dcrat | 365ea7fd9bbe7ca9812eb77fe015d546ebd99a643746ad48cded7dd244bc3540

Analysis

max time kernel
115s
max time network
123s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9253fd99b1e3519bae562e6807f8bb0N.exe
Size

2.3MB
MD5

b9253fd99b1e3519bae562e6807f8bb0
SHA1

7932803ddc64b7411eb697d5f91d59f2bfd08800
SHA256

365ea7fd9bbe7ca9812eb77fe015d546ebd99a643746ad48cded7dd244bc3540
SHA512

0fff0b99fc2570040668dad7b5f3e368bdebdb314ac97daa6d402d649b4ffa1859dbd28d95364fd28480b0887de10f83ef0e1b21d40f23290fd908f214c58c8a
SSDEEP

49152:5uG1LzwL/5XkkofdmHMR7OW3vuKzNYMFjUKJyBWA:5b1L+RNofd17gelFv

Score

10^/10

dcrat credential_access infostealer rat spyware stealer

Malware Config

Signatures

DcRat 47 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2872	schtasks.exe
File created	C:\Windows\Globalization\Sorting\c5b4cb5e9653cc		b9253fd99b1e3519bae562e6807f8bb0N.exe
		2028	schtasks.exe
		988	schtasks.exe
		1508	schtasks.exe
		2472	schtasks.exe
		2908	schtasks.exe
		1856	schtasks.exe
		2936	schtasks.exe
		404	schtasks.exe
		3020	schtasks.exe
		2912	schtasks.exe
		2528	schtasks.exe
		2464	schtasks.exe
		2984	schtasks.exe
		1784	schtasks.exe
		2760	schtasks.exe
		2248	schtasks.exe
		1528	schtasks.exe
		692	schtasks.exe
		1352	schtasks.exe
		1768	schtasks.exe
		1880	schtasks.exe
		2708	schtasks.exe
		2564	schtasks.exe
		3032	schtasks.exe
		3024	schtasks.exe
		944	schtasks.exe
		912	schtasks.exe
		2968	schtasks.exe
		1648	schtasks.exe
File created	C:\Windows\tracing\b75386f1303e64		b9253fd99b1e3519bae562e6807f8bb0N.exe
		2916	schtasks.exe
		2944	schtasks.exe
		1260	schtasks.exe
		308	schtasks.exe
		1736	schtasks.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\886983d96e3d3e		b9253fd99b1e3519bae562e6807f8bb0N.exe
		1632	schtasks.exe
		2376	schtasks.exe
		1200	schtasks.exe
		3008	schtasks.exe
		1708	schtasks.exe
		332	schtasks.exe
		3052	schtasks.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe		b9253fd99b1e3519bae562e6807f8bb0N.exe
File created	C:\Program Files (x86)\Google\1610b97d3ab4a7		b9253fd99b1e3519bae562e6807f8bb0N.exe

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	1240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1240	schtasks.exe	30

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2868-1-0x0000000000880000-0x0000000000AD2000-memory.dmp	dcrat
behavioral1/files/0x0005000000019396-18.dat	dcrat
behavioral1/memory/584-30-0x00000000002E0000-0x0000000000532000-memory.dmp	dcrat
behavioral1/memory/768-51-0x0000000001140000-0x0000000001392000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
768	winlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Services\56085415360792	b9253fd99b1e3519bae562e6807f8bb0N.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe	b9253fd99b1e3519bae562e6807f8bb0N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe	b9253fd99b1e3519bae562e6807f8bb0N.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\886983d96e3d3e	b9253fd99b1e3519bae562e6807f8bb0N.exe
File created	C:\Program Files (x86)\Google\OSPPSVC.exe	b9253fd99b1e3519bae562e6807f8bb0N.exe
File created	C:\Program Files (x86)\Google\1610b97d3ab4a7	b9253fd99b1e3519bae562e6807f8bb0N.exe
File created	C:\Program Files\Common Files\Services\wininit.exe	b9253fd99b1e3519bae562e6807f8bb0N.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\Sorting\services.exe	b9253fd99b1e3519bae562e6807f8bb0N.exe
File created	C:\Windows\Globalization\Sorting\c5b4cb5e9653cc	b9253fd99b1e3519bae562e6807f8bb0N.exe
File created	C:\Windows\tracing\taskhost.exe	b9253fd99b1e3519bae562e6807f8bb0N.exe
File created	C:\Windows\tracing\b75386f1303e64	b9253fd99b1e3519bae562e6807f8bb0N.exe
File created	C:\Windows\debug\spoolsv.exe	b9253fd99b1e3519bae562e6807f8bb0N.exe
File created	C:\Windows\debug\f3b6ecef712a24	b9253fd99b1e3519bae562e6807f8bb0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2916	schtasks.exe
3020	schtasks.exe
2472	schtasks.exe
1880	schtasks.exe
3052	schtasks.exe
1508	schtasks.exe
1856	schtasks.exe
3024	schtasks.exe
2936	schtasks.exe
1784	schtasks.exe
1736	schtasks.exe
1768	schtasks.exe
1648	schtasks.exe
332	schtasks.exe
2760	schtasks.exe
944	schtasks.exe
988	schtasks.exe
1632	schtasks.exe
3032	schtasks.exe
2376	schtasks.exe
3008	schtasks.exe
1528	schtasks.exe
2912	schtasks.exe
692	schtasks.exe
2968	schtasks.exe
2248	schtasks.exe
2028	schtasks.exe
1200	schtasks.exe
2944	schtasks.exe
404	schtasks.exe
308	schtasks.exe
2984	schtasks.exe
2872	schtasks.exe
1352	schtasks.exe
1260	schtasks.exe
912	schtasks.exe
1708	schtasks.exe
2708	schtasks.exe
2528	schtasks.exe
2908	schtasks.exe
2464	schtasks.exe
2564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2868	b9253fd99b1e3519bae562e6807f8bb0N.exe
584	b9253fd99b1e3519bae562e6807f8bb0N.exe
584	b9253fd99b1e3519bae562e6807f8bb0N.exe
584	b9253fd99b1e3519bae562e6807f8bb0N.exe
768	winlogon.exe
768	winlogon.exe
768	winlogon.exe
768	winlogon.exe
768	winlogon.exe
768	winlogon.exe
768	winlogon.exe
768	winlogon.exe
768	winlogon.exe
768	winlogon.exe
768	winlogon.exe
768	winlogon.exe
768	winlogon.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	b9253fd99b1e3519bae562e6807f8bb0N.exe
Token: SeDebugPrivilege	584	b9253fd99b1e3519bae562e6807f8bb0N.exe
Token: SeDebugPrivilege	768	winlogon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2432	2868	b9253fd99b1e3519bae562e6807f8bb0N.exe	52
PID 2868 wrote to memory of 2432	2868	b9253fd99b1e3519bae562e6807f8bb0N.exe	52
PID 2868 wrote to memory of 2432	2868	b9253fd99b1e3519bae562e6807f8bb0N.exe	52
PID 2432 wrote to memory of 984	2432	cmd.exe	54
PID 2432 wrote to memory of 984	2432	cmd.exe	54
PID 2432 wrote to memory of 984	2432	cmd.exe	54
PID 2432 wrote to memory of 584	2432	cmd.exe	55
PID 2432 wrote to memory of 584	2432	cmd.exe	55
PID 2432 wrote to memory of 584	2432	cmd.exe	55
PID 584 wrote to memory of 768	584	b9253fd99b1e3519bae562e6807f8bb0N.exe	77
PID 584 wrote to memory of 768	584	b9253fd99b1e3519bae562e6807f8bb0N.exe	77
PID 584 wrote to memory of 768	584	b9253fd99b1e3519bae562e6807f8bb0N.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b9253fd99b1e3519bae562e6807f8bb0N.exe
"C:\Users\Admin\AppData\Local\Temp\b9253fd99b1e3519bae562e6807f8bb0N.exe"
1⤵
- DcRat
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH69IYnrzq.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:984
- - C:\Users\Admin\AppData\Local\Temp\b9253fd99b1e3519bae562e6807f8bb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\b9253fd99b1e3519bae562e6807f8bb0N.exe"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Users\Admin\winlogon.exe
      "C:\Users\Admin\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Templates\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\Sorting\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\Sorting\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\tracing\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\debug\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\c2c7a482-4e07-11ef-923c-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EH69IYnrzq.bat

Filesize
236B

MD5
9703895a997102832f4b7f66daf1f3b8

SHA1
bc93b8ab45465be50375475fca0c05da85fcc141

SHA256
99ad7fb2bcc87f86d8d0990af3b8e5d4dbdafb32449c3b649f2f60b11dd7035f

SHA512
f1b450fe7ac097bc4dc5601ace8713ee195dff492e82dcef171dfcf6709abb37f3c1e7352ebd2153699b4c6256d7e2346136c50f9aaf7247b8faaf90c4ca047a

Download Submit
C:\Windows\Globalization\Sorting\services.exe

Filesize
2.3MB

MD5
b9253fd99b1e3519bae562e6807f8bb0

SHA1
7932803ddc64b7411eb697d5f91d59f2bfd08800

SHA256
365ea7fd9bbe7ca9812eb77fe015d546ebd99a643746ad48cded7dd244bc3540

SHA512
0fff0b99fc2570040668dad7b5f3e368bdebdb314ac97daa6d402d649b4ffa1859dbd28d95364fd28480b0887de10f83ef0e1b21d40f23290fd908f214c58c8a

Download Submit
memory/584-30-0x00000000002E0000-0x0000000000532000-memory.dmp

Filesize
2.3MB

Download
memory/768-52-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/768-51-0x0000000001140000-0x0000000001392000-memory.dmp

Filesize
2.3MB

Download
memory/2868-8-0x0000000000800000-0x0000000000808000-memory.dmp

Filesize
32KB

Download
memory/2868-6-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2868-7-0x00000000007F0000-0x00000000007FE000-memory.dmp

Filesize
56KB

Download
memory/2868-0-0x000007FEF57A3000-0x000007FEF57A4000-memory.dmp

Filesize
4KB

Download
memory/2868-9-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/2868-5-0x00000000007A0000-0x00000000007F6000-memory.dmp

Filesize
344KB

Download
memory/2868-4-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/2868-29-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download
memory/2868-3-0x0000000000630000-0x000000000064C000-memory.dmp

Filesize
112KB

Download
memory/2868-2-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download
memory/2868-1-0x0000000000880000-0x0000000000AD2000-memory.dmp

Filesize
2.3MB

Download