dcrat | 7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445

General

Target

12dcc1cafbf752f84a12d3bed14cd6e2.exe
Size

2.6MB
MD5

12dcc1cafbf752f84a12d3bed14cd6e2
SHA1

9ebf8e2fef206cefff0cb2474f284869827e6e45
SHA256

7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445
SHA512

e6d535bbf3a65d225f7a6b8fd500952774a8664daea4e091fa9dd4d0a6538a150089ff38271ff345c91a76518c2094dbb59a2ff92d7fc24cdf2d66d4fcdd1a27
SSDEEP

49152:EZjcfg3kx6GhHszTNMdkdOYY/Z5K0eR/SRXtbqayyLsPZqGXkcZAo:nY0UwmOTBU5R+dbqzTB

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	1936	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	1936	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

12dcc1cafbf752f84a12d3bed14cd6e2.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2388-1-0x0000000000660000-0x0000000000908000-memory.dmp	dcrat
C:\Users\Default\Registry.exe	dcrat
C:\Recovery\WindowsRE\RCXA34A.tmp	dcrat
C:\Windows\addins\csrss.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

12dcc1cafbf752f84a12d3bed14cd6e2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	12dcc1cafbf752f84a12d3bed14cd6e2.exe

Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

876 winlogon.exe

pid	process
876	winlogon.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

12dcc1cafbf752f84a12d3bed14cd6e2.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Program Files directory 25 IoCs

Processes:

12dcc1cafbf752f84a12d3bed14cd6e2.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Common Files\Adobe\f3b6ecef712a24	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\upfc.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\ea1d8f6d871115	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA134.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RCXABCD.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RCXABED.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXB093.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Adobe\dllhost.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXBCE1.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RCXC719.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\StartMenuExperienceHost.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Common Files\Adobe\spoolsv.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\55b276f4edf653	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\upfc.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA124.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXBCD0.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RCXC71A.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Windows Portable Devices\29c1c3cc0f7685	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Adobe\dllhost.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Adobe\5940a34987c991	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\StartMenuExperienceHost.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\spoolsv.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXB094.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe

Drops file in Windows directory 10 IoCs

Processes:

12dcc1cafbf752f84a12d3bed14cd6e2.exe

description	ioc	process
File opened for modification	C:\Windows\addins\RCXC498.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\addins\csrss.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Windows\Setup\State\12dcc1cafbf752f84a12d3bed14cd6e2.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Windows\addins\csrss.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Windows\addins\886983d96e3d3e	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\Setup\State\RCXBF83.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\Setup\State\12dcc1cafbf752f84a12d3bed14cd6e2.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\addins\RCXC41A.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Windows\Setup\State\958771030bb463	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\Setup\State\RCXBF05.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

12dcc1cafbf752f84a12d3bed14cd6e2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	12dcc1cafbf752f84a12d3bed14cd6e2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2596	schtasks.exe
3480	schtasks.exe
2468	schtasks.exe
2784	schtasks.exe
2148	schtasks.exe
2208	schtasks.exe
4428	schtasks.exe
1508	schtasks.exe
1348	schtasks.exe
448	schtasks.exe
4316	schtasks.exe
4844	schtasks.exe
1196	schtasks.exe
5080	schtasks.exe
3076	schtasks.exe
3924	schtasks.exe
4592	schtasks.exe
2068	schtasks.exe
4076	schtasks.exe
1088	schtasks.exe
216	schtasks.exe
4916	schtasks.exe
3424	schtasks.exe
760	schtasks.exe
2096	schtasks.exe
3920	schtasks.exe
3632	schtasks.exe
3184	schtasks.exe
3996	schtasks.exe
2804	schtasks.exe
3152	schtasks.exe
4304	schtasks.exe
2084	schtasks.exe
4744	schtasks.exe
812	schtasks.exe
4540	schtasks.exe
3392	schtasks.exe
2168	schtasks.exe
3132	schtasks.exe
2212	schtasks.exe
2064	schtasks.exe
2864	schtasks.exe
4700	schtasks.exe
4484	schtasks.exe
2024	schtasks.exe
2192	schtasks.exe
3012	schtasks.exe
3640	schtasks.exe
3408	schtasks.exe
4572	schtasks.exe
3176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

12dcc1cafbf752f84a12d3bed14cd6e2.exewinlogon.exe

pid	process
2388	12dcc1cafbf752f84a12d3bed14cd6e2.exe
2388	12dcc1cafbf752f84a12d3bed14cd6e2.exe
2388	12dcc1cafbf752f84a12d3bed14cd6e2.exe
2388	12dcc1cafbf752f84a12d3bed14cd6e2.exe
2388	12dcc1cafbf752f84a12d3bed14cd6e2.exe
2388	12dcc1cafbf752f84a12d3bed14cd6e2.exe
2388	12dcc1cafbf752f84a12d3bed14cd6e2.exe
2388	12dcc1cafbf752f84a12d3bed14cd6e2.exe
2388	12dcc1cafbf752f84a12d3bed14cd6e2.exe
876	winlogon.exe
876	winlogon.exe
876	winlogon.exe
876	winlogon.exe
876	winlogon.exe
876	winlogon.exe
876	winlogon.exe
876	winlogon.exe
876	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winlogon.exe

pid process

876 winlogon.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

12dcc1cafbf752f84a12d3bed14cd6e2.exewinlogon.exe

description pid process

Token: SeDebugPrivilege 2388 12dcc1cafbf752f84a12d3bed14cd6e2.exe
Token: SeDebugPrivilege 876 winlogon.exe

pid	process
876	winlogon.exe

description	pid	process
Token: SeDebugPrivilege	2388	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Token: SeDebugPrivilege	876	winlogon.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

12dcc1cafbf752f84a12d3bed14cd6e2.exe

description	pid	process	target process
PID 2388 wrote to memory of 876	2388	12dcc1cafbf752f84a12d3bed14cd6e2.exe	winlogon.exe
PID 2388 wrote to memory of 876	2388	12dcc1cafbf752f84a12d3bed14cd6e2.exe	winlogon.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

12dcc1cafbf752f84a12d3bed14cd6e2.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\12dcc1cafbf752f84a12d3bed14cd6e2.exe
"C:\Users\Admin\AppData\Local\Temp\12dcc1cafbf752f84a12d3bed14cd6e2.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2388
- C:\Users\Default\Recent\winlogon.exe
  "C:\Users\Default\Recent\winlogon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Recent\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Links\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Links\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12dcc1cafbf752f84a12d3bed14cd6e21" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Pictures\12dcc1cafbf752f84a12d3bed14cd6e2.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12dcc1cafbf752f84a12d3bed14cd6e2" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\12dcc1cafbf752f84a12d3bed14cd6e2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12dcc1cafbf752f84a12d3bed14cd6e21" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Pictures\12dcc1cafbf752f84a12d3bed14cd6e2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12dcc1cafbf752f84a12d3bed14cd6e21" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\12dcc1cafbf752f84a12d3bed14cd6e2.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12dcc1cafbf752f84a12d3bed14cd6e2" /sc ONLOGON /tr "'C:\Windows\Setup\State\12dcc1cafbf752f84a12d3bed14cd6e2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12dcc1cafbf752f84a12d3bed14cd6e21" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\12dcc1cafbf752f84a12d3bed14cd6e2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12dcc1cafbf752f84a12d3bed14cd6e21" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\12dcc1cafbf752f84a12d3bed14cd6e2.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12dcc1cafbf752f84a12d3bed14cd6e2" /sc ONLOGON /tr "'C:\Users\All Users\12dcc1cafbf752f84a12d3bed14cd6e2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12dcc1cafbf752f84a12d3bed14cd6e21" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\12dcc1cafbf752f84a12d3bed14cd6e2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RCXA34A.tmp

Filesize
2.6MB

MD5
02911d19174feb724cd47570d4188a58

SHA1
9b5a3e306b44cf73cb6b6f02b7355843029dcb8f

SHA256
dce2e3db78a32c0826767f5cb2c40f909b91d0db2209215939b5d6fbacc1df2e

SHA512
1de27f7ed6118691cfe59543a0f00c692d58ca46991ad7ecae936435cd79da97c4e56bee97bb8e14a9d9c171ef34789a812c47cc9b2991eb896be88f48c2c9b0

Download Submit
C:\Users\Default\Registry.exe

Filesize
2.6MB

MD5
12dcc1cafbf752f84a12d3bed14cd6e2

SHA1
9ebf8e2fef206cefff0cb2474f284869827e6e45

SHA256
7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445

SHA512
e6d535bbf3a65d225f7a6b8fd500952774a8664daea4e091fa9dd4d0a6538a150089ff38271ff345c91a76518c2094dbb59a2ff92d7fc24cdf2d66d4fcdd1a27

Download Submit
C:\Windows\addins\csrss.exe

Filesize
2.6MB

MD5
bd0d147ea332d3299cc84b0259190fdd

SHA1
e77f4b1597c6222b7cf8a1922e3b6c76f31b795e

SHA256
a51646456949e5d2ba565efa6c27184c5f1eedfed0ea666d09e4a1bb575ae0b8

SHA512
1fd7c2ae776a545bee43599e3f329fe7fb05bea07d0fc86515aabb5aece63af34914c1e160b5a7fbe4b1210867b400b4b77fb6a1980b5a7254f57b05c56f4dce

Download Submit
memory/876-310-0x000000001B610000-0x000000001B666000-memory.dmp

Filesize
344KB

Download
memory/2388-6-0x0000000001650000-0x0000000001658000-memory.dmp

Filesize
32KB

Download
memory/2388-15-0x000000001B5C0000-0x000000001B5C8000-memory.dmp

Filesize
32KB

Download
memory/2388-7-0x0000000001660000-0x0000000001670000-memory.dmp

Filesize
64KB

Download
memory/2388-0-0x00007FF9430B3000-0x00007FF9430B5000-memory.dmp

Filesize
8KB

Download
memory/2388-10-0x000000001B5A0000-0x000000001B5AA000-memory.dmp

Filesize
40KB

Download
memory/2388-9-0x000000001B580000-0x000000001B588000-memory.dmp

Filesize
32KB

Download
memory/2388-8-0x0000000001670000-0x0000000001686000-memory.dmp

Filesize
88KB

Download
memory/2388-11-0x000000001B620000-0x000000001B676000-memory.dmp

Filesize
344KB

Download
memory/2388-12-0x000000001B590000-0x000000001B598000-memory.dmp

Filesize
32KB

Download
memory/2388-13-0x000000001B5B0000-0x000000001B5C2000-memory.dmp

Filesize
72KB

Download
memory/2388-14-0x000000001C5A0000-0x000000001CAC8000-memory.dmp

Filesize
5.2MB

Download
memory/2388-5-0x000000001B5D0000-0x000000001B620000-memory.dmp

Filesize
320KB

Download
memory/2388-16-0x000000001BBA0000-0x000000001BBA8000-memory.dmp

Filesize
32KB

Download
memory/2388-17-0x000000001BCB0000-0x000000001BCBC000-memory.dmp

Filesize
48KB

Download
memory/2388-20-0x000000001BBD0000-0x000000001BBDA000-memory.dmp

Filesize
40KB

Download
memory/2388-19-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

Filesize
48KB

Download
memory/2388-18-0x000000001BBB0000-0x000000001BBBE000-memory.dmp

Filesize
56KB

Download
memory/2388-4-0x0000000001630000-0x000000000164C000-memory.dmp

Filesize
112KB

Download
memory/2388-3-0x0000000001620000-0x000000000162E000-memory.dmp

Filesize
56KB

Download
memory/2388-179-0x00007FF9430B3000-0x00007FF9430B5000-memory.dmp

Filesize
8KB

Download
memory/2388-190-0x00007FF9430B0000-0x00007FF943B71000-memory.dmp

Filesize
10.8MB

Download
memory/2388-2-0x00007FF9430B0000-0x00007FF943B71000-memory.dmp

Filesize
10.8MB

Download
memory/2388-309-0x00007FF9430B0000-0x00007FF943B71000-memory.dmp

Filesize
10.8MB

Download
memory/2388-1-0x0000000000660000-0x0000000000908000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads