ac5a96bc0f7e7113

SHA256
9e9193ceb85d23b6c5afc1335c634d4818ce8ca81577f82d13d60b35eda8d826

SHA512
f8ef7c7e883533452f8336b51be19cea8aa619a7aeacfc629ff8fcaadfef52ecbdc9b779fb2e2ecd3e60b5062cb56ff5875bb08af61307ae6f0c90054ec1544c

Download Submit
C:\providerwebdriver\lt1HIykJHsizol4IGJ3xU.vbe

Filesize
210B

MD5
8c54d0dda4ddc9e2e7d344a9b2168028

SHA1
c8dbf176ec65a67358a0d9c3f0a69166d4427b1c

SHA256
e1ee3be209a9f6ff15082d3641c1f680751b58c19d2323c21b2a24969b83fd1a

SHA512
a68b1feb1f36e581a0b40c423d2d49872b3dc238eaaa49c32deaf89d18c18f450bbfaafa8e2ba5299398cda93df63f1c8817a312a977495f4b551e3f36b55a32

Download Submit
\providerwebdriver\agentbrowserref.exe

Filesize
1.1MB

MD5
77e69ac18f27a50fb2a8ee497ef218d3

SHA1
92dd7952a16b8751141b2bb8ac65dcfded39fbc3

SHA256
18a60a54223633e6372e9c3eb09423a10d054ca46924963e3708837376891e45

SHA512
75e67340b4b16267e7b503da84081bd36858cb75cb36acf878a8ef5f2d179ad8ec43c11e14443c20426ab3cef97e7573e2639a511f45bfa5f7061df591485b9c

Download Submit
memory/1148-36-0x00000000010E0000-0x0000000001206000-memory.dmp

Filesize
1.1MB

Download
memory/2904-13-0x00000000010B0000-0x00000000011D6000-memory.dmp

Filesize
1.1MB

Download
memory/2904-14-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2904-15-0x0000000000A20000-0x0000000000A36000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads