dcrat | 59587a702b395acaad29b4cd695d7c236ef19dba0375ad16010e7a170dc90929

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

488291ee16052448a88ff5f4b4ff7472.exe
Size

828KB
MD5

488291ee16052448a88ff5f4b4ff7472
SHA1

b7f7a100fd8f36501de1fec9f277aa7f73918c15
SHA256

59587a702b395acaad29b4cd695d7c236ef19dba0375ad16010e7a170dc90929
SHA512

050af158ba434d95cc4e520675c1fc9c9079103ae9af853615044aa2df8d0f8990fc0da095fe7334c82897d3a303cc386298e9133479bd6a39bebb1245d28108
SSDEEP

12288:u9V+q0VaZWcItdHp6yY9gNmNpsrx5fpgEYjqnK9cG:gXeaZWrHp6wcYFbZYeKt

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 41 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		3516	schtasks.exe
File created	C:\Windows\AppReadiness\e1ef82546f0b02		488291ee16052448a88ff5f4b4ff7472.exe
		1604	schtasks.exe
		4792	schtasks.exe
		3988	schtasks.exe
		4272	schtasks.exe
		4888	schtasks.exe
		4988	schtasks.exe
		852	schtasks.exe
		4716	schtasks.exe
		4344	schtasks.exe
		2944	schtasks.exe
		3208	schtasks.exe
		4592	schtasks.exe
		4360	schtasks.exe
		2740	schtasks.exe
		1756	schtasks.exe
		2076	schtasks.exe
		4468	schtasks.exe
		1356	schtasks.exe
		3340	schtasks.exe
		3112	schtasks.exe
		4480	schtasks.exe
		3356	schtasks.exe
		3080	schtasks.exe
		3692	schtasks.exe
		1100	schtasks.exe
		3692	schtasks.exe
		4388	schtasks.exe
		2284	schtasks.exe
		4636	schtasks.exe
		2420	schtasks.exe
		3620	schtasks.exe
		3548	schtasks.exe
		4436	schtasks.exe
		744	schtasks.exe
		3900	schtasks.exe
		3844	schtasks.exe
		2376	schtasks.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\eddb19405b7ce1		488291ee16052448a88ff5f4b4ff7472.exe
		3864	schtasks.exe

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	2672	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	2672	schtasks.exe	91

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4988-1-0x0000000000F10000-0x0000000000FE6000-memory.dmp	dcrat
behavioral2/files/0x00060000000226c6-19.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	488291ee16052448a88ff5f4b4ff7472.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	488291ee16052448a88ff5f4b4ff7472.exe

Executes dropped EXE 1 IoCs

pid	Process
1460	upfc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\e6c9b481da804f	488291ee16052448a88ff5f4b4ff7472.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe	488291ee16052448a88ff5f4b4ff7472.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5b884080fd4f94	488291ee16052448a88ff5f4b4ff7472.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\backgroundTaskHost.exe	488291ee16052448a88ff5f4b4ff7472.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\eddb19405b7ce1	488291ee16052448a88ff5f4b4ff7472.exe
File created	C:\Program Files\Google\Chrome\OfficeClickToRun.exe	488291ee16052448a88ff5f4b4ff7472.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\InputMethod\CHT\lsass.exe	488291ee16052448a88ff5f4b4ff7472.exe
File created	C:\Windows\InputMethod\CHT\6203df4a6bafc7	488291ee16052448a88ff5f4b4ff7472.exe
File created	C:\Windows\AppReadiness\SppExtComObj.exe	488291ee16052448a88ff5f4b4ff7472.exe
File created	C:\Windows\AppReadiness\e1ef82546f0b02	488291ee16052448a88ff5f4b4ff7472.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	488291ee16052448a88ff5f4b4ff7472.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	488291ee16052448a88ff5f4b4ff7472.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3080	schtasks.exe
4480	schtasks.exe
3356	schtasks.exe
3692	schtasks.exe
4888	schtasks.exe
3900	schtasks.exe
1100	schtasks.exe
3620	schtasks.exe
2740	schtasks.exe
4272	schtasks.exe
4988	schtasks.exe
744	schtasks.exe
3692	schtasks.exe
3844	schtasks.exe
3864	schtasks.exe
2420	schtasks.exe
4716	schtasks.exe
852	schtasks.exe
4592	schtasks.exe
3208	schtasks.exe
4388	schtasks.exe
4436	schtasks.exe
4636	schtasks.exe
4468	schtasks.exe
3548	schtasks.exe
2944	schtasks.exe
4360	schtasks.exe
1756	schtasks.exe
2376	schtasks.exe
1356	schtasks.exe
1604	schtasks.exe
4344	schtasks.exe
2076	schtasks.exe
2284	schtasks.exe
3340	schtasks.exe
4792	schtasks.exe
3988	schtasks.exe
3516	schtasks.exe
3112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4988	488291ee16052448a88ff5f4b4ff7472.exe
4988	488291ee16052448a88ff5f4b4ff7472.exe
4988	488291ee16052448a88ff5f4b4ff7472.exe
4848	488291ee16052448a88ff5f4b4ff7472.exe
4848	488291ee16052448a88ff5f4b4ff7472.exe
4848	488291ee16052448a88ff5f4b4ff7472.exe
4848	488291ee16052448a88ff5f4b4ff7472.exe
4848	488291ee16052448a88ff5f4b4ff7472.exe
4848	488291ee16052448a88ff5f4b4ff7472.exe
1460	upfc.exe
1460	upfc.exe
1460	upfc.exe
1460	upfc.exe
1460	upfc.exe
1460	upfc.exe
1460	upfc.exe
1460	upfc.exe
1460	upfc.exe
1460	upfc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1460	upfc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	488291ee16052448a88ff5f4b4ff7472.exe
Token: SeDebugPrivilege	4848	488291ee16052448a88ff5f4b4ff7472.exe
Token: SeDebugPrivilege	1460	upfc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 944	4988	488291ee16052448a88ff5f4b4ff7472.exe	104
PID 4988 wrote to memory of 944	4988	488291ee16052448a88ff5f4b4ff7472.exe	104
PID 944 wrote to memory of 2576	944	cmd.exe	106
PID 944 wrote to memory of 2576	944	cmd.exe	106
PID 944 wrote to memory of 4848	944	cmd.exe	114
PID 944 wrote to memory of 4848	944	cmd.exe	114
PID 4848 wrote to memory of 3680	4848	488291ee16052448a88ff5f4b4ff7472.exe	143
PID 4848 wrote to memory of 3680	4848	488291ee16052448a88ff5f4b4ff7472.exe	143
PID 3680 wrote to memory of 3048	3680	cmd.exe	145
PID 3680 wrote to memory of 3048	3680	cmd.exe	145
PID 3680 wrote to memory of 1460	3680	cmd.exe	148
PID 3680 wrote to memory of 1460	3680	cmd.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\488291ee16052448a88ff5f4b4ff7472.exe
"C:\Users\Admin\AppData\Local\Temp\488291ee16052448a88ff5f4b4ff7472.exe"
1⤵
- DcRat
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NwzpsYg2oT.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2576
- - C:\Users\Admin\AppData\Local\Temp\488291ee16052448a88ff5f4b4ff7472.exe
    "C:\Users\Admin\AppData\Local\Temp\488291ee16052448a88ff5f4b4ff7472.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G5VpR7fKyq.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3048
    - - C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\AppReadiness\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\AppReadiness\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4124,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
1⤵
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\PrintHood\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\PrintHood\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\CHT\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\InputMethod\CHT\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\OneDrive\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\OneDrive\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\upfc.exe

Filesize
828KB

MD5
488291ee16052448a88ff5f4b4ff7472

SHA1
b7f7a100fd8f36501de1fec9f277aa7f73918c15

SHA256
59587a702b395acaad29b4cd695d7c236ef19dba0375ad16010e7a170dc90929

SHA512
050af158ba434d95cc4e520675c1fc9c9079103ae9af853615044aa2df8d0f8990fc0da095fe7334c82897d3a303cc386298e9133479bd6a39bebb1245d28108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\488291ee16052448a88ff5f4b4ff7472.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\G5VpR7fKyq.bat

Filesize
195B

MD5
9eb2785a7280438d34c5b7099a01cd55

SHA1
5910d6a1c8cabaa98005b600ae54094850be8634

SHA256
111ba4296b1457fa260cebbd7a0b3da53584ff97be748ba878b83fb3122f0608

SHA512
8f2255300558b78db0abc217b57092b7b761c2c305d57f0e3221d0e869a3e720c075e618a948886ba9d0129dea4db92de9c5ed4ce871704e7e5995775fa74844

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwzpsYg2oT.bat

Filesize
235B

MD5
10ff6701dc116878a85ae1fe0dfa239d

SHA1
42fe87d00de49e4d25f1ee99df9a92eacd51cc4b

SHA256
673042a9f6d29b00278411491fdc5a715ed4dde383ca5c1d3b8bf1c328b4d2a8

SHA512
057c57997c3b3e72caa8de99c2beeeea88bb7e11bcf83be45e3c2f9ad9fd2575bd6eef247b185b1ce829297f074d1f996358753d7c29e357ff14c91011bdd24d

Download Submit
memory/1460-45-0x000000001B590000-0x000000001B692000-memory.dmp

Filesize
1.0MB

Download
memory/4988-0-0x00007FFEA0393000-0x00007FFEA0395000-memory.dmp

Filesize
8KB

Download
memory/4988-1-0x0000000000F10000-0x0000000000FE6000-memory.dmp

Filesize
856KB

Download
memory/4988-4-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

Filesize
10.8MB

Download
memory/4988-16-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

Filesize
10.8MB

Download